Senate Standing Committees on Legal and Constitutional Affairs endorses the Privacy Amendment (Privacy Alerts) Bill 2013

June 25, 2013

The Senate Standing Committees on Legal and Constitutional Affairs has reported on the Privacy Amendment (Privacy Alerts) Bill 2013. The Committee endorsed the Bill.

The report relevantly provides (absent footnotes, introduction and appendices):

RECOMMENDATION
Recommendation 1
2.30 The committee recommends that the Senate pass the Bill.

CHAPTER 1
INTRODUCTION
1.1 On 29 May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 (Bill) was introduced into the House of Representatives by the Attorney-General, the Hon. Mark Dreyfus QC MP. On 17 June 2013, the Bill was introduced into the Senate and was referred on 18 June 2013 to the Legal and Constitutional Affairs Legislation Committee (committee) for inquiry and report by 24 June 2013.
Background to the Bill
1.2 In his second reading speech, the Attorney-General described the Bill as ‘the next key step in the government’s major reform of Australia’s privacy laws’ and a ‘long overdue measure’ recommended by the Australian Law Reform Commission (ALRC) in its 2008 report, For Your Information: Australian Privacy Law and Practice.
That recommendation reads:
Recommendation 51-1 The Privacy Act should be amended to include a new Part on data breach notification, to provide as follows:
(a) An agency or organisation is required to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.
(b) The definition of ‘specified personal information’ should include both personal information and sensitive personal information, such as information that combines a person’s name and address with a unique identifier, such as a Medicare or account number.
(c) In determining whether the acquisition may give rise to a real risk of serious harm to any affected individual, the following factors should be taken into account:
(i) whether the personal information was encrypted adequately; and
(ii) whether the personal information was acquired in good faith by an employee or agent of the agency or organisation where the agency or organisation was otherwise acting for a purpose permitted by the Privacy Act (provided that the personal information is not used or subject to further unauthorised disclosure).
(d) An agency or organisation is not required to notify an affected individual where the Privacy Commissioner considers that notification would not be in the public interest or in the interests of the affected individual.
(e) Failure to notify the Privacy Commissioner of a data breach as required by the Act may attract a civil penalty.
Purpose of the Bill
1.3 The Bill seeks to amend the Privacy Act 1988 (Cth) (Privacy Act), as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), to introduce mandatory data breach notification provisions for Commonwealth government agencies and certain private sector organisations (defined as ‘APP entities’ in the Privacy Act).
1.4 The Explanatory Memorandum (EM) explains that a mandatory data breach notification is a legal requirement to notify affected persons and the relevant regulator, in this case the Australian Information Commissioner (Commissioner), when certain types of personal information are accessed, obtained, used, disclosed, copied, or modified by unauthorised persons.
1.5 The Attorney-General summarised the Bill’s intended effect:
It will introduce a new consumer privacy protection for Australians that will keep their personal information more secure in the digital age. It will also encourage agencies and private sector organisations to improve their data security practices.
Structure and key provisions of the Bill
1.6 The Bill will amend the Privacy Act by inserting new Part IIIC – Data breach notification into the Act (item 4 of Schedule 1). The new Part IIIC contains the substantive elements of the proposed mandatory data breach notification provisions, which are set out in two Divisions:

• Division 1 – Serious data breach sets out the circumstances in which APP entities, credit reporting bodies, credit providers and file number recipients will have committed a ‘serious data breach’; and
• Division 2 – Notifying serious data breaches sets out the circumstances in which an entity must notify a ‘serious data breach’ and to whom notice must be given, subject to limited exceptions.
1.7 The Bill also provides that an entity which fails to comply with its notification obligations will have interfered with the privacy of an individual (item 3 of Schedule 1).
Conduct of the inquiry
1.8 Details of the inquiry, including links to the Bill and associated documents, were placed on the committee’s website at www.aph.gov.au/senate_legalcon. The committee also wrote to 44 organisations and individuals, inviting submissions by 20 June 2013.
1.9 The committee received 21 submissions, which are listed at Appendix 1. All submissions were published on the committee’s website. The committee thanks those organisations and individuals who made submissions. No public hearings were held for the inquiry.

CHAPTER 2
KEY ISSUES
2.1 Some submissions strongly supported the introduction of mandatory data breach notification provisions for Commonwealth government agencies and certain private sector organisations, including the Australian Law Reform Commission (ALRC) and the Office of the Australian Information Commissioner (OAIC).
Submissions also highlighted key concerns, including:
• meaning of the phrase ‘real risk of serious harm’ within the definition of ‘serious data breach’;
• application of the steps set out in the mandatory notification provisions; and
• inclusion and breadth of exceptions to the mandatory notification provisions.
‘Real risk of serious harm’
2.2 Proposed new sections 26X-ZA of the Privacy Act 1988 (Cth) (Privacy Act) establish the circumstances in which APP entities, credit reporting bodies, credit providers and file number recipients will have committed a ‘serious data breach’. One of the conditions is that the breach will result in a real risk of serious harm to any of the individuals to whom the information relates.
2.3 Some submissions questioned the meaning of the phrase ‘real risk of serious harm’ or its various elements (such as ‘serious harm’ and ‘real risk’), with submitters suggesting ways in which this ambiguity could be ameliorated or rectified.
2.4 The Australian Bankers’ Association (ABA) submitted that the meaning of the criterion will be unclear in an entity’s operational environment: ‘the issue for entities is going to be determining what to report and what not to report’. The ABA suggested that, if the Bill is enacted, ‘it is critical for the [Australian Information Commissioner (Commissioner)] to be required to develop guidelines for industry on this matter’.
2.5 The Office of the Victorian Privacy Commissioner (Victorian Privacy Commissioner) acknowledged that the Commissioner could be granted legal authority to provide guidance on issues of definition but ‘any OAIC guidance will be merely persuasive’. The Victorian Privacy Commissioner suggested:
Ultimately, the best way to determine the trigger for notification is not through abstract legislative definitions (irrespective of whether such definitions are exclusive or inclusive) but by the [Commissioner] developing binding guidelines to flesh out these terms and providing the Commissioner with an ability to amend those guidelines as circumstances, harms and risks evolve.
2.6 The Communications Alliance submitted that there should be a ‘threshold test that industry can use to determine whether ‘serious harm’ could or would be caused’. Its submission warned that, in the absence of a definition of ‘serious harm’, there is a possibility of entities inadvertently undermining the objectives of the Bill:
[I]n the absence of a definition of ‘serious harm’, it is possible that the legislation will cause an organisation to take a risk-averse position in order to avoid breaching such an obligation. This could, potentially, result in over-reporting of relatively minor data-related errors.
2.7 Alternatively, the Australian Privacy Foundation (APF) did not support the ‘real risk of serious harm’ threshold, whether or not it was clarified by the Commissioner or in the Bill. In the APF’s view, the threshold should not be set at too high a risk of harm, and risk of harm should not be the only trigger for notification (at least to the Commissioner):
Aggregation of terms limiting the nature of the harm that triggers notification increases the risk that organizations will argue that one or other aggregated term does not apply to them. For example, a phrase such as “real risk of serious harm” is a very high threshold, because of the combination of ‘real’ (i.e. ‘not remote’) risk, ‘serious’ harm (with no clear notion of seriousness) and ‘harm’ which may be given a limited definition… In addition, a second trigger is necessary. Any significant breach should be subject to notification in any case. If that were not the case, then a significant insecurity would not become apparent, and would not be addressed, and it would be very likely that it would later give rise to a serious breach that was eminently avoidable. A single threshold test would result in a scheme which was a failure.
Government response
2.8 The Explanatory Memorandum (EM) explicitly states that the definition of ‘serious data breach’, including the element of a ‘real risk of serious harm’, is intended to capture only those breaches which are significant enough to warrant notification:
This will ensure the Government does not create or impose an unreasonable compliance burden on entities regulated by the scheme, and [will] avoid the risk of ‘notification fatigue’ among individuals receiving a large number of notifications in relation to non-serious breaches.
2.9 In particular, the EM notes that a ‘real risk of serious harm to the individual to whom the information relates…is the standard recommended by the ALRC’ (Recommendation 51-1(a)), and is incorporated into the Commissioner’s voluntary data breach guidelines, Data Breach Notification: A guide to handling personal information security breaches (OAIC guide). The Attorney-General’s Department (Department) submitted:
[The proposed standard] is therefore a commonly understood concept amongst agencies and organisations that have sought to comply with the OAIC guide.
2.10 The Department explained further that the proposed concept of ‘serious harm’ is also based on the OAIC guide. In addition to that term being well understood, the Department emphasised the flexibility of the OAIC guide to adapt to specific contexts and to evolve over time:
Accordingly, rather than seek to prescribe a definition in legislation, it is preferable that the OAIC develop guidance about the particular circumstances and factors that might be relevant to the question of harm. This is a common approach taken in privacy regulation, which is more principles-based in nature. It is intended that a revised OAIC guide will continue to provide guidance on the factors that entities should consider when assessing whether the harm is ‘serious’.
2.11 In this context, the OAIC advised that, if the Bill proceeds, ‘the OAIC will prioritise the amendment of the [OAIC guide] to address and provide clarity on the operation of the new mandatory notification requirements’.
Mandatory notification provisions
2.12 Proposed new section 26ZB of the Privacy Act requires an entity to undertake three specific actions, as soon as practicable, after forming a reasonable belief that a ‘serious data breach’ has occurred:
• preparation of a detailed statement concerning the breach;
• provision of a copy statement to the Commissioner; and
• notification:
  • by taking such steps as are reasonable in the circumstances to notify the contents of the statement to each ‘significantly affected’ individual; and
  • by publishing a copy of the statement on the entity’s website (if any) and in at least one newspaper circulating generally in each state/territory, if prescribed ‘general publication conditions’ are satisfied (collectively, the notification requirement).
2.13 Liberty Victoria welcomed the proposed mandatory notification provisions, submitting that the proposed process reflects similar processes in environmental protection legislation, as well as providing ‘a beneficial remedy [and] deterrent to lax procedures for organisations and entities upon whom the requirement is imposed’.
2.14 The Communications Alliance argued however that the specific actions outlined in proposed new section 26ZB are contrary to good business practice, as reflected in the OAIC guide:
[G]ood business practice would be to (a) contain the breach and do an assessment; (b) evaluate the risks; and then, if necessary, notify those affected by the breach. It is concerning that the Bill places more emphasis on notifying – and potentially confusing or alarming customers – than containing the breach, rectifying the issue and preventing its reoccurrence.
2.15 The ABA referred to proposed new subsection 26ZB(12), which provides for regulations to declare that one or more specified conditions are ‘general publication conditions’ for the purposes of the section. The ABA expressed concern regarding the uncertain scope of the ‘general publication conditions’ notification model:
There is a critical element of the notification model in the Bill that is missing because it is unclear what “general publication conditions” will mean if these conditions are satisfied. Without this definition, the real impact of the Bill cannot be assessed because the meaning of this expression will be covered by a regulation-making power in the Bill. Regulations dealing with this aspect have not been provided with the Bill.
Government response
2.16 The Department submitted that there are a range of factors which might be relevant to ‘general publication conditions’, such as the type of entity involved or the location of the affected individuals:
The making of regulations would enable more flexibility in allowing these matters of detail to be changed as notification processes develop into the future.
For example, the regulations could provide that the ‘general publication conditions’ are met:
• where particular individuals do not have readily available contact details, or
• where online and newspaper publication methods may reach a larger number of affected individuals in a more timely manner.
2.17 The Department assured the committee that the development of privacy regulations would be conducted in close consultation with relevant stakeholders, including interest groups. The Department noted also that any regulations made would be subject to disallowance by the parliament as disallowable instruments.
2.18 In response to concerns regarding the order of the actions set out in proposed new section 26ZB, the Department contended that the Bill will not depart from the approach adopted in the OAIC guide:
The OAIC guide contains numbered steps to take in response to a data breach, but notes that particular steps may be taken simultaneously or in quick succession. Further, the OAIC guide states that immediate notification should be the first step if appropriate. Therefore, the Bill does not have the effect of prioritising notification over other remedial action. The new notification requirement is completely consistent with the existing OAIC guide, and will complement existing legislative requirements that must be complied with in responding to a data breach.
Exceptions to the mandatory notification provisions
2.19 Proposed new section 26ZB of the Privacy Act wholly or partially exempts some entities from the measures proposed in the Bill. For example, the Commissioner will be empowered to issue a written notice of exemption on public interest grounds, on the application of an entity or on the Commissioner’s own initiative. This exemption would apply to the totality of the notification requirements set out in proposed new section 26ZB.
Opposition to the proposed measure
2.20 Some submissions expressed concern with the proposed exceptions to the mandatory notification provisions, arguing that the provisions should be narrower, if they are to be legislated at all, and be subject to a greater degree of accountability and transparency.
2.21 Liberty Victoria, for example, submitted that a ‘large part of the Bill is dedicated to exceptions’, the breadth of which Liberty Victoria opposed. In relation to the proposed public interest exemption, Liberty Victoria argued:
[T]his exemption should be limited to subsections (1)(g) & (h) [the notification requirement] and not provision of the statement to the Commissioner…[I]t might be preferable to allow certain classes of matter to be referred to the Commissioner by enforcement bodies seeking a recommendation as to disclosure or non-disclosure or exemption under the new part, rather than the enforcement body clothing itself with total immunity and exercising their own broad exemption for all classes of data breach for all time.
2.22 The APF argued that the mandatory notification provisions should apply to all organisations and all personal information that are ‘reasonably within reach of Commonwealth jurisdiction’. Its views in regard to exemptions were consistent with those of the Cyberspace Law and Policy Centre, which submitted:
Exceptions, if they are permitted, should be limited to named entities not classes, require full justification and verification, be limited in duration to the minimum time necessary, not allow failure to inform the regulator, and otherwise be as limited as possible…Similarly, the OAIC’s operation of the scheme should not be subject to discretionary variation or exceptions; where discretions exist they should be defined, and transparently reported. This Bill should not set up a scheme where there is an endless queue to the Commissioner’s door for secret exemptions, which would undermine the purpose of the Bill, and the basis of public trust and confidence that they will be able to find out if there is a breach; this would be both a waste of the Commissioner’s time, which is better spent pursuing breaches and complaints, and undermines the expectation of compliance.
2.23 Mr Bruce Arnold, a lecturer in privacy, secrecy and data protection law at the University of Canberra, also did not support endowing the Commissioner with discretionary power to grant exemptions to the mandatory notification requirement:
Supervision by the [Commissioner] of mandatory breach reporting should not be fundamentally weakened through scope for discretionary exceptions. For the purposes of public administration we should reduce the subjectivity that results in ‘closed door’ deal-making – and requests for deals. Consistency and transparency will reinforce the credibility of the [OAIC], which has been eroded by perceptions that the organisation is either very permissive or naïve[.]
Government response
2.24 In determining whether an exemption notice will be issued on the grounds of public interest, the EM indicates that guidance on the relevant factors will be developed by the Commissioner and be made available to stakeholders:
In that respect, the ALRC commented that [provisions such as those establishing the discretionary exemption power on public interest grounds] could cover situations, for example, where there is a law enforcement investigation being undertaken into a data breach…and notification would impede that investigation, or where the information concerned matters of national security. This provision is intended to cover cases of that nature (where these activities, or the information concerned, are not already exempt from the scheme), particularly where a private sector organisation suffers the data breach and is responsible for reporting. In those situations, a Commonwealth agency or private sector organisation would have grounds to seek this exemption on advice from an enforcement body or intelligence agency.
Committee view
2.25 The committee supports enhanced privacy protection for individuals whose personal information has been accessed by, or disclosed to, a third party as the result of a ‘serious data breach’. The committee notes the Commissioner’s evidence that data breaches are under-reported and on the increase within Australia.
2.26 The measures proposed in the Bill are supported by the ALRC, which specifically recommended such a reform to help resolve the situation of individuals being adversely affected by the compromise of their personal information.
The Commissioner has also expressed unconditional support for the Bill, as did consumer advocates who participated in the inquiry. The committee agrees that the proposed reform is ‘long overdue’ and would benefit Australian consumers, as well as industry stakeholders, who would be simultaneously encouraged to effect and maintain high-quality data security practices.
2.27 A public consultation paper was released by the Department in October 2012, seeking the community’s view on whether a mandatory data breach notification law should be introduced in Australia and, if so, how the law should be framed. This was followed by a confidential targeted consultation in respect of a more detailed legislative model in April 2013. The committee considers that stakeholders have been afforded ample opportunity to comment on the proposals in the Bill, noting that the matters under consideration were first raised in 2008 by the ALRC.
2.28 The trigger for mandatory notification concerned several submitters. While the committee acknowledges these concerns, the Department pointed out that this threshold has been implemented in the voluntary data breach guidelines since 2008, when the ALRC recommended the standard. The committee therefore accepts the Department’s view that the threshold is familiar to stakeholders, and agrees that it is preferable for the Commissioner to continue to issue guidance on the meaning of a ‘real risk of serious harm’, as circumstances require. In this context, the committee notes that the Commissioner is already considering amendments to the OAIC guide, to account for the changes to be introduced by the Bill.
2.29 Accordingly, the committee concludes that the Bill should be passed.
Recommendation 1
2.30 The committee recommends that the Senate pass the Bill.
Senator Trish Crossin
Chair

ADDITIONAL COMMENTS BY
COALITION SENATORS
1.1 Coalition senators are, like a number of submitters to this inquiry, concerned with the lack of due process and time for scrutiny afforded to this bill through the committee.
1.2 Coalition senators understand that the number and depth of analysis of submissions to this inquiry has been hampered by the restrictive timeframe. No explanation has been forthcoming from the government as to the reason for this extraordinarily foreshortened process.
1.3 Given the importance of the nature of this matter, and the extensive criticisms which were levelled at the primary privacy legislation when it was examined by the committee last year, it is most unfortunate that thorough and detailed scrutiny should not have been afforded to this bill.
1.4 In its submission, the Cyberspace Law and Policy Centre of the University of New South Wales, Faculty of Law highlighted that it had “around 10 working hours in which to collaborate on, draft and finalise a submission”[.]
1.5 The Australian Privacy Foundation too expressed this concern, citing a:
…seriously negative impact on the democratic process that is inherent in the provision by the Parliament of 1-1/2 working days, during which civil society organisations are expected to discuss, draft and finalise [a] Submission to your Committee.
1.6 The Coalition has on a number of occasions highlighted consultation, or lack thereof, as a point of concern when dealing with bills through Senate committees. On this occasion, that concern is self-evident through the limited time available for submissions.
1.7 Coalition senators note the concerns expressed by a number of submitters regarding the lack of definition of the terms ‘serious breach’ or ‘serious harm’ in the legislation. We note also concerns expressed about ‘regulatory overload’ being experienced by industry as it digests both the new privacy regime and this latest tranche of significant enhancements to that regime. In the absence of public hearings of the committee and the receipt of live testimony, it is difficult to know what weight to place on these concerns.
1.8 Coalition senators believe that the concerns of key stakeholders should not lightly be set aside, where they are afforded an opportunity to be consulted. Coalition senators believe the concerns raised by those stakeholders should be better scrutinised, understood and acted upon by the relevant government agencies as this new privacy regime is rolled out.