Submissions received by the Legal and Constitutional Affairs Committee regarding the Privacy Amendment (Privacy Alerts) Bill 2013

June 22, 2013 |

The Committee has received 20 submissions to the Bill. That is impressive given there were effectively 2 days from referral to the cut-off date for lodging submissions.

The submissions are:

Fundraising Institute Australia

Opposed. It says, in part:

… the Fundraising Institute Australia believes that insufficient consideration has been given to the effect which mandatory data breach notification would have on charities and not-for-profit organisations. Government decision-makers seem unaware that fundraisers use extensive donor databases in the same way as business organisations do.

…

The additional burden and cost of mandatory data breach notification is both unwarranted and unwelcome particularly as the implementation date is proposed to coincide with that of the other measures.

FIA supports ADMA and other organisations who have pointed to the lack of a definition of ‘serious breach’. FIA agrees that a Bill which is so flawed should not be passed by the Parliament. Without a definition of ‘serious breach’ it is impossible to make an accurate assessment of the regulatory impact.


Communications Alliance

Opposed. It complains about the lack of consultation. On the legal issues the Alliance says:

Section 2: Contents of the Bill
Definition of ‘Serious Harm’
Communications Alliance has genuine concerns about the lack of definition of ‘serious harm’.
26X(2)(d)(i) of the Bill states that ‘…the access or disclosure will result in a real risk of serious harm to any of the individuals…’.
In industry’s view, there should be a threshold test that industry can use to determine whether ‘serious harm’ could or would be caused. It is noted that both ‘risk’ and ‘real risk’ are defined within the legislation, as well as ‘harm’ but there has been no attempt to define the concept of ‘serious harm’.
Further, in the absence of a definition of ‘serious harm’, it is possible that the legislation will cause an organisation to take a risk-averse position in order to avoid breaching such an obligation. This could, potentially, result in over-reporting of relatively minor data-related errors.

Obligation to Prioritise Notification
The current voluntary Data Breach Notification Guide (Guide) of the Office of the Australian Information Commissioner (OAIC) provides guidance to industry on matters relating to a breach of privacy. While it is difficult to quantify compliance with the Guide, there is anecdotal evidence to suggest that there is a high level of compliance within the telecommunications industry.
The Guide sets out the following steps to consider when responding to a data breach or suspected breach:
• Contain the breach and do a preliminary assessment;
• Evaluate the risks associated with the breach;
• Notification; and
• Prevent future breaches.

The Guide provides a degree of flexibility and allows businesses to consider each breach on a case-by-case basis. This is in contrast to the requirements in the Bill, as set out below.
26ZB sets out the order of processes that an entity must undertake immediately after a serious data breach has occurred. In our view, the order of actions that must be undertaken is contrary to the way in which good business practice would dictate, already outlined in the voluntary Guide. That is, good business practice would be to (a) contain the breach and do an assessment; (b) evaluate the risks; and then, if necessary, notify those affected by the breach. It is concerning that the Bill places more emphasis on notifying – and potentially confusing or alarming customers – than containing the breach, rectifying the issue and preventing its reoccurrence.
Once again, the current Guide provides much more flexibility in this regard and allows entities to determine on a case-by-case basis what actions should be taken. It is our view that the intent of processes to manage serious breaches of privacy should be on making good the harm that has been done, rather than causing unnecessary alarm.

No Right to Appeal a Commissioner’s Direction
26ZC(1) of the Bill states that if the Commissioner has ‘reasonable grounds’ to believe there has been a serious breach then he/she may direct an entity to undertake a process to notify.
In addition, 26ZC(4) states that ‘an entity must comply with a direction… as soon as practicable after the direction is given’.
Communications Alliance has serious concerns that these clauses provide no opportunity for an organisation to appeal such a determination. It is only reasonable that an entity should have an opportunity to have a right of reply, particularly in circumstances in which the Commissioner may be acting according to misinformation.


Association for Data-driven Marketing and Advertising

Opposed. It summarised its complaint as:

1) Failure to follow the Government’s promised process for privacy reform.
2) The Bill is being unnecessarily rushed through Parliament without proper consultation with private sector stakeholders who face significant additional costs and compliance red tape.
3) Imprecise and vague wording of key terms such as ‘serious harm’ on which important risk mitigation decisions depend.
4) Failure to demonstrate a clear public benefit to justify the additional compliance burden on small and large business.
5) Compliance costs to be passed through to consumers and result in higher prices for goods and services, and loss of competitiveness and innovation for Australian businesses.
6) Poor resource planning to deal with the spike in reporting bureaucracy.
7) Ill-advised additional powers to appointed, unelected officials, including the power to impose legislative mechanisms without reference to Parliament.
8) No evidence of systemic failure to justify a positive reporting regime.
9) Unfair exemption for political parties.
10) Failure to deal with fraud matters.

On the more practical, legally focused issues ADMA says:

Risk of Over-reporting Defeats Aim of the Bill
The absence of a clear definition of ‘serious harm’ in the legislation will likely cause organisations to become extra cautious about potentially breaching the obligation and so default to the most risk averse internal policy setting. This, in turn, will lead to the over-reporting of relatively minor data related errors, as compliance managers act to protect their organisation’s reputation.
According to recent research by McAfee (cited by Minister Dreyfus in a speech to a Privacy Reform and Compliance Forum in Sydney 12 June) around 21% of Australian businesses have suffered data breaches. In 2012 there were 2,141,280 businesses trading in Australia. That means the Privacy Commissioner can expect to be investigating 449,669 potential data privacy breaches once mandatory positive reporting takes effect.

and

Voluntary Disclosure Works
There are also many self-correcting mechanisms in the market. These include companies making announcements of their own volition, media disclosures and affected individuals taking actions themselves via social media or complaining to the OAIC. Companies with brand reputations to protect will fail to disclose data breaches at their peril.
Too Much Power to Regulators to Interpret Key Elements of Law
The failure to define key elements such as ‘serious harm’ will also give a free hand to the Regulator to interpret the legislation via regulation and use its new powers to impose punitive sanctions and Codes which will be a form of ‘back-door’ legislation without proper scrutiny by Parliament.
New Powers of the Commissioner to Impose Codes and Sanctions
ADMA contends that the data security measures contained in a combination of the new APP11.1, the enhanced powers of the OAIC and the existing voluntary Data Breach Notification Guide provide more than adequate protection for the types of breaches which have occurred to date.
ADMA is concerned that the ability of the OAIC to initiate the development of codes which will be legislative instruments may be tantamount to legislating via the back-door. If legislation is evidenced to be warranted, the matter should be subject to the usual legislative processes. The ability to circumvent the legislative process through regulator-imposed ‘code development’ – and then give the same weight to a code as the law – is deeply concerning.

Australian Privacy Foundation

Supportive as far as it goes. Judging by its two submissions, the APF would prefer the Bill to be more comprehensive. That said, aspects of the Bill are broadly consistent with its preferred option. In its supplementary submission the APF states, in part:

4. The Nature of the Harm Caused
APF’s view is that the potential harm which can trigger data breach notification requirements, and the harm which is compensable, should clearly be of the widest possible ambit, and it should be clear that it is not limited to any specified categories such as harm to reputation, economic harm and financial harm. For example, the following need to be included:
• serious inconvenience without financial or economic harm occurring;
• onerous effort needed to right a wrong;
• unreasonable denial of a loan;
• emotional distress, and psychological harm.
APF’s policy is that it is essential that any law make clear that all forms of harm to individuals’ interests must be taken into account.
5. The Trigger for Notification
The APF’s view is that the trigger for notification must not be set at too high a risk of harm, and that risk of harm should not be the only trigger for notification (at least to the OAIC). Aggregation of terms limiting the nature of the harm that triggers notification increases the risk that organizations will argue that one or other aggregated term does not apply to them. For example, a phrase such as “real risk of serious harm” is a very high threshold, because of the combination of ‘real’ (i.e. ‘not remote’) risk, ‘serious’ harm (with no clear notion of seriousness) and ‘harm’ which may be given a limited definition (as discussed in 4. above).
In addition, a second trigger is necessary. Any significant breach should be subject to notification in any case. If that were not the case, then a significant insecurity would not become apparent, and would not be addressed, and it would be very likely that it would later give rise to a serious breach that was eminently avoidable. A single threshold test would result in a scheme which was a failure.
APF’s policy is that a Bill should be based on either of two conditions being satisfied:
(a) a real risk of harm without qualifications such as ‘serious’; OR
(b) a significant breach, whether or not real risk of harm has arisen.

6. Enforcement of Organisations’ Security Responsibilities
If legislation is based on requiring notification only in the case of some, very serious breaches, then, although we understand the desire to avoid undue costs to organisations, and to avoid undue load on the OAIC, this means that the provisions will only have a very limited impact on organisations that have inadequate security safeguards. Hence two complementary features are necessary, as stated in the next two sections.
6.1 Clear Statement of Organisations’ Security Responsibilities
In January 2013, APF submitted to OAIC, in relation to its revision of the Guide to Information Security, at http://www.privacy.org.au/Papers/OAIC-InfoSecy-1301.pdf, that:
(1) The OAIC’s document needs to be revised to provide more direct guidance relating to the minimum safeguards that are required, together with references to documents that contain more detailed advice on specific security safeguards.
(2) The OAIC’s document needs to be revised to make very clear that privacy-sensitive personal information must be subject to additional safeguards, well beyond the minimum safeguards, that address risks that arise in the particular context.
(3) The OAIC’s document needs to be revised to project the following additional Key Messages, and provide supporting information:
• security safeguards are a mandatory requirement of the law, not optional;
• organisations that fail to implement the basic set of well-known safeguards for personal data are prima facie in breach of the Privacy Act, and are subject to enforcement actions; and
• organisations that handle privacy-sensitive personal information but fail to implement additional safeguards appropriate to the risks involved, are in breach of the Privacy Act, and are subject to enforcement actions.
APF’s policy is that Data Breach Notification legislation needs to be complemented by clear and specific instructions by OAIC to organisations in relation to their obligations.
6.2 Non-Compliance to be an Interference with Privacy
Non-compliance with an obligation to notify needs to also be an ‘interference with privacy’, and to trigger the Commissioner’s investigation and enforcement powers in the same way that other non-Principle breaches become actionable (e.g. of TFN Guidelines and credit rules).
The policy justification for this simple change is that, if this is omitted, then legislation would not empower individual data subjects who have been adversely affected by failure to notify a serious data breach to initiate any remedial action.
The proposed change would allow such individuals to lodge a complaint with the Commissioner concerning the non-compliance, and obtain any individual remedies to which they are entitled.
Without such a provision legislation would be incomplete and insufficient in that it would rely completely on enforcement initiatives by the Commissioner, with no provision for individual data subjects to obtain a remedy. Such an approach is also necessary because non-compliance with data breach notification requirements would not necessarily be accompanied by any other breach of the APPs, so a data subject would not necessarily be able to make a complaint even though they have been very adversely affected by a failure to notify.
This would not impose any additional compliance costs on regulated entities.
APF’s policy is that non-compliance with an obligation to notify needs to be an ‘interference with privacy’ and to trigger the Commissioner’s investigation and enforcement powers.
7. Exceptions
Privacy legislation in Australia generally contains excessive exceptions which harm its effectiveness.
APF’s policy in relation to any proposed exceptions is that:
• Any exemption should apply only to specific individuals;
• Exemptions should not apply to notification to the OAIC;
• Any organisation claiming exemption should be under an obligation to provide sufficient information to OAIC, or at the very least to a regulator such as the Inspector General of Security, in order to demonstrate compliance with exemption conditions; and
• Organisations should be under an obligation to notify as soon as the likelihood of prejudice that an exemption is aimed to prevent has expired.
8. Discretion for the OAIC
APF’s policy is that no discretions should be given to the OAIC in relation to the operation of a data breach notification system; and that, if any is given, then it should be minimal, and should:
• specify the precise circumstances in which it is available; and
• create an effective control over use of the discretion, such as publication of sufficient details that the public can evaluate the use of the provision.
9. Publication of Data Breach Notifications by the OAIC
Some data breach notification schemes only require publication of notifications by the organisation concerned. The APF’s view is that, whenever publication of notification by an organisation is required, that notification should also be published on the website of the OAIC, and such notifications should be retained there permanently.
The principal policy reasons for this policy are that:
• Unless this aggregation occurs, most notifications will (i) never come to public attention because they do not fall under subsections (h) above; and (ii) even if they are published on an organisation’s website, they will not be findable permanently after the event nor findable in the one location;
• It is important that all notifications, over time, be able to be browsed and searched, so that interested parties (and not only the OAIC) can identify any recurrent aspects of breach notification; and
• Transparency in data breach notifications is also likely to have a deterrent effect, and this is desirable.
The cost implications of compliance with this policy are negligible for organisations, because they would already be required to provide a copy of the notifications to be published to the Commissioner, and the cost of web republication by the Commissioner would be negligible.
APF’s policy is that all serious data breach notifications must be required by the Act to be published on the Commissioner’s website and retained there permanently.
10. Sanctions
APF’s policy is that the new civil penalty provisions in the Privacy Act should be applicable where there has been a serious or repeated non-compliance with mandatory notification requirements. This is essential to ensure that compliance is not merely voluntary.


Bruce Arnold

While the Bill is deficient in parts it is a first step towards best practice.

His concerns are, in part:

Specific Concerns
Offshoring
It is axiomatic that Australian law does not supersede the law in other jurisdictions.
It is also axiomatic, however, that we should take responsibility for matters that are in our control and should discourage a sense that the intent of Australian privacy law (and specifically mandatory reporting) can be disregarded by going offshore.
The reporting regime should cover breaches that are offshore but under Australian control.
That is consistent with the approach taken regarding spam and the Do Not Call regime. (I note that there were claims in parts of the information technology community that law regarding unsolicited commercial calls, faxes and email was unnecessary and undesired by consumers or would impose an onerous burden on business. Australia’s experience has demonstrated the lack of substance in those claims.)
Exceptions
The effectiveness of the Australian privacy regime has been weakened since 1988 through exclusions and exceptions. It is important to be forward looking and resist the temptation to enshrine exceptions and excuses for non-disclosure after a data breach has occurred. The legislation should not be inappropriately restrictive; it should instead cover those entities that are covered by the Commonwealth’s powers and should not take a narrow view of ‘personal information’ on the basis of medium or data type or construe harm solely in financial costs (ie should encompass mental harm or severe distress). Supervision by the Privacy Commissioner of mandatory breach reporting should not be fundamentally weakened through scope for discretionary exceptions. For the purposes of public administration we should reduce the subjectivity that results in ‘closed door’ dealmaking – and requests for deals. Consistency and transparency will reinforce the credibility of the Office of the Information Commissioner, which has been eroded by perceptions that the organisation is either very permissive or naïve, for example in dealing with breaches in the telecommunications sector.
Compliance
The Government has regrettably disregarded recommendations by three law reform commissions, by parliamentary committees and by analysts in belatedly passing the hot potato known as the privacy tort back to the Australian Law Reform Commission. We should be acknowledging that breaches impose a range of costs on the individuals and organisations whose information has been exposed without authorisation. Some of those costs are directly financial, rather than in embarrassment, heightened risk of danger from stalkers and so forth.
The Alerts Bill is deficient in terms of compliance. Penalties focus the mind wonderfully (and also gain the attention of journalists, thereby inducing greater awareness of breaches among managers and the community at large). On that basis the penalties for non-compliance with reporting requirements should not be trivial.
Experience demonstrates that if they are trivial they will be disregarded, which negates the point of the proposed legislation. We should look beyond the Bill and ensure that the privacy element of the Office of the Australian Information Commissioner has both the physical resources and the ethos to actively address compliance questions. In essence, there is no point in relying on a watchdog that is underfed, lazy and too scared to leave its kennel.
Access
It is essential that, in implementing a breach reporting scheme and moving towards best practice, the community should have ready access on a timely basis to information about the breaches.
That information should not be ‘hidden away’ or buried. It should instead be readily accessible in an electronic form that is readily searchable and that is stable (ie does not disappear because of volatility in design and maintenance of a website). It should be incumbent on the Office of the Australian Information Commissioner to maintain and publish on a timely basis statistics about the breach regime. That may require additional staffing of the Office, an investment that is justified as a foundation of an effective regime that meets the needs of Australian consumers and that reinforces Australia’s positioning in global e-commerce markets.

Australian Law Reform Commission

Not surprisingly, it is supportive.

ACCAN

It is very supportive of the Bill. To the extent it addresses the operation of the Bill it says:

We note that ACCAN and others have expressed concerns about various aspects of the Bill. In particular, there has been concern that the threshold test for the requirement (‘real risk of reasonable harm’) allows enough interpretation that too few incidents would be reported—or alternatively, that too many might be reported. We acknowledge that this test leaves room for interpretation. However, the test has been considered and recommended by the Australian Law Reform Commission, and it is used in the Office of the Australian Information Commissioner’s data breach notification guidelines. While it may be necessary to introduce a different test if evidence emerges that the proposed test is inappropriate, we suggest that a ‘real risk of serious harm’ is suitable in the absence of any evidence to the contrary.

Consumer Credit Legal Centre (NSW) Inc

It strongly supports the Bill.

Liberty Victoria

Liberty Victoria is generally supportive but does highlight some of the weaknesses in the legislation, in particular the lack of civil penalties for a serious breach. Whether the common law or equity will give individuals a means of taking action for egregious breaches is a matter for the development of the law.

The Bill imposes a data breach notification requirement on entities in certain limited circumstances and where an entity contravenes this requirement, it will have interfered with the privacy of an individual. The purpose of the legislation is commendable.
In essence, the Bill requires an entity to notify individuals of serious data breaches where they are significantly affected by unauthorised access or disclosure of personal information which will result in a real risk of serious harm to any of the individuals to whom the personal information relates (or the personal information is of a kind specified in the regulations). This extends to the loss of personal information in circumstances where unauthorised access or disclosure may occur.
Liberty Victoria believes the notification criteria are limited to an unnecessarily narrow cohort. Notification of the data breach to the individual affected should be made as a matter of course but remedies similar to civil penalty provisions should be available where significant risk of serious harm has been created by the data breach. Liberty agrees that harm should be defined to include harm to reputation, economic harm and financial harm; s26ZE.
Notification of serious data breaches applies in relation to personal information, credit reporting information, credit eligibility information or tax file number information; s26ZB. Liberty generally supports this approach although we note that there are some inconsistencies when referring to ‘tax file numbers’ or just ‘file numbers’ which should be addressed, see s26ZA in particular.
The proposed legislation requires notification by a statement which must be provided to the Commissioner, followed generally by the taking of reasonable steps to notify individuals significantly affected by the breach. In some cases this also extends to publishing the statement on the entity’s website and in one newspaper in each State. The statement must identify the entity, contain a description of the serious data breach believed to have occurred, the information affected and recommendations on what individuals should do about it. This is similar to breaches of environmental protection legislation and provides a beneficial remedy as well as a deterrent to lax procedures for organisations and entities upon whom the requirement is imposed. Liberty Victoria agrees with these requirements and notes that the regulations should require the published statement to meet minimum requirements as is common with notice requirements in the OHS and environmental field.
In terms of communicating the serious data breach, the Bill provides that the entity can notify individuals by whatever means normally used by the entity to engage with the individual; s26ZB(3). This is a sensible, technology neutral approach which we agree with as it should ensure communication of the serious data breach is effective and timely.
Whilst Liberty Victoria welcomes the general notification provisions contained in the Bill we are concerned that a large part of the Bill is dedicated to exceptions, the breadth of which Liberty opposes.
Enforcement bodies
Subsection 26ZB(4) exempts enforcement bodies from notifying individuals or publishing serious data breaches if it believes on reasonable grounds that it would prejudice one or more enforcement related activities conducted by it (or on its behalf). Whilst it is foreseeable that in some limited circumstances enforcement bodies would have need of this, it is also foreseeable that it could be used to avoid disclosing almost any breach by those bodies. Further, the following subsection allows the Commissioner to grant an exception which could be relied upon rather than relying on the enforcement body’s own determination of what might prejudice ‘enforcement related activities’. In our submission a process is required to ensure a degree of accountability and transparency and oversight of the decisions not to report on or notify of serious data breaches, and Freedom of Information provisions should be amended to permit access by individuals and the Privacy Commissioner within a period after any active investigation is completed.
Commissioner exemption
Subsection 26ZB(5) allows the Commissioner to exempt an entity from subsection (1) where satisfied that it is in the public interest to do so. However this exemption should be limited to subsections (1)(g) & (h) and not provision of the statement to the Commissioner. As noted above, it might be preferable to allow certain classes of matter to be referred to the Commissioner by enforcement bodies seeking a recommendation as to disclosure or non disclosure or exemption under this part, rather than the enforcement body clothing itself with total immunity and exercising their own broad exemption for all classes of data breach for all time.
So-called ‘secrecy’ exception
Subsection (10) is rather misleadingly entitled ‘exception – inconsistency with secrecy provisions’ and yet contains a broader exception where the notification of the breach would be inconsistent with any law of the Commonwealth that prohibits or regulates the use or disclosure of the information. This should be reconsidered.
Section 26ZC enables the Commissioner to direct an entity to prepare a breach notification statement and take steps to notify those significantly affected and also to publish details of the instance where the Commissioner believes on reasonable grounds that a serious data breach has occurred. However the Commissioner cannot give such a direction where any of the other exceptions apply; see subsections (5)-(7). Liberty strongly supports the Commissioner’s power to make such a direction and further recommends removing or reducing the breadth of the exceptions. By inserting the words ‘and appropriate in the circumstances to do so’, the Commissioner would only make such a direction where an entity had failed to take adequate or appropriate action itself.

The Commonwealth Attorney General’s Department

The Attorney General’s Department is implicitly supportive of the Bill. Its submission is more in the way of an explanation of the controversial provisions within the Bill, such as the definition of “serious harm”. The weight it gives to the Privacy Commissioner’s guide is significant, and it will be so for the initial period after the legislation is enacted. The role and action of the Privacy Commissioner is integral in the operation of the Privacy Act. That said, a guide is just that.

I am far from convinced that such a weight will mean too much once it becomes the subject of consideration by the Federal Court. Ultimately the Federal Court, and the appellate division, will need to review the meaning of that phrase and others. The guide is not a regulation. It is not ancillary legislation. It is clearly a relevant document; however, the judiciary will stamp its mark on how broad or narrow that phrase is. In that respect those querying the meaning of this and other terms have a point.

The guides put out by the Privacy Commissioner are very important documents. However, privacy writings and jurisprudence are extensive, particularly where actionable breaches have been part of the regulatory landscape overseas. Those developments will be relevant and may be very persuasive, even to the extent that they may be inconsistent with the thoughts of the Privacy Commissioner.

Concept of ‘serious harm’
One of the key triggers is that the access or disclosure of personal information involved will result in a ‘real risk of serious harm’ to any of the individuals to whom the personal information relates (see, for example, subparagraph 26X(1)(d)(i)). This was the threshold recommended by the Australian Law Reform Commission in its recommendation on this issue, and is the current standard used in the OAIC voluntary guide. It is therefore a commonly understood concept amongst agencies and organisations that have sought to comply with the OAIC guide.
The term ‘harm’ has been defined in clause 26ZE to make it clear that it includes certain types of harm such as financial, economic, and reputational harm. That definition has been included because it may not be clear from the dictionary definition that these factors are meant to be considered when considering the issue of ‘harm’.
The concept of what constitutes ‘serious harm’ is intended to be based on the same concept as currently appears in the OAIC guide. Entities have had no difficulties in understanding how it works under the guide. Rather than introduce uncertainty, it has flexibility to adapt the context in which an event occurs, as well as evolve over time.
Accordingly, rather than seek to prescribe a definition in legislation, it is preferable that the OAIC develop guidance about the particular circumstances and factors that might be relevant to the question of harm. This is a common approach taken in privacy regulation, which is more principles-based in nature. It is intended that a revised OAIC guide will continue to provide guidance on the factors that entities should consider when assessing whether the harm is ‘serious’.
Currently, the OAIC guide notes that harm could in some instances be ‘serious’ where it could lead to instances such as: identity theft, financial fraud, health fraud or fraud against the Medicare and PBS systems. It could also be ‘serious’ where it could be used to create discrimination or disadvantage or, in extreme cases, blackmail.
Threshold for reporting data breach
Aside from the concept of ‘serious harm’, the other element of the key trigger noted above is that the risk to the affected individual from the data breach is ‘real’. In terms of what would constitute a ‘real risk’, the Bill ensures that it excludes a risk that is a ‘remote’ risk (clause 26ZF). That is, a real risk cannot be something that is slight, unlikely, faint or improbable. That threshold is intended to exclude data breaches that are less serious and is intended to limit notification ‘fatigue’. As with the existing OAIC guide, it is expected that a revised version of that guide will continue to provide practical guidance on the circumstances in which a ‘real risk’ may arise.
Regulations
The Bill provides for certain matters to be outlined in the regulations rather than the principal legislation. These regulations may be made in two circumstances.
First, regulations may be made to specify particular situations that may also be serious data breaches even if they do not necessarily reach the threshold of a ‘real risk of serious harm’ (e.g. subparagraph 26X(1)(d)(ii)). For example, this could include the release of particularly sensitive information such as an individual’s health information which may not cause serious harm in every circumstance but should be subject to the highest level of privacy protection. It is necessary to provide this flexibility because it may be apparent in the future that there are particular categories of personal information that require this higher level of protection. Secondly, regulations will outline certain ‘general publication conditions’ which will outline the conditions under which an entity will be required to publish a notification about a serious data breach on its website and in newspapers, as opposed to directly contacting individuals (e.g. paragraph 26ZB(1)(h) and subclause 26ZB(12)).
There are a range of possible factors that might affect this issue, and which might differ depending on the entity involved, and the location of the affected individuals. The making of regulations would enable more flexibility in allowing these matters of detail to be changed as notification processes develop into the future.
For example, the regulations could provide that the ‘general publication conditions’ are met:
- where particular individuals do not have readily available contact details, or
- where online and newspaper publication methods may reach a larger number of affected individuals in a more timely manner.
As would normally be the case with the development of privacy regulations, these would be prepared in close consultation with relevant stakeholders, including industry groups.
In addition, any regulations made would also be an instrument subject to disallowance by the Parliament.
Order of action under existing OAIC guide
The Bill will not change the order of action that should be taken by entities in response to data breaches that currently comply with the OAIC Guide. The OAIC guide contains numbered steps to take in response to a data breach, but notes that particular steps may be taken simultaneously or in quick succession. Further, the OAIC guide states that immediate notification should be the first step if appropriate.
Therefore, the Bill does not have the effect of prioritising notification over other remedial action. The new notification requirement is completely consistent with the existing OAIC guide, and will complement existing legislative requirements that must be complied with in responding to a data breach.
In terms of other remedial action, the need to contain a data breach to protect against unauthorised access to, or disclosure of personal information, is an existing requirement in the Privacy Act (National Privacy Principle 4; Information Privacy Principle 4) which will continue under new Australian Privacy Principle 11.
Concept of ‘loss’
The concept of ‘lost’ personal or other information (e.g. subclause 26X(2)) is intended to cover the situation where an entity has disclosed personal information inadvertently, or mislaid or left that information unattended (e.g. losing a laptop or USB). While that information may never be accessed by an unauthorised person, it should still give rise to an obligation to notify because there is the potential for an unauthorised person to access the information. Early steps that are taken by individuals who could be adversely affected by that access could limit damage such as identity theft or fraud.
Currently, the OAIC Guide contains an example of where notification should occur where mail has been incorrectly sent to a different individual. For example, if the letter contains a PIN number, or contains health records, there may be a need to notify the affected individual. It is expected that a revised OAIC Guide will continue to provide practical examples to assist entities about this issue.

Australian Bankers Association

The ABA claims that the definition of real risk is uncertain and subjective.  This causes its members concern.  Before dealing with this argument it should be noted that, together with health records and the personal information held by government in its many guises, information about one’s finances is something that an individual wants to keep private. For a bank to wonder aloud whether information relating to customers’ accounts, their addresses, PIN numbers, mortgages or pretty much any information relating to them and held by it is private is either naive in the extreme or confecting a problem. Banks have long been well versed in the critical importance of keeping their records safe and private.

The definition of real risk is that which is not remote. One, or at least a lawyer, does not need to reach for a dictionary to know that the threshold is low. The more interesting question is what constitutes “serious harm.”  The Bills Digest regards the threshold as being relatively high and relies upon the ALRC’s commentary in this regard. In some industries, given the nature of the data, I am not convinced the threshold is that high. It is not necessary to define the threshold.  These are issues the courts are well able to address when required.  It is not necessary to define key terms in the Corporations Act or the Consumer Code.  Why is it necessary to exhaustively define this phrase?  The ABA’s complaint about the subjectiveness of the term is somewhat, if not absolutely, artificial.  Losing identifiable data of customers is a real risk of harm.  Losing a list identifying the number of bank accounts held by a branch, but no more, with no way of identifying the account holders, let alone their account numbers, is less of a risk of harm.  The complaint that regulations may prescribe personal information the release of which would constitute a real risk of harm ignores the role of Government.  The Government can determine that some personal information is more important than other information.  It does that already when defining sensitive information.

The complaint about notification and when it should be made is reasonable.  That said, the expectation would surely be as soon as possible.  There will be circumstances where it will be difficult to identify the best time to make a notification.  That said, there are examples from the USA, where the majority of states have data breach notification laws.  There will also be useful precedent from the UK and European experience, where data protection laws have long been established.

The submission provides:

2. Complying with the Bill if passed
2.1. Definition of “real risk of serious harm”
What is a “real risk of serious harm”? The meaning of this relevant criterion in the Bill will be unclear in an entity’s operational environment. The fact that the “real risk” is limited only to those individuals who are “significantly affected” by the breach does not help to clarify the primary criterion that there must be a real risk of serious harm.
The issue for entities is going to be determining what to report and what not to report. Experience with mandatory breach reporting to a regulator in unrelated areas of business activity indicates that entities often will need to seek legal advice whether there is an obligation to report a breach. Often the legal advice is uncertain with a decision by the entity to report irrespective of whether this is required by the law.
A more certain threshold test of what is a serious data breach which would result in a real risk of serious harm could strike an appropriate balance between the interests of customers while minimising the impact of notification on businesses. It could allow organisations to adopt a risk based approach.
However, clause 26ZF defines “real risk” as “not a remote risk”. Standard dictionary definitions of “real” refer to something that is “actual”. Using the distinction with a risk that is “remote” introduces a spectrum of risk where the point on the spectrum at which a risk is real and not remote creates potential uncertainty. Either “real” could be left to normal interpretation or it would be clearer to use the language of likelihood, which appears in the Privacy Commissioner’s Data Breach Notification Guide. This would be in line with ALRC recommendations and the international approach. ALRC recommendations include: “reasonable degree of likelihood”; “real and substantial risk”; “real and substantial danger”.
That said, tests such as a ‘real risk of serious harm’ can be subjective and will be interpreted differently by different institutions and in varying circumstances. Where there is the risk of civil penalties applying, conservative institutions like banks will generally adopt a risk averse approach to notification and take a narrow interpretation of what constitutes a ‘real risk of serious harm’. These interpretations need to be of a high enough standard to avoid notification fatigue (and resourcing issues at the OAIC) to avoid notifications to the Privacy Commissioner or customers where there was simply any risk of serious harm.
If the Bill becomes law, the ABA considers it is critical for the Privacy Commissioner to be required to develop guidelines for industry on this matter. This direction to the Privacy Commissioner should be included in the Bill or Explanatory Memorandum.
In developing this guidance on what should and should not be reported, the Privacy Commissioner should take into account examples provided by industry of what can actually occur in practice.
Further, there is a particular concern that the Bill contemplates there will be regulations prescribing a type of personal information, the unauthorised access, disclosure or loss of which will automatically constitute a serious data breach without necessarily involving any risk of serious harm to the individual concerned who under additional regulations could be taken (presumed) to have been significantly affected by the breach.
There has been no consultation on what may be contained in these regulations or whether there is any intention to develop these regulations. The Explanatory Memorandum to the Bill states in respect of this regulation making power in clause 26X(1)(d)(ii) of the Bill –
“The ability to make regulations to specify particular situations that may also be serious data breaches is intended to provide flexibility to deal with data breaches that may not reach the threshold of a real risk of serious harm but should nevertheless be subject to notification. These could include the release of particularly sensitive health information such as health records which may not cause serious harm in every circumstance but would be subject to the highest level of protection.”
This statement contradicts the policy basis of this Bill that only a “serious data breach” as defined in the Bill to the extent that an individual is “significantly affected” by the breach must be reported to the Commissioner and the individual notified accordingly.
There is also a risk that there may be types of information (e.g. bank details) prescribed in the regulations that may always warrant notification.
The ABA suggests this is an unsatisfactory approach to business regulation. Organisations will have to adjust existing compliance systems for reporting and notification of serious data breaches significantly affecting identifiable individuals without the knowledge of the scope of other circumstances which are later defined by regulations. The ABA believes in seeking to extend the scope of the Bill after it has been considered by the Parliament and with no limitation on the exercise of this regulation-making power the government is not acting consistently with the accepted tenets of best practice regulation.
Therefore, the Bill should include a mandatory obligation on the minister to consult on any proposed regulations and to specifically take into account industry submissions on the timing for commencement of those regulations.

2.2. Notification to affected individuals
As a general comment the financial impact for banks is dependent on what will constitute “a real risk of serious harm” which is discussed above.
The real cost to banks involved with this legislation is the actual notification to affected customers. If a bank, for example, suspected a possible data breach of part of its customer base, it may need to communicate with many individuals even if they are only those who have been significantly affected by the data breach. As already mentioned the breach may have arisen beyond the bank’s control. For organisations with large customer bases, the notification requirement may result in a disproportionate cost to the organisation compared with the possible harm caused by the breach.
Further, the Bill is unclear in what circumstances a bank would be required to notify affected individuals where, for example, a third party such as a merchant is responsible for the unauthorised access to or disclosure of its customers’ credit card data held by the merchant. These data also will be held by the relevant bank. Yet again, some of these details possibly may be held by a range of other entities including other merchants and possibly government agencies. Is it the case that these other entities would be obliged to notify affected individuals and how would duplication of these notifications be avoided so as not to confuse or unnecessarily concern those significantly affected individuals?
The Bill should make it clear on which entity responsibility for notifying significantly affected individuals falls including any change in that obligation when the entity that was responsible for the data breach which, for example, lost or disclosed the information, has only incomplete information. For example, the entity may have an individual’s name and credit card number, but no contact details for the card holder who is the significantly affected individual.
While this could be covered in Privacy Commissioner’s industry guidelines, these guidelines are no substitute for compliance with the law. The ABA considers that the Bill should be amended to cover these situations.
It is important that the reporting and notification provisions in clause 26ZB of the Bill provide certainty for entities in complying with these requirements. As currently drafted clause 26ZB triggers an entity’s reporting and notification obligations once the entity has formed a belief on reasonable grounds that a serious data breach has occurred. The entity must then as soon as practicable take steps to comply with the section. The Bill as drafted does not directly deal with the situation where an entity discovers a breach but does not at the time know the scope of the breach and therefore how many and which individuals will be significantly affected. An entity that fails to notify all significantly affected individuals as soon as practicable after becoming aware of the breach for this reason could arguably be at risk of breaching mandatory breach reporting requirement. The Bill should make it clear that the timing of the reporting and notification obligations is conditioned by the time that an entity reasonably requires to identify the scope of the breach and the individuals that are significantly affected by the breach.
There is a critical element of the notification model in the Bill that is missing because it is unclear what “general publication conditions” will mean if these conditions are satisfied. Without this definition, the real impact of the Bill cannot be assessed because the meaning of this expression will be covered by a regulation-making power in the Bill. Regulations dealing with this aspect have not been provided with the Bill. The administrative and compliance implications and costs for banks and other entities will depend upon when organisations are able to notify data breaches by public announcement, rather than having to individually write to each affected customer. This will also have an effect on the timing for commencement of the Bill, if it is passed.
Proposed regulations defining what is meant by “general publication conditions” in the Bill should be made available.

The Office of the Australian Information Commissioner

Not surprisingly the Commissioner is supportive of the Bill.

 

Cyberspace Law and Policy Centre, UNSW Faculty of Law

It is supportive but critical of the proposal for not going further.

Its submission provides:

Mandatory Data Breach Notification is increasingly the norm, and something we support in general: it has been law in parts of the USA for a decade, is increasingly common in other countries, and has been under discussion in Australia for years. The general concept is also increasingly accepted in Australia, including by some businesses who appreciate the transparency behind it as a necessary part of earning the essential ingredient, consumer trust and confidence in ecommerce and online systems in an environment where absolute security clearly cannot be promised.
A Mandatory Data Breach Notification scheme is not the answer to everything arising from a data breach, but is often helpful. And it is much better than accepting a silence, or a delay, after a breach, which some data hosts are tempted to do even with a voluntary scheme. The voluntary scheme which has been operating for several years has the potential for a perverse incentive to not disclose, since there are no real penalties, no clear obligations to breach, and notification is rarer and thus more likely to have a reputation impact as a novelty. To this extent it is more helpful to those not wishing to acknowledge a breach than those who accept their obligation as a matter of good practice.
A mandatory scheme by contrast creates the proper incentive to disclose, since there is a clearer obligation and potential penalties. Part of the benefit for business is that the more disclosures are notified, not only do consumers or data subjects get a better chance to respond and address their own interests quickly (the main purpose), but they also become more aware of the incidence of the problem, with attention then being focused more on
a.) the promptness and effectiveness of the notification and
b.) other record-holder efforts to help mitigate the impact and avoid recurrence, rather than novelty.
The reputation risk (of being seen to behave inappropriately) is transferred to the non-discloser, who now stands out and is clearly not responding appropriately.
The Privacy Alerts Bill is however a ‘lite’ version of a Mandatory Data Breach Notification law.
Future international comparisons may show that, if passed in the current form, it will fall well short of best practice, and there may thus also be many Australians who might expect (and need!) to be notified under this model who may be still left in the current unsatisfactory limbo.
The Bill should be passed rather than rejected, but if passed should be substantially amended to address some of its shortcomings.
It is still worth noting that the title should use the by now conventional term ‘data breach notification’, so the Act should be called ‘Privacy Amendment (Data Breach Notifications) Act 2013’ or similar. This is a minor point, but puts it in the context of the growing international jurisprudence, and is not likely to have any deleterious effect on public awareness.
It is very important to cover offshore breaches under local control. To do otherwise is to invite offshoring to avoid the obligations, bad for consumers and bad for highly secure Australian online businesses. It is not clear that this is achieved.
The effect of a non-compliance with notification obligations should be treated similarly to other breaches of privacy. A breach of the compliance obligation should clearly constitute an ‘interference with privacy’ to enable access to other capabilities and regulatory responses if necessary, including civil penalties in the worst cases. It appears that this treatment has been taken into account in this version of the Bill in s3 which creates a new s13A in PA; this is a very welcome development.
It is equally important to limit the scope for exceptions and excuses, for non-disclosure where there is any prospect of impact on subjects. This aspect is deficient as the scope is limited to only those entities covered by the Privacy Act, which is too narrow. The Bill should cover all organisations and all data types of “personal information” that could be subject to a data breach and be covered by the Commonwealth’s powers. Many new e-commerce entities will be exempt, yet they can do serious damage with poor practice, and need to be held to the same protective standard to avoid undermining public confidence in ecommerce data safety.
Exceptions, if they are permitted, should be limited to named entities not classes, require full justification and verification, be limited in duration to the minimum time necessary, not allow failure to inform the regulator, and otherwise be as limited as possible. (Past practice with privacy amendments has been to include a raft of such exceptions, undermining the main provisions; in the case of data security, it is too important to offer an easy excuse for non-compliance.) Similarly, the OAIC’s operation of the scheme should not be subject to discretionary variation or exceptions; where discretions exist they should be defined, and transparently reported. This Bill should not set up a scheme where there is an endless queue to the commissioner’s door for secret exemptions, which would undermine the purpose of the Bill, and the basis of public trust and confidence that they will be able to find out if there is a breach; this would be both a waste of the commissioner’s time, which is better spent pursuing breaches and complaints, and undermines the expectation of compliance.
Equally, the type of potential harm needed to trigger an obligation should be more broadly cast, to also include e.g. serious inconvenience or need for very onerous action not limited to pure financial costs, impact on capacity to get services like credit, housing, insurance etc, and serious mental harm or distress.
Public access to information on both statistics (by sector and over time) and individual case details is very useful. This can be achieved quite cheaply with modern online tools. The benefit outweighs the cost here. It should be mandated. We would expect an explicit obligation on the regulatory system to either itself publish or require publication of both case details and statistics in an efficient, searchable public online register, with stats and serious breaches published online permanently. (Too much online material about the operation of the law in this area is at risk of being lost due to the folly of unpublishing documents during bureaucratic reorganisations and administrative changes, so the permanency should be explicit.)
The Privacy Commissioner should be expected to issue supplementary guidelines setting out suggestions for good practice in more detail.

Office of the Victorian Privacy Commissioner (Privacy Victoria)

The Victorian Privacy Commissioner has been a very effective and proactive educator on privacy issues.  It has, in the past, made excellent submissions to relevant inquiries and on privacy related bills.

The Commissioner is generally supportive of the Bill but does raise a few issues, in particular what constitutes a real risk of serious harm.  The definition of real risk sets a low bar: it excludes only remote risks.  Harm is defined inclusively and broadly.  For those who practice in the area of defamation, the threshold to establish reputational harm is not high.  Release of personal information which would lower one in the eyes of the community would fall within that category.  Given the development of the common law, that which would cause severe distress would also be relevant.   The Victorian Privacy Commissioner’s concerns about “serious” are misplaced on both a legal and a practical basis.  The Explanatory Memorandum provides a good summary of the way in which harm has been considered.  If anything, the Explanatory Memorandum overstates the threshold.  The more codified these terms are, the less flexible the Act becomes to properly administer and operate.  It may be that the Federal Court will consider these terms in time.  That is entirely appropriate and is the way the Trade Practices Act, in particular section 52, developed; it is regarded as a very successful piece of legislation.  Organisations know the type of personal information they hold.  They will, or at least should, have a good idea of how the owners of that information would regard its disclosure.

The Privacy Commissioner’s guidelines are an excellent resource.  But they are only that.  They are not regulations.  Recommending that the Privacy Commissioner establish what the Victorian Privacy Commissioner calls “binding guidelines” is bad policy and probably ultra vires.  Whether the Commissioner can establish a Code, as permitted under the Act, to deal with this issue is an interesting question, but it is also bad policy and law.  Setting up varying definitional constructs for various industries, groups or agencies will lead to complications and potential unfairness in the operation of the law.  The concepts are drawn broadly but they are hardly extraordinary.  The Corporations Act and the Consumer Code are not rigid codes.  The terms adopted in those pieces of legislation are often drawn broadly.  Many organisations covered by the Privacy Act have a sophisticated understanding of how important personal information is, what would cause serious harm and what would not.  Or at least they should.

The Victorian Privacy Commissioner’s concerns about the exemption process are very valid. Given the “stop the clock” operation of requesting an exemption, there is a real chance that organisations may abuse the operation of the Act and seek an exemption to buy time so that they may work out a PR or other response.  In addition to the public policy problems, this may, as the Commissioner fears, impose strains on the Privacy Commissioner’s operations. The Victorian Privacy Commissioner recommends additional funding as a partial solution.  That may be necessary.  But some form of default cut-off to the period in which the clock stops may also be necessary.

The submission relevantly provides:

4. What is a real risk of serious harm?
a) Lack of certainty around when entities need to notify
One potential area of uncertainty surrounds definitional questions concerning the circumstances that trigger the notification requirement. The requirement is that an entity believes on reasonable grounds that there has been a “serious data breach” concerning affected individuals, in turn defined as being that the disclosure/access/loss etc. will result in a “real risk of serious harm”. As the notification requirements are predicated on the entity’s (or Commissioner’s) interpretation of this requirement, lack of clarity (or a means by which clarity can be achieved) may lead to entities either under-reporting or overreporting security breaches.
‘Harm’ is defined at s 26ZE inclusively as including harm to reputation, economic harm, and financial harm, although presumably relying on the words’ ordinary meaning, could extend outside of these types of harm. ‘Real risk’ is defined as a “risk that is not a remote risk” (s 26ZF). These two definitions alone may not be adequate for an organisation to determine when it is required (or not) to perform notification.
Further, and of particular concern, is the fact the term ‘serious’ is undefined. This, again, is a potential source of uncertainty or confusion. The Explanatory Memorandum goes some way to attempting to flesh out what ‘serious harm’ constitutes, mentioning physical and psychological harm, but is of limited legal force.
b) Provide a power for the OAIC to produce guidelines on the definitional question
A mechanism that could be used to address these concerns would be to provide the OAIC with the legal authority to provide guidance on these issues. The OAIC’s guidance may be able to provide direction about, and examples of, the kinds or types of harm that would meet the threshold. Although the Explanatory Memorandum indicates that this process will occur, my understanding is that any OAIC guidance will be merely persuasive.
Quite clearly, subsequent OAIC guidance will need to take into account different scenarios and contexts in which organisations handle personal information. There are a number of preexisting publications which may be of assistance in this process – examples include the OAIC’s April 2012 Guide to handling personal information security breaches. I note that this (currently, voluntary) document does list considerations in determining harm, but the Bill as it stands does not provide the Commissioner with a regulatory power to define these terms or provide the Commissioner’s guidance any legal authority.
There are also a variety of other sources which may be used by the OAIC to inform the development of guidance. In the defence and law enforcement contexts, officials are often required to report on serious security breaches and relevant agencies have produced internal guidance for their staff. This may be a potential source. Any approach to resolving these issues should be consistent with the Commonwealth’s Protective Security Policy Framework (PSPF), which details government expectations in relation to security incident management and reporting. The PSPF is a risk-based, administratively imposed protective security framework and, as such, ideally should be linked with and inform the OAIC’s authority to produce mandatory guidance material.
Ultimately, the best way to determine the trigger for notification is not through abstract legislative definitions (irrespective of whether such definitions are exclusive or inclusive) but by the OAIC developing binding guidelines to flesh out these terms and providing the Commissioner with an ability to amend those guidelines as circumstances, harms and risks evolve. This process would require the OAIC to consult extensively with relevant stakeholders, but also with bodies tasked with policy and operational security responsibilities (in a Commonwealth context, this would include the Attorney-General’s Department which has protective security policy responsibility.)
In summary, I recommend that the Committee consider whether the Bill should provide a power for the OAIC to issue legally binding guidelines as to precisely what constitutes a “real risk of serious harm.” A model already exists in the Privacy Act – the ability of the OAIC to issue guidelines for handling of tax file numbers.
5. Notification to the Commissioner
c) The Commissioner can exempt entities from notifications
Section 26ZB contains the requirement for entities to notify the Commissioner and individuals significantly affected. The Commissioner is provided with a power to exempt entities from notification (i.e. to affected individuals) under s 26ZB(5). Section 26ZB(9) contains a mechanism where if any entity forms a belief about a serious data breach, and as soon as practicable after that belief, applies to the Commissioner for an exemption notice, the notification requirements do not apply for the period in which the Commissioner is making a decision in relation to the application.
d) Applications for exemptions may cause significant delays
Whilst I do not oppose providing the Commissioner with this power, I am concerned at the potential practical effect of the provision. When an entity applies to the Commissioner for an exemption, the practical effect is that it ‘stops the clock’ on notification until the Commissioner has determined whether or not to grant an exemption. This could lead to a high level of applications to the Commissioner in circumstances where entities are either unsure of their obligation to notify (possibly due to uncertainty around the above definitions), or entities simply wish to try to escape or delay notification by applying for an exemption. At this point, the notification process enters a legal and administrative lacuna and there is no mechanism available to remedy it. There is no obligation for the OAIC to determine such applications within a particular time frame.
This will impose a significant burden on the OAIC’s processing and consideration of exemption applications. Any delay by the OAIC in determining applications for exemptions will result in a delay of subsequent notification to individuals (i.e. where an exemption application is rejected) thus exacerbating the potential risk of harm.
In my view, the policy objectives the Bill is designed to achieve would be more effectively implemented if there was a presumption in favour of notification. This would mean that an entity seeking an exemption should be required to satisfy the OAIC on the balance of probabilities that the exemption should be granted. Such a requirement should be subject to explicit time limitations and the OAIC should be empowered to withdraw an exemption where circumstances change.
e) The Bill should afford extra resources to the OAIC and contain a maximum time period for the OAIC to assess an exemption application
There is therefore a distinct possibility, given the lack of resources afforded to the OAIC and the lack of time limits in the Bill mandating the OAIC to make a decision within a particular time frame, of delay occurring in circumstances where there may be real risks of serious harm to affected individuals.
I suggest the Committee consider:
- The potential resourcing implications on the OAIC in conferring additional functions on it;
- That the Bill provide a maximum time period in which the OAIC must make a decision to exempt/not exempt an entity from notification. If a decision is not made within that time period, the presumption in favour of notification would apply.
6. Exempt organisations
f) Removal of the small business exemption for data breach notification
The notification requirements do not apply to organisations that are small businesses. My office (and the Australian Law Reform Commission) have recommended that the small business exemption be removed in its entirety. In my view the policy basis advanced to support the small business exemption from privacy does not apply to security and the exemption is accordingly misconceived.
In essence, the Bill’s objective is to reduce harm that could occur to individuals by notifying affected persons of privacy and security breaches, and to manage risk.
However, it is entirely possible that a significant data breach could occur in a small business context but, due to the exemption, that small business has no obligation to notify affected individuals.
The policy basis that underpins the small business privacy exemption is inapplicable to security. Small business makes up about 94% of Australian enterprises. As the cost of information and communication technology has reduced and its capabilities have increased, more and more small businesses collect and handle large quantities of personal information. Trust in the security of personal information collected and handled by both the public and private sectors underpins the economic efficiencies that flow from the information economy. These efficiencies will be curtailed by exempting the vast majority of the private sector from any form of information security accountability.

Office of the Information Commissioner, Queensland

This office provided a very short submission essentially adopting the Victorian Privacy Commissioner’s submission about the definition of “serious” in the context of serious harm and how section 26ZB will operate.

Australasian Retail Credit Association

This submission doesn’t seem to deal with data breaches and notification.  It addresses the issue of repayment history information and testing of data.

Civil Liberties Australia

The submission is brief and broadly supportive. It seeks a broader definition of “harm”.

It provides:

Civil Liberties Australia would also like to draw the Committee’s attention to proposed section 26ZE. Civil Liberties Australia believes this definition of ‘Harm’ is too limited and ignores that a loss of personal information, including login passwords or usernames, from one service provider (or entity) may compromise other services due to duplicate passwords or common email address. For example, if the username or password a person uses to log into Facebook is compromised it may be possible for a third party to break into other services which use the same login details. As hacked passwords and usernames are frequently ‘dumped’ online, and become available to anyone, this future attack may not even be committed by the individual responsible for the original unauthorised access. While it is best online security practice to avoid using common passwords, this rule is more honoured in the breach than in the observance.
This ‘harm to identity’ may not result in any tangible or immediate economic, reputational or financial harm. As such, it may not be captured by the meaning of the word ‘Harm’ in s 26ZE. In the context of this submission ‘identity’ means the unique informational qualities a person uses to authenticate their identity: username, password, biometric information, date of birth, postcode etc…
Civil Liberties Australia proposes that this clause be amended so that ‘harm to identity’ (however phrased) is also specifically listed as a recognised harm.
Notwithstanding our concerns, we believe this Bill represents a worthwhile first step and should be supported.

Australian Finance Conference

The AFC recommends the self-regulatory or voluntary process. It is a submission that focuses on the costs of regulation and complains about lack of consultation (a reasonable point but not really relevant for this process), saying:

On a broader level, the AFC is not aware of evidence to substantiate regulatory or market failure that creates consumer protection risk that would justify additional legislation. As noted earlier, safe and secure data handling is embedded within the compliance culture of AFC Members for regulatory risk, customer relations, corporate governance and commercial reasons.

and

Further, in parallel with the mandated obligations, the self-regulatory or voluntary process for breach notification outlined in guidance issued in 2008 by the Privacy Commissioner (and updated in 2012) is, in the view of AFC Members, effective. It reflects the outcome of extensive stakeholder consultation that ensured a process that could be efficiently adopted in a manner that achieved its underlying consumer protection outcome. In addition, regulated entities appear to be utilising the process based on data breach statistics provided in the Australian Information Commissioner’s Annual Reports. Of note, contrary to the Government’s concern that risk of breach may be on the rise in practice, the statistics of reported breaches in the Commissioner’s 2011/12 Report show an 18% decrease in data breach notifications in comparison with the previous year.

Insurance Council of Australia

The substance of the ICA’s submission is found in the attachment. It complains about the uncertainty associated with the definition of “harm.” That is a common complaint but one that is not warranted. The ICA queries the difference between economic and financial harm. It is a fair point, though not much will turn on it. They do cover slightly different issues. Financial harm is a matter that the courts have considered at length in commercial litigation. It is a matter that may require consideration in another place but it does not affect the operation of the Act. As with other submissions there is something of a jeremiad about what “serious” means. Given the ICA represents a body whose members write policies whose terms are not inflexibly defined and whose policies have been reviewed for decades, this issue should be classified as more annoyance than legitimate concern as to the ICA’s members’ legal position. The ICA’s submission that the approach and criteria applied to notifications to ASIC should be the same as or similar to that which applies to the OAIC under this Act assumes that the issues are comparable. Privacy is and should be regarded as a distinct and specific area of law. There are concepts of privacy which are not comparable to those dealt with by ASIC and its governing regulation. There is little logic in this proposal and it is poor public policy.

The ICA expresses concern about the operation of the exemption provision. The concerns about when the exemption is given are largely unmeritorious. There is no need to define when an exemption can be given. Such rigidity is not necessary. The ICA’s argument that publication should only be required where it is in the public interest seeks to reverse the proposed operation, under which an exemption from disclosure can only be granted when there is a public interest. That is too high a test. The complaint about the potential need to publish for one breach for one consumer lacks any merit. Such a breach may be highly significant. Data held by insurers are often sensitive. It is not entirely clear what “..legitimate family law and potential criminal issues which need to be considered” means. The ICA states that “If publication is required, only relevant information should be published”. The Bill states at section 26ZB(2) what needs to be contained in a statement. That is all quite relevant.

Trying to distinguish privacy breaches involving bank accounts and password protected websites from “..the day to day business of general insurance..”, and then to argue that prescriptions on the former should not apply to insurers/brokers/underwriters etc., is not sustainable on a legal or logical basis. Information provided to insurers can be very sensitive, even more so than that held by banks. The complaint about the operation of section 26X(3) is not sustainable. The provision does make sense, as does the other provision complained of, section 13(4A).

It provides:

ATTACHMENT
Definitions
- Section 26ZE defines harm to ‘include’ the three elements under that section. The Explanatory Memorandum (p.57) indicates this section is included to provide clarity, that the list is ‘non-exhaustive’ and is in addition to the ordinary meaning of the word ‘harm’. It is considered however that this only serves to increase uncertainty as it potentially means a range of matters not specified in the Bill could also be considered ‘harm’.
There is also no explanation under s26ZE as to what ‘economic harm’ and ‘financial harm’ means and it is unclear how these two are to be differentiated.
Further uncertainty exists as the Explanatory Memorandum (p. 42) notes that the ability to make regulations to specify particular situations that may also be serious data breaches is intended to provide flexibility to deal with data breaches that may not reach the threshold of a real risk of serious harm but should nonetheless be subject to notification.
- There is concern around what ‘serious’ in the Bill means. In the definition of a ‘serious data breach’ the Bill refers to ‘a real risk of serious harm to any of the individuals to whom the personal information relates’. ‘Real risk of serious harm’, an essential element of a serious data breach, is left undefined. Uncertainty as to how ‘serious’ is to be determined creates the possibility of it being interpreted at a very low benchmark when linked to an individual.
Insurance Council members have raised concerns that the proposed response (publication) could be disproportionate to the nature of the breach involved particularly taking into account the number of transactions that a large insurance company processes on a regular basis.
- As noted above, OAIC is expected to provide guidance on the concept of ‘real risk of serious harm’. To ensure a balanced view, it has been suggested that the ‘serious data breach’ definition should take into account factors such as those outlined in section 912D(b) of the Corporations Act.
These factors, which are considered when determining whether a breach is significant and whether there is a requirement to notify ASIC include: the number or frequency of similar previous breaches; the extent to which the breach indicates that the entity’s arrangements to ensure compliance with the obligations are inadequate; and the actual or financial loss to the individuals affected. Another factor which may also be relevant in determining whether a breach is serious relates to the type of information which has been accessed or disclosed and whether it is classified as sensitive information.
The Insurance Council submits it makes sense to harmonise the approach in reporting breaches to ASIC and the OAIC. ASIC’s principle-based breach reporting process is set out in Regulatory Guide 78 and enables each entity to take into account the nature, scale and complexity of their business when determining significance.
Publication
- As explained above, it is difficult in the absence of draft regulations to comment definitively on how the proposed publication sanction would impact general insurers. For example, the Explanatory Memorandum (p.56) states the regulations will deal with situations where it is impossible for the entity to contact each affected individual or where an attempt to contact each individual would be ineffective.
The Insurance Council has previously submitted to the OAIC that the existing arrangements and voluntary guidance are sufficient and appropriately flexible to take into account the individual circumstances of a breach. The current voluntary guidance notes that notification may not be appropriate in all cases.
While section 26ZB(5) in the Bill provides that the Commissioner may issue an exemption notice from publication where there is a public interest in not notifying, how this exemption is to work needs to be clarified. For example, there is no explanation as to when the proposed exemption would be given along a data breach timeline. The public interest test should apply prior to requiring disclosure so that publication would only be required where it was in the public interest.
It is also unclear how the publication conditions are likely to assist an aggrieved consumer and broader community. The requirement to publish, for instance in the case of one breach for one consumer, may be excessive and have little public interest value.
Furthermore, there may be legitimate family law and potential criminal issues which need to be considered. If publication is required, only relevant information should be published. It is acknowledged that for privacy breaches involving bank accounts or websites that are password protected, consumers should be advised of breaches as soon as possible to allow them to take steps to change passwords and protect their information. It is unlikely this situation would arise in the day to day business of general insurance and the prescriptive approach may be excessive for all possible types of potential privacy breaches. In any event, a serious data breach may not affect all customers and it is unclear what benefit would be achieved in causing unnecessary alarm and angst to customers who are not impacted by the breach.
- The legislation should also be written in technology neutral language so that it does not become outdated and does not exclude other methods of effective publication.
Overseas recipient
- Section 26X(3) appears to make the local entity responsible for notifying a serious data breach of personal information held by the overseas recipient, but it is not clear that this is the intended effect. Following on from that, s26X(3)(b) makes the application of APP8.1 a prerequisite to s26X(3)(d). It is not sufficiently clear whether, in circumstances where an entity successfully invokes one of the defences in APP8.2, a serious data breach of personal information held by an overseas recipient is not required to be reported. This should be clarified.
Interference with the privacy of an individual
- Schedule 1, Clause 3 inserts s13(4A) which makes a failure to notify or failure to comply with a direction to notify an ‘interference with the privacy of an individual’. The Insurance Council considers the wording is ambiguous. It should be clarified whether the intention is to tie this back to the civil penalty provision so as to allow a fine to be imposed for serious and repeated interference with the privacy of an individual (i.e. for repeated and serious failure to notify).
Resourcing of OAIC
- Adequacy of the resourcing of the OAIC is another significant consideration having regard to the expansion of the functions and powers of the Commissioner proposed under a mandatory data breach regime. The OAIC would need to be resourced to prevent, for example, limitations in its governance and consideration of applications for exemptions. If too great a burden is placed on the OAIC, it may be unable to effectively perform the functions conferred upon it by the privacy reforms.

Electronic Frontiers Australia

The EFA is supportive in principle; however, it is of the view that the Bill could be stronger. It raises concerns about the meaning of “serious harm”, preferring to delete “serious”. Much of the balance of the submission is policy oriented discussion.

It provides:

Minimum data security standards
EFA also recommends that, as suggested by Securus Global, minimum data security standards, including monitoring practices, be developed in consultation with relevant industry and civil society organisations. These standards should build on existing best practice standards already available and should be framed to provide practical guidance to organisations of all sizes and across all sectors that collect private information. Education and media campaigns and an outreach program utilising a broad range of representative industry associations should be conducted to maximise the adoption of these standards.
Nature of harm
EFA believes that the definition of harm in section 26ZE should be expanded to include:
- psychological harm
- onerousness and inconvenience to the individuals affected
- harm caused by breaches of inaccurate data (which in many cases will cause more serious harm than for breaches of accurate data)
If the definition of harm is not expanded, EFA believes all references to ‘serious’ should be removed from ‘serious data breach’.
Exceptions under section 26ZC
EFA is also concerned about the lack of judicial or parliamentary oversight involved with the exceptions that prevent the Commissioner from directing an entity to provide a notification of a serious data breach, as defined in Section 26ZC, sub-sections 5 and 6.
With regard to sub-section 5 (b), EFA believes it is appropriate that certification of reasonable grounds for an exemption for an enforcement body is required, however this “certification” does not appear to be a sufficiently powerful mechanism for ensuring the accountability of enforcement-related data. EFA is concerned that the simple certification process outlined could too easily become an ineffective ‘rubber-stamp’ procedure.
EFA believes that the Act should specify the full certification process to be followed in these cases, and that there should be some form of judicial or parliamentary oversight of this certification process to ensure that the process is being followed correctly.  With regard to sub-section 6, EFA is similarly concerned that an even lower standard of accountability is being applied to the determination of inconsistency with secrecy provisions than for enforcement-related data. Unlike sub-section 5 (b), sub-section 6 does not even outline a mechanism for making such a determination. EFA believes that, as above per sub-section 5 (b), the process for determination of inconsistency with secrecy provisions should be fully specified, and that judicial or parliamentary oversight should be included.
Judicial or parliamentary oversight is necessary because decisions about data of this sensitivity need to be held to a very high standard of accountability. EFA understands that, in relation to both sub-sections 5 and 6, this oversight may need to be conducted in-camera, with a mechanism described for the application and form of an in-camera hearing. In-camera hearings should still be subject to oversight and the proceedings should still be available upon request for legal purposes such as criminal and civil hearings.
Reporting by OAIC
EFA recommends that the Office of the Australian Information Commissioner be required to compile, report on and publish public notices on a regular (quarterly) basis related to actions it has taken in relation to this Act.

The submissions essentially divide along fairly predictable lines. Consumer groups, civil liberties and privacy advocates support the proposal, if somewhat guardedly. Industry bodies whose members handle personal information on a regular basis see no need for the Bill and are concerned about its drafting. The Bill is adequate and in effect may be excellent. As drafted it is somewhat cumbersome.
