Bills digest of the Privacy Amendment (Privacy Alerts) Bill 2013
June 23, 2013
The Parliamentary Library has prepared a Bills Digest on the Privacy Amendment (Privacy Alerts) Bill 2013. It is found here.
As usual it is an excellent resource. It provides:
Structure of the Bill
The Bill contains one Schedule of amendments to the Privacy Act. The main amendment in Schedule 1 is item 4 which inserts a new Part IIIC, titled ‘Data breach notification’, into the Privacy Act following existing Part IIIB. This new Part contains the substantive elements of the mandatory data breach notification provisions, which apply to entities that are regulated by the Privacy Act.
The new Part IIIC is divided into three Divisions. Broadly, the first Division sets out when a ‘serious data breach’ will have occurred, the second Division contains obligations for entities to notify of that serious data breach, subject to certain exceptions. The third Division concerns general matters including relevant definitions specific to Part IIIC and application provisions.
Background
Data breach notifications
As the Explanatory Memorandum notes, mandatory data breach notification commonly refers to:
… a legal requirement to provide notice to affected persons and the relevant regulator when certain types of personal information are accessed, obtained, used, disclosed, copied, or modified by unauthorised persons. Such unauthorised access may occur following a malicious breach of the secure storage and handling of that information (e.g. a hacker attack), an accidental loss (most commonly of IT equipment or hard copy documents), a negligent or improper disclosure of information, or otherwise.
Data breach notification is a topical issue in privacy regulation around the world, with concerns about identity theft and identity fraud being the main issues driving the development of new laws in this area.
Currently, the Privacy Act does not impose an obligation on entities to notify the Australian Information Commissioner (the Commissioner) or any individuals whose personal information has been compromised. However the Act does require that agencies and organisations take reasonable steps to maintain the security of the personal information they hold. The Office of the Australian Information Commissioner (OAIC) currently has in place a voluntary guide for entities giving advice on how to handle a data breach. The guide was developed in August 2008 and revised in late 2011. Although not mandatory, entities regulated by the Privacy Act are encouraged to comply with this guide. In relation to this voluntary guide, the Privacy Commissioner, Timothy Pilgrim, has said that research would indicate it is not adequate. He notes that despite the increased number of data breaches over the last three years the OAIC received only 46 data breach notifications in the 2011-2012 financial year, an 18 per cent decrease from the previous year. Mr Pilgrim is concerned that the OAIC is ‘only being notified of a small percentage of serious data breaches that are occurring and that many critical incidents may be going unreported and consumers may be unaware when their personal information could be compromised.’
ALRC and data breach notifications
The Australian Law Reform Commission in its 2008 report on privacy, For Your Information: Australian Privacy Law and Practice made 295 recommendations for reform in a range of areas including creating unified privacy principles and updating the credit reporting system and strengthening the powers of the Privacy Commissioner. The Government’s response to many of these recommendations was through the passage of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 due to commence in March 2014.
Of relevance to this Bill, the ALRC in its 2008 report also considered the topic of data breach notification and made a recommendation regarding the establishment of a mandatory notification scheme. The ALRC noted that, with advances in technology, entities were increasingly holding larger amounts of identifying information in electronic form, raising the risk that a breach of this information could result in another individual using the information for identity theft and identity fraud. A notification requirement on entities that suffer data breaches would allow individuals whose personal information had been compromised by the breach to take remedial steps to lessen the adverse impact that might arise from the breach. The ALRC recommended that the Privacy Act be amended to impose a mandatory obligation to notify the Privacy Commissioner and affected individuals in the event of a data breach that could give rise to a real risk of serious harm to affected individuals. Notification would be compulsory unless it would impact upon a law enforcement investigation or was determined by the regulator to be contrary to the public interest. Failure to notify would attract a civil penalty.
It is of note that at the time of its first stage response to the ALRC report, the Government decided not to implement this ALRC recommendation indicating that further consultation and discussion was necessary. The Attorney-General’s second reading speech on the Bill however, indicates that the Government now considers that legislation imposing mandatory data breach notification is long overdue. The Attorney-General cites a number of high profile data breaches that have confirmed this view including cases of data hacking at the ABC’s website and large scale breaches in recent years at Telstra, Medvet and Sony Playstation.
Government Discussion Paper on data breach notifications
In October 2012 the Government released a Discussion Paper (‘the discussion paper’) seeking public comments on whether Australia’s privacy laws should include a mandatory data breach notification requirement and if so, the possible elements of such a requirement. Using the ALRC recommendation as its basis, the discussion paper sought views on whether the existing voluntary reporting system was operating effectively.
That discussion paper and the subsequent consultations have formed the basis for the Bill as introduced into Parliament on 29 May 2013.
Committee consideration
On 18 June 2013, the Bill was referred to the Senate Legal and Constitutional Affairs Committee for inquiry and report by 24 June 2013. Submissions to the inquiry are due on 20 June.
Position of major interest groups
Business groups
To date, reaction to the Bill from business does not appear to be on the public record. However the Explanatory Memorandum notes that of the 62 submissions on the discussion paper, 27 submitters opposed a mandatory scheme on the grounds that the existing voluntary scheme is operating effectively, and that a mandatory scheme could bring additional compliance obligations. The Explanatory Memorandum states that this group comprised private sector industry groups and individual companies in the banking, telecommunications, retail and online industries, and two key government agencies.
The group of submitters supporting a mandatory scheme (24 submitters) included Commonwealth and State privacy/information commissioners, privacy and consumer advocates, academics, IT software and security companies, and some individuals.
At this point, it is worth noting that small businesses are generally not subject to the Privacy Act and therefore would also be exempt from the mandatory notification scheme proposed in the Bill. The Regulation Impact Statement attached to the Explanatory Memorandum explains the implications of this:
Around 94% of all private sector organisations are small business operators and therefore generally exempt from the Privacy Act. Certain obligations will apply to small businesses that, for example, trade in personal information, are health service providers, are tax file number recipients, operate residential tenancy databases, or simply voluntarily opt in.
Australian Privacy Commissioner
The Australian Privacy Commissioner, Timothy Pilgrim, has welcomed the introduction of this legislation, saying that:
All agencies and organisations must embed a culture that values and respects privacy. Mandatory data breach notification will go some way to achieving this. It will also complement other privacy law reforms due to commence in March 2014 that will require agencies and organisations to implement new practices, procedures and systems to ensure compliance with the Privacy Act. In my view, mandatory data breach notification will also lead to better public understanding of the scope and frequency of data breaches, and encourage greater privacy awareness.
Law Council of Australia
In its submission on the discussion paper, the Law Council notes that it had previously supported, in principle, a mandatory data breach notification scheme but now takes a different view:
The introduction of the amendments to the Privacy Act contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 [the amending Act] is likely to bring about a different privacy landscape and we suggest that the effectiveness and consequences (both intended and unintended) of those amendments should be experienced and properly considered before further amendments are made.
The Amending Act proposes more rigorous protection of personal information including significant pecuniary penalties for serious or repeated interference with the privacy of an individual. The Committee suggests that this in itself may be sufficient to achieve greater compliance by organisations.
Further, the Amending Act proposes to expand the functions and powers of the Privacy Commissioner, including increasing the Commissioner’s ability to resolve complaints, conduct investigations and promote compliance with privacy obligations. The Committee submits that such changes may sufficiently address the same issues that any mandatory data breach notification legislation would seek to resolve. In any event, it would be appropriate to wait and see how the new provisions work in practice before adding another layer of legislation. The Committee submits that already-stretched resources at the Office of the Australian Information Commissioner will be substantially affected by the expansion of the functions and powers of the Commissioner proposed under the Amending Act.
Any mandatory data breach notification scheme should therefore be considered in the context of the available resources at the OAIC and any subsequent limitations in its governance and policing of privacy obligations of organisations and agencies. If too great a burden is placed on the OAIC, it may be unable to effectively perform the functions conferred upon it by the Privacy Act.
Electronic Frontiers Australia
Electronic Frontiers Australia (EFA) has welcomed the introduction of the Bill stating:
This legislation is an important step in providing greater protection for Australians from the ever-increasing occurrence of breaches of private data from organisations of all sizes, as it will ensure individuals are given the opportunity to change passwords, cancel credit cards and take other actions to protect themselves once notified of a breach. It should also create a strong incentive for all organisations to make data security a core operational priority.
Australian Privacy Foundation
The Australian Privacy Foundation (APF) in a paper issued shortly before the release of the Bill lists what it considers should be contained in mandatory data breach legislation. Significantly, the APF’s list differs in some important respects from the Bill. For example the paper states:
Data breach notification obligations should not be limited to those organisations that are within the scope of the Privacy Act.[…]. There is no justification for exempting from these provisions such organisations as small business enterprises, political parties, media organisations, and national security and law enforcement agencies. Nor is there any justification for exempting records that are exempt from the Privacy Act, such as data relating to employees.
[…]
APF’s view is that the potential harm which can trigger data breach notification requirements, and the harm which is compensable, should clearly be of the widest possible ambit, and it should be clear that it is not limited to any specified categories such as harm to reputation, economic harm and financial harm. For example, the following need to be included:
• serious inconvenience without financial or economic harm occurring;
• onerous effort needed to right a wrong;
• unreasonable denial of a loan;
• emotional distress, and psychological harm.
[…]
The APF’s view is that the trigger for notification must not be set at too high a risk of harm, and that risk of harm should not be the only trigger for notification (at least to the OAIC). Aggregation of terms limiting the nature of the harm that triggers notification increases the risk that organizations will argue that one or other aggregated term does not apply to them. For example, a phrase such as “real risk of serious harm” is a very high threshold, because of the combination of ‘real’ (i.e. ‘not remote’) risk, ‘serious’ harm (with no clear notion of seriousness) and ‘harm’ which may be given a limited definition […].
In addition, a second trigger is necessary. Any significant breach should be subject to notification in any case. If that were not the case, then a significant insecurity would not become apparent, and would not be addressed, and it would be very likely that it would later give rise to a serious breach that was eminently avoidable. A single threshold test would result in a scheme which was a failure.
APF’s policy is that a Bill should be based on either of two conditions being satisfied:
(a) a real risk of harm without qualifications such as ‘serious’; OR
(b) a significant breach, whether or not real risk of harm has arisen.
Financial implications
The Explanatory Memorandum states that the Bill will have no significant impact on Commonwealth expenditure or revenue.
Policy position of non-government parties
The Bill was supported by the Coalition in the House of Representatives, although in debate on the Bill in the Federation Chamber, the Opposition speaker, Mr Michael Keenan, indicated that while the Coalition supports the passage of the Bill through the House, it reserves ‘the right to move amendments following any recommendations made by the Senate Legal and Constitutional Affairs Committee which will inquire into the Bill in a thorough manner.’
To date, the Australian Greens view of the Bill is not known.
Statement of Compatibility with Human Rights
As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.
Key issues and provisions
Item 4 of Schedule 1 to the Bill inserts a new Part IIIC, titled ‘Data breach notification’, into the Privacy Act.
Serious data breaches
Division 1 of new Part IIIC sets out the various types of ‘serious data breaches’ to do with:
• personal information held by APP entities (proposed section 26X)
• credit reporting information held by credit reporting bodies (proposed section 26Y)
• credit eligibility information held by credit providers (proposed section 26Z) and
• tax file number information held by recipients of such information (proposed section 26ZA).
The Digest describes only the first of these four categories which would encompass data breaches by government agencies and private sector organisations. The regulation of these entities is the main focus of the Privacy Act. For a description of the latter three categories (to do with credit and tax file information), the reader is referred to the Explanatory Memorandum.
Serious data breaches—APP entities
Proposed section 26X sets out the circumstances in which access to, or disclosure of, personal information will be a serious data breach where the personal information is held by an APP entity. ‘APP entity’ is defined in subsection 6(1) of the Privacy Act and includes Commonwealth Government agencies and private sector organisations regulated by the Privacy Act.
Proposed subsection 26X(1) provides that unauthorised access to, or unauthorised disclosure of, personal information will be a serious data breach if an APP entity holds personal information relating to one or more individuals, is required under section 15 of the Privacy Act to comply with Australian Privacy Principle 11.1, and either:
• the access or disclosure will result in a ‘real risk’ of ‘serious harm’ to any of the individuals to whom the personal information relates (proposed subparagraph 26X(1)(d)(i)) or
• any of the personal information is of a kind specified in the regulations (proposed subparagraph 26X(1)(d)(ii)).
In this context, ‘serious harm’ includes but is not limited to harm to reputation and economic or financial harm (proposed section 26ZE). The risk of harm must be real (that is, not remote) for it to give rise to a serious data breach (proposed section 26ZF).
As noted above, the threshold of ‘real risk of serious harm’ was part of the ALRC recommendation. The Explanatory Memorandum justifies this relatively high threshold stating:
In order not to impose an unreasonable compliance burden on APP entities and to avoid the risk of ‘notification fatigue’ among individuals receiving a large number of notifications in relation to non-serious breaches, it is not intended that every data breach be subject to a notification requirement.
The Government’s rationale in providing that regulations may specify particular situations that qualify as serious data breaches is:
… intended to provide the flexibility to deal with data breaches that may not reach the threshold of a real risk of serious harm but should nevertheless be subject to notification. These could include the release of particularly sensitive information such as health records which may not cause serious harm in every circumstance but should be subject to the highest level of privacy protection.
Proposed subsection 26X(2) establishes the circumstances that will constitute a ‘serious data breach’ when personal information is lost in a situation that may result in that personal information being subject to unauthorised access or unauthorised disclosure. The provision is drafted in similar terms to proposed subsection 26X(1) described above and contains the same threshold of a ‘real risk of serious harm’.
Proposed subsection 26X(3) establishes the circumstances under which an APP entity will retain accountability for a ‘serious data breach’ involving personal information even though that APP entity might not be otherwise responsible for the breach due to the fact that the information has been disclosed to an overseas recipient. The Explanatory Memorandum provides a further description.
Notification of serious data breaches
Division 2 of Part IIIC contains obligations for entities to notify a serious data breach, subject to limited exceptions.
Proposed section 26ZB sets out the circumstances in which an entity must provide notification of a serious data breach and to whom notification must be given.
Proposed subsection 26ZB(1) states that an entity is required to provide notification to the Commissioner and affected individuals as soon as practicable after the entity believes on reasonable grounds that there has been a serious data breach of the entity in relation to either personal information, credit reporting information, credit eligibility information or tax file number information. The notice must include:
• the identity and contact details of the entity
• a description of the serious data breach
• the kinds of information concerned
• recommendations about the steps that individuals should take in response to the serious data breach and
• any other information specified in the regulations (proposed subsection 26ZB(2)).
In providing information to affected individuals the entity must take such steps as are reasonable in the circumstances to notify the affected individual unless there are ‘general publication conditions’ in place. In cases where ‘general publication conditions’ are met, communication is to be through the entity’s website or via general advertisements in each state newspaper. ‘General publication conditions’ will be set out in the regulations (proposed subsection 26ZB(12)) and will describe circumstances where it is impossible or impracticable to provide a notification to each affected individual.
There are exceptions to these notification obligations which include:
• exceptions for law enforcement bodies in cases where compliance with a notification requirement would be likely to prejudice law enforcement activities (proposed subsection 26ZB(4))
• exceptions by the Commissioner (either in response to an application from an entity or on the Commissioner’s own initiative (proposed subsections 26ZB(5) and 26ZB(7)). These exemptions would apply in cases where the Commissioner is satisfied that it is in the public interest to make an exception (proposed subsection 26ZB(6)). A refusal by the Commissioner to grant an exception must be in writing (proposed subsection 26ZB(8)) and is reviewable by the Administrative Appeals Tribunal (item 5 of Schedule 1 of the Bill, proposed paragraph 96(1)(ba)) and
• exceptions where a notification would be inconsistent with secrecy provisions in other Commonwealth laws (proposed subsection 26ZB(10)).
Proposed section 26ZC provides the Commissioner with the power to issue a written direction to an entity to provide notification of a serious data breach. The information to be provided to the Commissioner and affected individuals will be the same as if the entity had initiated the notification itself and methods of communication will also be the same.
There are also exceptions: for example, a law enforcement body that reasonably believes that compliance with the Commissioner’s direction would be likely to prejudice law enforcement activities would be exempt from complying with the direction (proposed subsection 26ZC(5)). The exception will apply in relation to notification to the affected individuals, not in relation to notification to the Commissioner.
The Explanatory Memorandum states that section 26ZC Commissioner directions could be needed in circumstances ‘such as where a serious data breach comes to the attention of the Commissioner but has not come to the attention of an entity’.
Failure to comply with the notification obligations in proposed sections 26ZB and 26ZC would be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act (item 3 of Schedule 1, proposed subsection 13(4A)). The effect of this amendment would be to engage the Commissioner’s existing powers and those that will commence in March 2014 to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act. The Explanatory Memorandum states this includes:
… the capacity to initiate own motion investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.
Concluding comments
The Bill has bipartisan support in the Parliament and should be welcomed by privacy and consumer advocates. It has been described by the Attorney-General as long overdue and it implements a recommendation of the ALRC dating back to 2008.
It is a significant Bill. In terms of consumer privacy protection, it will help keep Australians’ personal information more secure in the digital age. Perhaps of equal importance, it is likely to have the secondary effect of encouraging agencies and private sector organisations to improve their data security practices.
That said, the Bill does have more limited application than might initially be thought. Due to current exemptions in the Privacy Act, mandatory notification of serious data breaches will not apply to organisations such as many small business enterprises, political parties, media organisations and national security agencies.
A final comment concerns the timing of introduction of this Bill to the Parliament. Given it implements an ALRC recommendation dating back to 2008, it might have been preferable to include these amendments in the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 introduced in May 2012. That Bill was before the Parliament for approximately six months and was scrutinised by several parliamentary committees. This Bill, which is significant in its impact, will be before the Parliament for less than a month with minimal opportunity for parliamentary committee scrutiny. Another alternative might have been to follow the Law Council’s suggestion and wait and see the effect of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 before adding another layer of legislation.