Privacy Commissioner issues a response to the Mandatory Data Breach Notification legislation

February 14, 2017 |

The Privacy Commissioner has issued a statement regarding the passage of the Mandatory Data breach notification Bill.  The Privacy Commissioner has a defined and critical role in the regulation.  And as the statement makes clear there has been work on Data breach notification even where there was no compulsion to notify.

The problem is that the Privacy Commissioner focuses on education to the exclusion of enforcement.  It has been a passive and ineffective regulatory model.  The statement provides:

I welcome the passage of the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which establishes a mandatory data breach notification scheme in Australia.

I look forward to working with government, business and consumer groups during transition to this new scheme; which will help protect the privacy rights of individuals, and strengthen community trust in businesses and agencies.

This amendment will require government agencies and businesses covered by the Privacy Act to notify any individuals affected by a data breach that is likely to result in serious harm. My office will be advised of these breaches, and can determine if further action is required.  The law also gives me the ability to direct an agency or business to notify individuals about a serious data breach.

The new scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that the public and private sectors respond to serious data breaches. It will also give individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.

My office will be working closely with agencies and businesses to help prepare for the scheme’s commencement. This will include providing additional guidance over the next 12 months, and events hosted through the OAIC’s Privacy Professionals Network.

In the meantime, agencies and businesses should continue to take reasonable steps to make sure personal information is held securely – including being equipped with a clear response plan in the event of a data breach.

The OAIC’s Data breach notification — a guide to handling personal information security and Guide to developing a data breach response plan provide a best practice model, and will be updated in consultation with stakeholders ahead of the commencement of the mandatory notification scheme. The OAIC also has a comprehensive Guide to securing personal information.

The coverage has not been extensive,  Itnews covered the history and the impact of the law in Australia finally has mandatory data breach notification which provides:

Australia will have a mandatory data breach notification scheme in place within the year after several aborted attempts, following the passage of legislation through the senate today.

The Labor and Liberal parties today united to pass the government’s Privacy Amendment (Notifiable Data Breaches) Bill 2016 into law. Learn what the rules mean for your organisation.

The passage came despite a last-ditch attempt by the Greens to make changes to the bill that would shorten the period in which an organisation must notify of a breach down from 30 days to three.

The party also attempted in vain to capture political parties and businesses with less than $3m turnover under the legislation.

The scheme applies only to government agencies and organisations governed by the Privacy Act, meaning state government organisations and local councils, plus organisations with a turnover less than $3 million a year, fall outside the legislation.

The bill now needs only royal assent – a formality – before it becomes law.

The Liberal government had pledged to have a mandatory data breach notification scheme up and running before the end of 2015, but missed its own deadline to get the bill into parliament.

It debuted the Privacy Amendment (Notifiable Data Breaches) Bill 2016 last October.

The bill edited the language of a draft published the year prior slightly to bend to industry calls to remove the requirement for notification if an organisation “ought to have been aware” a breach had occurred.

The newly-passed law means organisations that determine they have been breached or have lost data will need to report the incident to the Privacy Commissioner and notify affected customers as soon as they become aware of a breach.

The notification must include a description of the data breach, the kind of information involved, and how customers should respond to the security incident.

Those that fail to notify face penalties including fines of $360,000 for individuals and $1.8 million for organisations.

The legislation considers a serious breach to have occured when there is unauthorised access to, disclosure or loss of customer information held by an entity, which generates a real risk of serious harm to individuals involved.

Such information includes personal details, credit reporting information, credit eligibility information, and tax file number information.

Organisations can take certain actions that mean a suspected data breach will not be considered one under the law.

The bill gives the example of when an entity becomes aware that it has “mistakenly emailed the information of one individual to another individual, asks the second individual to delete the information without using or disclosing it, and is confident that the second individual has complied with that request”.

It also uses the examples of when a lost or stolen device has been remotely wiped before its content can be accessed, or when a device is left in a taxi and the individual can be certain the driver did not access the device.

The scheme will come into operation at an as-yet unannounced date within the next 12 months.

Years of effort

The passage of the bill marks the end to three years of effort by both sides of parliament to get a data breach notification scheme in operation.

The government’s newly-passed bill is almost identical to the Privacy Alerts bill introduced by Labor in 2013 and again in 2015.

The Coalition government refused to support the Labor bill at the time because of concerns about a lack of definition around terms like “serious breach” and “serious harm”.

The Liberals’ own data breach legislation came as a result of recommendations made last year by the parliamentary joint committee tasked with reviewing the government’s data retention bill.

Itnews has also published a quick breakdown on how the Act will operate (not legal advice) which provides:

The Australian senate yesterday passed new laws that will require businesses and government agencies to notify the Privacy Commissioner and customers if they have experienced a data breach.

It brought an end to five years of uncertainty as both sides of politics made attempts to get a mandatory data breach notification scheme up and running.

But what does the Privacy Amendment (Notifiable Data Breaches) Bill 2016 mean for your business, and what constitutes a breach? 

When does the scheme start?

The government will designate a specific start date for the scheme to begin operation at some point in the near future.

The legislation gives the government a year to pick a date, otherwise the law will kick in 12 months from when it receives royal assent from the governor-general (a final formality expected within the next few weeks).

What do I have to do?

Entities must notify the Privacy Commissioner and affected customers “as soon as practicable” after becoming aware that a data breach has occured.

In cases where an organisation suspects a data breach has occured, it must undertake an assessment into the circumstances within 30 days to ascertain whether or not it has actually occured, and therefore whether it needs to notify.

Who do the laws apply to?

The legislation covers government agencies and organisations governed by the Privacy Act.

It means state government organisations and local councils, plus organisations with a turnover less than $3 million a year, do not need to comply with the legislation.

Similarly, if notifying customers will prejudice law enforcement activities, police and intelligence agencies need not comply.

If an organisation has taken remedial action after a breach that means it’s unlikely the incident will result in serious harm to affected individuals, it also won’t be required to report the incident.

For example, the legislation offers a notification reprieve if an individual agrees to delete information that has been mistakenly emailed to them by someone else, or if a stolen or lost device can be remotely wiped before it is accessed.

How do I know if a breach is serious enough to report? 

The legislation considers a data breach to have occured when there has been “unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure”.

It includes things like malicious breaches of secure storage and information handling (i.e. a hack); accidential loss of, for example, a hard drive or soft-copy documents; and negligent and improper disclosure of information.

Information considered to be “personal” covers identifying details, credit reporting information, credit eligibility information, and tax file number information.

A data breach is considered eligible under the mandatory reporting requirements when a “reasonable person” would conclude there is “a likely risk of serious harm” to those affected by the breach.

This harm threshold covers “serious” physical, psychological, emotional, economic, and financial harm, as well as serious harm to reputation.

A “reasonable person” would need to be satisfied that the risk of serious harm occuring is more likely than not. Just being upset that your data has been disclosed or accessed without authorisation is not enough to force a company to notify.

What happens if one of my partners accidentally exposes my data?

The Australian Red Cross Blood Service unwittingly claimed the crown for the country’s biggest ever data breach when its website partner Precedent accidentally exposed 1.28 million of the blood service’s records online.

Outsourcing arrangements like these are a dime a dozen, so what does it mean if your IT partner makes a bungle that sees your data exposed?

The legislation says that if more than one entity holds the same personal records, a breach at one could constitute a breach at the other.

But it also considers that both organisations have complied with their reporting obligations if only one notifies. The organisations are allowed to decide amongst themselves which will do the reporting.

What do I need to put in the notification, and how do I tell my customers?

A notification to the Privacy Commissioner and affected individuals needs to include the company’s name and contact details, a description of the breach, the kinds of information involved, and recommended actions those affected should take to protect themselves.

An organisation can notify customers via the normal methods they use to communicate with them. This approach is suggested so customers don’t dismiss the notification as a scam.

The legislation requires a company to take “reasonable steps” to inform customers of the breach, such as through email, phone, or post.

Organisations have discretion to notify their entire customer base, or just those they deem to be at risk as a result of the breach.

If an organisation can’t notify customers, it can publish a notification to its website.

What happens if I don’t notify?

In short, a failure to comply with notification rules can incur fines of up to $360,000 for individuals and $1.8 million for organisations.

Initially the Privacy Commissioner can issue a written direction requiring an organisation to notify of the breach if they discover it has occured.

From there, penalties for non-compliance start from less severe sanctions like public apologies and compensation payments, up to the aforementioned civil penalties, which kick in when the Privacy Commissioner considers there to have been “serious or repeated non-compliance”.

One Response to “Privacy Commissioner issues a response to the Mandatory Data Breach Notification legislation”

  1. Privacy Commissioner issues a response to the Mandatory Data Breach Notification legislation | Australian Law Blogs

    […] Privacy Commissioner issues a response to the Mandatory Data Breach Notification legislation […]

Leave a Reply