Privacy Commissioner issues Draft guidelines and resources on Notifiable Data breaches
June 5, 2017
Australia’s mandatory data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017, takes effect on 22 February next year. It has been a long time coming.
Last Friday the Privacy Commissioner released exposure draft resources, whatever that means, for business and agencies on their obligations under the Act. They are open for comment until 14 July 2017, Bastille Day (hopefully that symbolises nothing).
The broad overview provides:
What is the Notifiable Data Breaches scheme?
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches (NDB) scheme in Australia.
The NDB scheme requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify any individuals likely to be at risk of serious harm by a data breach.
This notice must include recommendations about the steps that individuals should take in response to the data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.
Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.
What is a Notifiable Data Breach?
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.
Examples of a data breach include when:
- a device containing customers’ personal information is lost or stolen
- a database containing personal information is hacked
- personal information is mistakenly provided to the wrong person.
Why is the NDB scheme important?
The NDB scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that organisations respond to serious data breaches.
This in turn supports consumer and community confidence that personal information is being respected and protected.
It also gives individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.
When does it take effect?
The NDB scheme will commence on 22 February 2018.
Resources to prepare for the NDB scheme
We recommend that all organisations review their practices, procedures and systems for securing personal information in preparation for the scheme. The OAIC has a comprehensive Guide to securing personal information to assist you with this.
Organisations should also prepare or update their data breach response plan to ensure that they are able to respond quickly to suspected data breaches. The OAIC’s Data breach notification — A guide to handling personal information security breaches and Guide to developing a data breach response plan provide a best practice model, and will be updated in consultation with stakeholders ahead of the commencement of the NDB scheme.
Our privacy management framework sets out the steps that the OAIC expects organisations to take to ensure good privacy governance and compliance with the Privacy Act.
Who must comply with the NDB scheme
The NDB scheme will apply to businesses, Australian Government agencies, and other organisations that are already required by the Privacy Act to keep information secure.
Which data breaches are notifiable
Not all data breaches are notifiable — the NDB scheme only requires organisations to notify when there is a data breach that is likely to result in serious harm to any individual to whom the information relates. Exceptions to the NDB scheme will apply for some data breaches, meaning that notification to individuals or to the Commissioner may not be required.
This section will be updated with additional information to assist in deciding whether an exception to the NDB scheme applies.
Assessing suspected data breaches
Organisations that suspect a data breach may have occurred are required to undertake an expeditious assessment to determine if the data breach is likely to result in serious harm.
This section will be updated with resources on assessing a suspected data breach to determine whether it is an eligible data breach under the NDB scheme.
How to notify
Where an organisation becomes aware that there are reasonable grounds to believe an eligible data breach has occurred, they are obligated to notify individuals at risk of serious harm and the OAIC as soon as practicable. This notification must set out:
- the identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned, and
- recommendations about the steps individuals should take in response to the data breach.
The role of the OAIC in NDB scheme regulation
The Commissioner will have a number of roles under the NDB scheme. These include:
- receiving notifications of eligible data breaches
- encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance
- offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.
As to specific draft resource documents:
The Australian Information Commissioner’s role in the NDB scheme.
In the main it is a factual recitation of how the legislation operates. Under Responding to notifications and Enforcing compliance it appears that the Privacy Commissioner will continue with the measured, process-oriented and conservative approach he has taken with other forms of compliance and enforcement under the Act. He refers to and relies upon the Privacy Regulatory Action Policy and its guide. Having drafted submissions on behalf of the Australian Privacy Foundation on this policy and guide, it is hard to find a more general and vague formulation of policy. And that is the critical issue. If the Privacy Commissioner fails to enforce compliance with the legislation it will fast become a dead letter. Perhaps the most complex issue is the provision allowing the preventi
The Australian Information Commissioner (the Commissioner) has a number of roles under the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988 (Cth) (Privacy Act). These include:
- receiving notifications of eligible data breaches
- encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance
- offering advice and guidance to regulated entities, and providing information to the community about the operation of the
This document summarises how the Commissioner anticipates exercising these functions.
Receiving notifications of data breaches
How the Commissioner will receive notification
Once an entity has reasonable grounds to believe there has been an eligible data breach and is not exempted from notifying, it is required to provide notification to the Commissioner and, usually, individuals at risk of serious harm. When notifying the Commissioner, the entity must provide a notification statement that contains the following information (s 26WK(3)):
- the identity and contact details of the notifying entity
- a description of the data breach
- a description of the personal information involved
- recommendations to individuals about the steps that they should take to minimise the impact of the breach.
Although not required by the Privacy Act, entities may also provide additional supporting information to the Commissioner to explain the circumstances of the data breach and the entity’s response in further detail. This information will assist the Commissioner to decide whether to make further inquiries or to take any other action.
The Commissioner will publish an online form to help entities lodge notification statements and provide additional supporting information.
Confidentiality of information provided in notifications
If an entity elects to provide additional supporting information to the Commissioner, they may request that the Commissioner hold that information in confidence. The Commissioner will respect the confidence of commercially sensitive information provided voluntarily in support of a data breach notification, and will only disclose such information after consulting with the notifying entity, and with the entity’s agreement or where required by law.
If the Commissioner receives a freedom of information (FOI) request for a notification statement or additional supporting information, the Commissioner will consult with the entity that made the notification (if it is an organisation) or will offer to transfer the request to the entity (if it is an agency).
Responding to notifications
The Commissioner will acknowledge receipt of all data breach notifications.
The Commissioner may also make inquiries or offer advice and guidance in response to notifications. In deciding whether to make inquiries or offer advice and guidance in response to a notification, the Commissioner may consider the type and sensitivity of the personal information, the numbers of individuals potentially at risk of serious harm, and the extent to which the notification statement and any additional supporting information provided demonstrate that:
- the data breach has been contained or is in the process of being contained where feasible
- the notifying entity has taken, or is taking, reasonable steps to mitigate the impact of the breach on the individuals at risk of serious harm
- the entity has taken, or is taking, reasonable steps to minimise the likelihood of a similar breach occurring again.
The Commissioner may also decide to take regulatory action on the Commissioner’s own initiative in response to a notification, or series of notifications, if this indicates a serious or systemic breach of the Privacy Act. In deciding whether to take regulatory action, the Commissioner will have regard to the OAIC’s Privacy regulatory action policy[1] and Guide to privacy regulatory action.[2] However, the Commissioner’s priority when responding to notifications is to provide guidance to the entity and to assist individuals at risk of serious harm.
Enforcing compliance with the scheme
The Commissioner has a number of enforcement powers to ensure that entities meet their obligations under the scheme. A failure to meet any of the following requirements of the scheme is an interference with the privacy of an individual (s 13(4A)):
- conduct a reasonable and expeditious assessment of a suspected eligible data breach (s 26WH(2))
- prepare a statement about the data breach, and give a copy to the Commissioner, as soon as practicable (s 26WK(2))
- notify the contents of the statement to individuals at risk of serious harm (or, in certain circumstances, publish the statement) as soon as practicable (s 26WL(3))
- comply with a direction from the Commissioner to notify as soon as practicable (s 26WR(10)).
The enforcement powers available to the Commissioner in response to an interference with privacy, which range from less serious to more serious regulatory action, include powers to:
- accept an enforceable undertaking (s 33E) and bring proceedings to enforce an enforceable undertaking (s 33F)
- make a determination (s 52) and bring proceedings to enforce a determination (ss 55A and 62)
- seek an injunction to prevent ongoing activity or a recurrence (s 98)
- apply to court for a civil penalty order for a breach of a civil penalty provision (s 80W), which includes any serious or repeated interference with
The Commissioner is also required, in most circumstances, to investigate a complaint made by an individual about an interference with the individual’s privacy (s 36), which would include a failure to notify an individual at risk of serious harm of an eligible data breach where required to do so.
In deciding when to exercise enforcement powers in relation to a contravention of the NDB scheme, the Commissioner will have regard to the OAIC’s Privacy Regulatory Action Policy.
The preferred approach of the Commissioner is to work with entities to encourage and facilitate voluntary compliance with an entity’s obligations under the Privacy Act before taking enforcement action.
The Commissioner acknowledges that it will take time for all regulated entities to become familiar with the requirements of the NDB scheme. During the first 12 months of the scheme’s operation, the Commissioner’s primary focus will be on working with entities to ensure that they understand the new requirements and are working in good faith to implement them.
Other powers and functions under the scheme
Direction to notify (s 26WR)
The Commissioner can direct an entity to notify the Commissioner and individuals at risk of serious harm about an eligible data breach in certain circumstances.
Before directing an entity to notify, the Commissioner will usually ask the entity to agree to notify. This might happen if a data breach comes to the attention of the Commissioner but has not come to the attention of the relevant entity, or if the Commissioner does not agree with an entity’s initial view about whether a data breach triggers an obligation to notify.
If the Commissioner and the entity cannot agree about whether notification should occur, the Commissioner will give the entity an opportunity to make a formal submission about why notification is not required, or if notification is required, on what terms. The Commissioner will consider the submission and any other relevant information before deciding whether to direct the entity to notify under s 26WR.
Declaration that notification need not be made, or that notification be delayed (s 26WQ)
The Commissioner may declare that notification of a particular data breach is not required (s 26WQ(1)(c)). The Commissioner may also modify the period in which notification needs to occur (s 26WQ(1)(d)).
The Commissioner cannot make a declaration under s 26WQ unless satisfied that it is reasonable in the circumstances to do so, having regard to the public interest, relevant advice received from an enforcement body or the Australian Signals Directorate, and any other relevant matter. While the Commissioner is empowered to make a declaration if it is ‘reasonable in the circumstances to do so’, the Commissioner still has discretion about whether to make a declaration, and on what terms.
In deciding whether to make a declaration, and on what terms, the Commissioner will have regard to the objectives of the Privacy Act and other relevant matters. The Commissioner will consider whether the risks associated with notifying of a particular data breach outweigh the benefits of notification to individuals at risk of serious harm.
Given the clear objective of the scheme to promote notification of eligible data breaches, and the inclusion of exceptions in the scheme that remove the need to notify in a wide range of circumstances, the Commissioner expects that declarations under s 26WQ will be limited to exceptional cases.
An entity applying for a declaration will be expected to make a well-reasoned and convincing case detailing how the data breach is an eligible data breach, why any relevant exceptions do not apply, and why notification should not occur or should be delayed. The entity should provide detailed evidence or information in support of its application.
Advice, guidance, and community information
The Commissioner provides general information to the community about the Privacy Act, including the NDB scheme, via its public enquiries service and on its website.
The Commissioner is developing a range of guidance material that will be published on the OAIC’s website to help entities comply with the scheme.
However, the Commissioner will not be able to provide detailed advice about the application of the scheme to specific data breaches. Entities will need to seek their own legal advice.
The Commissioner intends to provide information to the community about the operation of the scheme.
Identifying eligible data breaches
Given the structure of the legislation, this part of the “resource” is critical. The question of what is a data breach is usually, but not always, not a real issue. The scope and operation of “serious harm” will be the focus of privacy practitioners. The authorities, such as they are, do not specifically deal with the extent of harm. There is a good argument that damage is presumed, much like in defamation. The argument then becomes what constitutes serious harm. Based on research and anecdotal reportage, those whose personal information is accessed or stolen react strongly and are significantly affected by such breaches. A prudent organisation or agency would approach breaches as causing serious harm. It would be very useful for the Federal Court to consider a test case. The other critical limb is the weighing of factors to determine the likelihood issue. That involves a complex weighing exercise where the consequences of making the wrong decision could be significant. Perhaps the most complicated is the statutory provision allowing remedial action to obviate the need to notify. If the United States is any guide, some companies are remarkably sophisticated, proactive and effective at notifying people of breaches and dealing with concerns. Others opt for a very basic, unhelpful and pro forma response so as to be seen to be complying. And that may be the issue on how effective remedial action is.
As with any action taken the best approach is to be ready beforehand. Have systems and protocols in place and staff trained to respond without delay.
Key points
- The notifiable data breaches (NDB) scheme requires regulated entities (entities) to notify particular individuals and the OAIC about ‘eligible data breaches’. A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information
- Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in the entity’s
- Not all data breaches are eligible. For example, if an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the OAIC. There are also exceptions to notifying in certain circumstances.
Eligible data breach
An eligible data breach arises when the following three criteria are satisfied:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds (see, What is a ‘data breach’?)
- this is likely to result in serious harm to one or more individuals (see, Is serious harm likely?), and
- the entity has not been able to prevent the likely risk of serious harm with remedial action (see, Preventing serious harm with remedial action).
This document is about the threshold at which an incident is considered an ‘eligible data breach’ that will be notifiable under the scheme unless an exception applies. The OAIC will develop a separate resource, Assessing a suspected data breach, to provide guidance to entities about the process to follow when carrying out an assessment of ‘whether there are reasonable grounds to suspect that there may have been an eligible data breach of the entity’ under s 26WH.
What is a ‘data breach’?
The first step in deciding whether an eligible data breach has occurred involves considering whether there has been a data breach; that is, unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information (s 26WE(2)). The Privacy Act 1988 (Cth) (Privacy Act) does not define these terms. The following analysis and examples draw on the ordinary meaning of these words.
- Unauthorised access of personal information occurs when personal information that an entity holds is accessed by someone who is not permitted to have access. This includes unauthorised access by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party (such as by hacking).
For example, an employee browses sensitive customer records without any legitimate purpose, or a computer network is compromised by an external attacker resulting in personal information being accessed without authority.
- Unauthorised disclosure occurs when an entity makes personal information accessible or visible to others outside the entity, and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee of the entity.
For example, an employee of an entity accidentally publishes a confidential data file containing the personal information of one or more individuals on the internet.
- Loss refers to the accidental or inadvertent loss of personal information held by an entity, in circumstances where it is likely to result in unauthorised access or disclosure. An example is where an employee of an entity leaves personal information (including hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) on public transport.
Under the NDB scheme, if personal information is lost in circumstances where subsequent unauthorised access to or disclosure of the information is unlikely, there is no eligible data breach (s 26WE(2)(b)(ii)). For example, if the personal information is remotely deleted before an unauthorised person could access the information, or if the information is encrypted to a high standard making unauthorised access or disclosure unlikely, then there is no eligible data breach.
Is serious harm likely?
The second step in deciding whether a notifiable data breach has occurred involves deciding whether, from the perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach.
For the NDB scheme a ‘reasonable person’ means a person in the entity’s position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach. What is reasonable can be influenced by relevant standards and practices. ‘Reasonable person’ is also discussed in general terms in Chapter B of the OAIC’s Australian Privacy Principle Guidelines.[1]
The phrase ‘likely to occur’ means the risk of serious harm to an individual is more probable than not (rather than possible).
The chance that an individual will experience serious harm increases as the number of people whose personal information was part of the data breach increases. It may therefore be prudent for an entity to assume that a data breach that involves the loss of personal information of a very large number of individuals is likely to result in serious harm to at least one of those individuals unless the context or circumstances would support this not being the case.
‘Serious harm’ is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
Entities should assess the risk of serious harm holistically, having regard to the likelihood of the harm eventuating for individuals whose personal information was part of the data breach and the consequences of the harm. The NDB scheme includes a non-exhaustive list of ‘relevant matters’ that may assist entities to assess the likelihood of serious harm. These are set out in s 26WG as follows:
- the kind or kinds of information
- the sensitivity of the information
- whether the information is protected by one or more security measures
- if the information is protected by one or more security measures – the likelihood that any of those security measures could be overcome
- the persons, or the kinds of persons, who have obtained, or who could obtain, the information
- if a security technology or methodology:
  - was used in relation to the information, and
  - was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information,
  the likelihood that the persons, or the kinds of persons, who:
  - have obtained, or who could obtain, the information, and
  - have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates,
  have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology
- the nature of the harm
- any other relevant
As some of these matters involve overlapping considerations, they are discussed further below, under the broader headings:
- the type or types of personal information involved in the data breach
- the circumstances of the data breach
- the nature of the harm that may result from the data
The type or types of personal information involved in the data breach
Some kinds of personal information are more likely to cause an individual serious harm if compromised. Examples of the kinds of information that may increase the risk of serious harm if there is a data breach include:
- ‘sensitive information’,[2] such as information about an individual’s health
- documents commonly used for identity fraud (including Medicare card, driver licence, and passport details)
- financial information
- a combination of personal information (rather than a single piece of personal information).
Circumstances of the data breach
The specific circumstances of the data breach are relevant when assessing whether there is a risk of serious harm to an individual. This may include consideration of the following:
- Whose personal information was involved in the breach? An entity could consider whose personal information was involved in the breach, as certain people (such as young persons and vulnerable individuals) may be at particular risk of serious harm. A data breach involving the names and addresses of individuals might not, in various circumstances, be likely to result in serious harm to an individual, particularly if that information is already publicly available. However, if the entity knows that the information involved primarily relates to a vulnerable segment of the community, this may increase the risk of serious
- How many individuals were involved? If the breach involves the personal information of many individuals, the scale of the breach may affect an entity’s assessment of likely risks. Even if an entity considers that each individual will only have a small chance of suffering serious harm, if enough people’s personal information is involved in the breach, it may become likely that some of the individuals will experience serious harm. From a risk perspective, it may be prudent, depending on the particular circumstances, to treat a breach involving the personal information of a very large number of people as likely to result in serious harm to at least one of those individuals.
- Do the circumstances of the data breach affect the sensitivity of the personal information? A breach that may publicly associate an individual’s personal information with a sensitive product or service they have used may increase the risk of serious harm. For example, a data breach involving an individual’s name may involve a risk of serious harm if the entity’s name links the individual with a particular physical or mental health service.
- Is the personal information adequately encrypted, anonymised, or otherwise not easily accessible? A relevant consideration is whether the information is rendered unreadable through the use of security measures to protect the stored information, or if it is stored in such a way so that it cannot be used if breached. In considering whether security measures (such as encryption) applied to compromised data are adequate, the entity should consider whether the method of encryption is an industry-recognised secure standard at the time the entity is assessing the likelihood of risk. Additionally, an entity should have regard to whether the unauthorised recipients of the personal information would have the capability to circumvent these safeguards. For example, if an attacker holds both encrypted data and the encryption key needed to decrypt that data, the entity should not assume the data is
- What parties have gained or may gain unauthorised access to the personal information? The unauthorised disclosure of an individual’s criminal record to someone who knows that individual personally may increase the risk of serious reputational harm for that
In addition, where a third party obtains unauthorised access to personal information and appears to target the personal information of a particular individual or group of individuals, this may increase the risk of serious harm, as it is more likely that the personal information is intended for malicious purposes.
The nature of the harm
In assessing the risk of serious harm, entities should consider the broad range of potential kinds of harms that may follow a data breach. It may be helpful for entities assessing the likelihood of harm to consider a number of scenarios that would result in serious harm and the likelihood of each. Examples may include:
- identity theft
- significant financial loss by the individual
- threats to an individual’s physical safety
- loss of business or employment opportunities
- humiliation, damage to reputation or relationships
- workplace or social bullying or marginalisation.
The likelihood of a particular harm occurring, as well as the anticipated consequences for individuals whose personal information is involved in the data breach if the harm materialises, are relevant considerations.
Preventing serious harm with remedial action
The NDB scheme provides entities the opportunity to take positive steps to address a data breach in a timely manner, and avoid the need to notify. If an entity takes remedial action that prevents the likelihood of serious harm occurring for any individuals whose personal information is involved in the data breach, then the breach is not an eligible data breach for that entity or for any other entity (s 26WF(1), s 26WF(2), s 26WF(3)). For breaches where information is lost, the remedial action is adequate if it prevents the unauthorised access or disclosure of personal information (s 26WF(3)).
If the remedial action prevents the likelihood of serious harm to some individuals within a larger group of individuals whose information was compromised in a data breach, notification to those individuals for whom harm has been prevented is not required.
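To make the three-step eligibility test concrete for an incident-response team, here is an added triage helper. It is example code written for this post; it is not the OAIC's code or guidance, and every field name, the 10,000-person "large scale" threshold and the order in which the factors are weighed are assumptions of this example. It encodes the points the guidance makes that are easiest to get wrong in a hurry: a loss where later access is unlikely is not a data breach at all; encryption only counts if it is a current standard and the unauthorised party cannot circumvent it (for instance by holding the key); and remedial action that removes the risk for only some individuals leaves the rest to be notified. The scenarios at the bottom are constructed to mirror the two worked examples in the guidance (the remotely wiped phone and the misdirected file) and the WeCare and PharmaChoice examples that follow.

```python
"""Triage helper for the 'eligible data breach' test (example only, not OAIC guidance)."""
from dataclasses import dataclass, field
from enum import Enum


class BreachType(Enum):
    UNAUTHORISED_ACCESS = "unauthorised access"
    UNAUTHORISED_DISCLOSURE = "unauthorised disclosure"
    LOSS = "loss"


# Assumed heuristic (not from the guidance): a breach touching this many people is
# treated as likely to harm at least one of them unless other factors settle it first.
LARGE_SCALE_THRESHOLD = 10_000


@dataclass(frozen=True)
class Incident:
    breach_type: BreachType
    affected: frozenset                   # identifiers of the individuals involved (constructed)
    sensitive: bool                       # health, identity documents, financial, or combined identifiers
    encrypted: bool = False               # information rendered unintelligible at rest
    encryption_current: bool = False      # industry-recognised standard at the time of assessment
    key_compromised: bool = False         # recipient holds the key or can otherwise circumvent it
    subsequent_access_likely: bool = True # for LOSS: could anyone plausibly access it (s 26WE(2)(b)(ii))
    targeted: bool = False                # third party appears to target particular individuals
    remediated: frozenset = frozenset()   # individuals for whom remedial action removed the risk (s 26WF)


@dataclass
class Assessment:
    data_breach: bool
    serious_harm_likely: bool
    notify: frozenset                     # individuals still requiring notification after step 3
    reasons: list = field(default_factory=list)

    @property
    def eligible(self) -> bool:
        return self.data_breach and self.serious_harm_likely and bool(self.notify)


def encryption_effective(inc: Incident) -> bool:
    """Encryption lowers the risk only if it is current and cannot be circumvented."""
    return inc.encrypted and inc.encryption_current and not inc.key_compromised


def step1_data_breach(inc: Incident, reasons: list) -> bool:
    """Step 1: is there unauthorised access, unauthorised disclosure, or a qualifying loss?"""
    if inc.breach_type is BreachType.LOSS and not inc.subsequent_access_likely:
        reasons.append("loss where subsequent access or disclosure is unlikely: no data breach")
        return False
    reasons.append(f"{inc.breach_type.value} of personal information held by the entity")
    return True


def step2_serious_harm_likely(inc: Incident, reasons: list) -> bool:
    """Step 2: from a reasonable person's view, is serious harm more probable than not?"""
    if encryption_effective(inc):
        reasons.append("information unintelligible to the recipient: serious harm not likely")
        return False
    if inc.sensitive:
        reasons.append("sensitive, identity or financial information involved")
        return True
    if inc.targeted:
        reasons.append("third party appears to target these individuals")
        return True
    if len(inc.affected) >= LARGE_SCALE_THRESHOLD:
        reasons.append("very large number of individuals: prudent to assume harm to at least one")
        return True
    reasons.append("no factor makes serious harm more probable than not: record the judgement")
    return False


def step3_remaining_after_remediation(inc: Incident, reasons: list) -> frozenset:
    """Step 3: remedial action removes the need to notify only those it actually protected."""
    remaining = inc.affected - inc.remediated
    if not remaining:
        reasons.append("remedial action removed the risk for every individual (s 26WF)")
    elif inc.remediated:
        reasons.append(f"remedial action covered {len(inc.remediated)}; {len(remaining)} remain")
    return remaining


def assess(inc: Incident) -> Assessment:
    reasons: list = []
    breach = step1_data_breach(inc, reasons)
    harm = breach and step2_serious_harm_likely(inc, reasons)
    notify = step3_remaining_after_remediation(inc, reasons) if harm else frozenset()
    return Assessment(breach, harm, notify, reasons)


# Constructed scenarios mirroring the guidance's examples (identifiers are made up).
def lost_phone_wiped() -> Incident:
    return Incident(BreachType.LOSS, frozenset(["staff-1", "staff-2"]), sensitive=True,
                    encrypted=True, encryption_current=True, subsequent_access_likely=False)


def misdirected_file_deleted() -> Incident:
    people = frozenset(f"cust-{i}" for i in range(40))
    return Incident(BreachType.UNAUTHORISED_DISCLOSURE, people, sensitive=True, remediated=people)


def wecare_encrypted_cards() -> Incident:
    return Incident(BreachType.UNAUTHORISED_ACCESS, frozenset(f"cust-{i}" for i in range(500)),
                    sensitive=True, encrypted=True, encryption_current=True, key_compromised=False)


def pharmachoice_exposed_database() -> Incident:
    return Incident(BreachType.UNAUTHORISED_DISCLOSURE, frozenset(f"pt-{i}" for i in range(3000)),
                    sensitive=True, encrypted=False)


if __name__ == "__main__":
    for scenario in (lost_phone_wiped, misdirected_file_deleted, wecare_encrypted_cards,
                     pharmachoice_exposed_database):
        result = assess(scenario())
        print(f"{scenario.__name__}: eligible={result.eligible}; " + "; ".join(result.reasons))
```

The point of the helper is the order of the questions and the record it leaves behind: every decision carries its reasons, which is what a notification statement or a later OAIC inquiry will ask for. The `key_compromised` flag deserves particular attention, since the same encrypted records that made WeCare's breach non-eligible would become eligible the moment the attacker is found to hold the decryption key.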
Examples of remedial action that may prevent serious harm occurring include:
Example 1:
A data file, which includes the personal information of numerous individuals, is sent to an incorrect recipient outside the entity. The sender realises the error and contacts the recipient, who advises that the data file has not been accessed. The sender then confirms that the recipient has not copied, and has permanently deleted, the data file.
Example 2:
An employee leaves a smartphone on public transport while on their way to work. When the employee arrives at work they realise that the smartphone has been lost, and ask their employer’s IT support staff to remotely delete the information on the smartphone. Because of the security measures on the smartphone, the IT support staff are confident that its content could not have been accessed in the short period between when it was lost and when its contents were deleted.
Examples of data breaches
The following examples are provided to illustrate some of the considerations that entities might take into account when assessing whether a data breach is likely to result in serious harm.[4] However, whether any data breach is notifiable depends on the particular circumstances of the breach.
Example 1 — strong encryption making notification unnecessary
WeCare, an insurance company, decides to update its customer relationship management and record keeping software. While running a test, the IT team installing the software discovers that some customer records were accessed by an unauthorised third party more than a year ago. The customer records involved are primarily encrypted payment card information. WeCare notifies the police and hires an external IT security consultant to conduct an audit and security assessment. The audit confirms that 500 customer records were involved in the data breach, and that an overseas source was responsible for the hack. The IT security consultant’s comprehensive sweeps of the internet and dark web were unable to find evidence that the information was offered for sale or otherwise disclosed online. The IT security consultant also assesses that because of the high standard of encryption used for the credit card information, it is unlikely that this information could be accessed by the hacker. WeCare implemented the recommendations of the IT security consultant, including new IT security protocols and intrusion detection software. WeCare determines that it is not likely that the individuals whose personal information is involved in the data breach are at risk of serious harm. Therefore, WeCare decides it is not an eligible data breach, and does not notify the OAIC or the affected individuals. Nonetheless, it decides that as a customer service measure, it should tell the individuals about the incident. It sends an email to the customers informing them of the incident and providing some advice on personal information security measures they can take.
Example 2 — notification following unintentional publication of sensitive data
PharmaChoice, a chain of low-cost pharmacies, becomes aware that its customer database, including records about dispensing of prescription drugs, has been publicly available on the internet due to a technical error. PharmaChoice’s security consultants identify that the database was publicly available for a limited time and that it was only accessed a few times. However, PharmaChoice is unable to determine who accessed the data or if they kept a copy. Given the sensitivity of the personal information contained in the database, including drugs related to the treatment of addictive and psychiatric conditions, PharmaChoice’s risk assessment concludes that the data breach would be likely to result in serious harm to some of its customers. PharmaChoice decides to notify all customers whose personal information is involved in the data breach. Because it does not have contact details for many of the customers who filled prescriptions with it in person, it publishes a notice describing the breach on its website and posts a copy in a prominent location at each of its stores.
Example 3 — data breach experienced by overseas contractor leading to phishing
Shop4You enters into a contract with an automated email marketing platform located overseas which it uses to communicate with its customers. The service provider detects that the bulk mailing distribution lists for Shop4You have been downloaded by an external IP address. The bulk mailing distribution lists include the name, email address, gender, and suburb of Shop4You’s customers. The service provider notifies Shop4You, who conducts an immediate investigation into how the mailing lists were accessed and downloaded. An IT security sweep detects malware on an employee’s computer, and the investigation concludes that their login credentials were obtained after the employee unintentionally opened an email attachment from a malicious third party attacker. As Shop4You also held the personal information, assuming that the service provider was not an APP entity, Shop4You undertook an assessment of whether it was required to notify individuals and the OAIC. As part of its assessment, Shop4You identified that some of the individuals whose personal information was involved in the data breach received emails that fraudulently claimed to be sent from Shop4You, and which sought to obtain the individual’s credit card details. As a result, Shop4You concludes that it is more probable than not that the attacker will use the information in the mailing lists for the purposes of identity theft, and that it is likely that some of the individuals will suffer serious financial harm as a result of this. Given this likelihood, Shop4You notifies the OAIC and sends an email with the relevant information required by the NDB scheme to those individuals whose personal information is involved in the data breach. Shop4You’s email to these individuals includes information about scam emails and how to identify them, and provides referrals to services that assist individuals in mitigating the risk of identity theft.
Example 4 — loss of unencrypted storage media containing personal information
A memory stick containing the employee records of 200 employees of an Australian Government Department (the Department) goes missing while the employee who holds the memory stick is travelling from one work site to another. Once the Department becomes aware that the memory stick is lost, it conducts an extensive search but fails to locate it. The information contained in the employee records includes the names, salary information, TFNs, home addresses, phone numbers, birth dates, and in some cases health information (including disability information) of current staff. As the data on the memory stick is not encrypted, and there is a chance that the memory stick was lost outside of the Department’s premises, the Department concludes that unauthorised disclosure is likely to occur. Due to the sensitivity of the unencrypted information – not only the extent and variety of the information, but also the inclusion of health and disability information in the records – the Department’s risk assessment finds that there is a likely risk of serious harm to at least one of the individuals whose personal information is involved in the data breach. On this basis, the Department considers that it is an eligible data breach for the purposes of the NDB scheme, and prepares a statement to notify the OAIC. A senior staff member emails the relevant staff to notify them of the eligible data breach, and provides the content of the statement prepared for the OAIC. In the notification, the Department also offers staff an apology for the breach, notes that the OAIC has been informed of the breach, and explains what steps have been put in place to prevent this type of breach occurring in the future.
Example 5 — online banking fraud and remedial action
Jupiter Bank’s fraud detection systems flag that there has been unusual activity on an individual’s online banking account, when a substantial amount of money is transferred to an account in another country. The fraud team assesses the activity, and finds that the account was accessed by an unauthorised attacker who had obtained control of the individual’s account. Through its existing fraud management processes, Jupiter Bank’s fraud team notifies the individual that it is temporarily freezing online access to the account due to the fraudulent activity, resets the password for online access and returns the stolen funds. As part of its risk assessment, the fraud team confirms that the individual’s other accounts have not been compromised, and recommends to the individual that they change any similar passwords to other services. A member of Jupiter Bank’s fraud team assesses whether there is a risk of likely harm to the individual, and concludes that as a result of the above steps taken to remediate the unauthorised access, it is not likely the individual will be at risk of serious harm. Given this remedial action, Jupiter Bank does not notify the OAIC.
Example 6 — email sent to the wrong recipient contained before serious harm can occur
Care Services, a claims management service provider, regularly sends updates to its clients about the status of the workers compensation claims of their employees. Because of human error, an employee of Care Services accidentally sends an email with an attachment about the employees of Business A to another client, Business B. The attachment contains the personal information of 200 employees of Business A, and includes their name, address, date of birth, and health information about their claimed injury.
The Care Services employee realises the error, and contacts Business B to delete the email with the attachment. Business B confirms it has not accessed the file, and that it has deleted the email. Care Services’ assessment of the remedial action taken concludes that, while the file included sensitive information about the individuals’ health, the assurance that Business B deleted the file has prevented the likely risk of serious harm to any individuals. As a consequence, Care Services determines that it is not an eligible data breach that needs to be notified.
Notifying individuals about an eligible data breach
This is an entirely new facet of privacy regulation. Self-reporting to the Privacy Commissioner has occurred on a limited basis, and there have been significant privacy breaches which have given rise to notifications to affected parties, such as the Australian Red Cross breach last year. The Australian Red Cross took a proactive approach, advising users of what was being done to learn from the breach and prevent it happening again.
The legislation does not prescribe a form of action but rather requires the organisation or agency to formulate its own response, weighing the various factors in the legislation. That has its own complexities. It would be best for organisations to have a pre-planned response which can be modified as needed, rather than deciding which approach to take only once an eligible data breach has occurred. That means organisation, systems, protocols and, most importantly, training.
Key points
- When an entity experiences an eligible data breach, it must provide a statement to the Commissioner, and notify individuals at risk of serious harm of the contents of the
- If it is not practicable to notify individuals at risk of serious harm, an entity must publish a copy of the statement prepared for the Commissioner on its website, and take reasonable steps to bring its contents to the attention of individuals at risk of serious
- If a single eligible data breach applies to multiple entities, only one entity needs to notify the Commissioner and individuals at risk of serious harm. It is up to the entities to decide who notifies. Generally, the Commissioner suggests that the entity with the most direct relationship with the individuals at risk of serious harm should undertake the
Who needs to be notified?
Once an entity has reasonable grounds to believe there has been an eligible data breach, the entity must promptly prepare a statement for the Commissioner and make a prompt decision about which individuals to notify.
The Notifiable Data Breaches (NDB) scheme provides flexibility — there are three options for notifying individuals at risk of serious harm, depending on what is ‘practicable’ for the entity (s 26WK(2)).
Whether a particular option is practicable involves a consideration of the time, effort, and cost of notifying individuals at risk of serious harm in a particular manner. These factors should be considered in light of the capabilities and capacity of the entity.
Option 1 — Notify all individuals
If it is practicable, an entity can notify each of the individuals to whom the relevant information relates (s 26WL(2)(a)). That is, all individuals whose personal information was part of the data breach.
This option may be appropriate, and the simplest method, if an entity cannot reasonably assess which particular individuals are at risk of serious harm from an eligible data breach that involves personal information about many people, but where the entity has formed the view that serious harm is likely for one or more of the individuals.
The benefits of this approach include ensuring that all individuals who may be at risk of serious harm are notified, and allowing them to consider whether they need to take any action in response to the data breach.
Option 2 — Notify only those individuals at risk of serious harm
If it is practicable, an entity can notify only those individuals who are at risk of serious harm from the eligible data breach (s 26WL(2)(b)).
That is, individuals who are likely to experience serious harm as a result of the data breach. If an entity identifies that only a particular individual, or a specific subset of individuals, involved in an eligible data breach is at risk of serious harm, and can specifically identify those individuals, only those individuals need to be notified.
The benefits of this targeted approach include avoiding possible notification fatigue among members of the public, and reducing administrative costs, where it is not required by the NDB scheme.
Option 3 — Publish notification
If neither option 1 nor option 2 above is practicable, the entity must:
- publish a copy of the statement on its website if it has one
- take reasonable steps to publicise the contents of the statement (s 26WL(2)(c)).
It is not enough to simply upload a copy of the statement prepared for the Commissioner on any webpage of the entity’s website. Entities must also take proactive steps to publicise the substance of the data breach (and at least the contents of the statement), to increase the likelihood that the eligible data breach will come to the attention of individuals at risk of serious harm.
How do I notify and what do I need to say?
Options 1 and 2
Options 1 and 2 above require that entities take ‘such steps as are reasonable in the circumstances to notify individuals about the contents of the statement’ that the entity prepared for the Commissioner (s 26WL(2)(a) and (b)).
The entity can use any method to notify individuals (for example, a telephone call, SMS, physical mail, social media post, or in-person conversation), so long as the method is reasonable. In considering whether a particular method, or combination of methods, is reasonable, the notifying entity should consider the likelihood that the people it is notifying will become aware of, and understand, the notification, and weigh this against the resources involved in undertaking notification.
An entity can notify an individual using their usual method of communicating with that particular individual (s 26WL(4)).
The entity can tailor the form of its notification to individuals, as long as it includes the content of the statement required by s 26WK. That statement (and consequently, the notification to individuals) must include the following information:
- the identity and contact details of the entity (s 26WK(3)(a))
- a description of the eligible data breach that the entity has reasonable grounds to believe has happened (s 26WK(3)(b))
- the kind, or kinds, of information concerned (s 26WK(3)(c))
- recommendations about the steps that individuals should take in response to the data breach (s 26WK(3)(d)).
Option 3
Option 3, which can only be used if Options 1 or 2 are not practicable, requires an entity to publish a copy of the statement prepared for the Commissioner on its website, and take reasonable steps to publicise the contents of that statement.
An entity should consider what steps are reasonable in the circumstances of the entity and the data breach to publicise the statement. The purpose of publicising the statement is to draw it to the attention of individuals at risk of serious harm, so the entity should consider what mechanisms would be most likely to bring the statement to the attention of those people.
A reasonable step when publicising an online notice might include:
- ensuring that the webpage on which the notice is placed can be located and indexed by search engines
- publishing an announcement on the entity’s social media channels
- taking out a print or online advertisement in a publication or on a website the entity considers reasonably likely to reach individuals at risk of serious harm.
In some cases, it might be reasonable to take more than one step to publicise the contents of the statement. For example, if a data breach involves a particularly serious form of harm, or affects a large number of individuals, an entity could take out multiple print or online advertisements (which could include paid advertisements on social media channels), publish posts on multiple social media channels, or use both traditional media and online channels.
The approach to publicising the statement may depend on the publication method. For example, where space and cost allows, an entity may republish the entirety of the information required to be included in the statement. Another option, if the available space is limited, or the cost of republishing the entire statement would not be reasonable in all the circumstances, would be to summarise the information required to be included in the statement and provide a hyperlink to the copy of the statement published on the entity’s website. Entities should keep in mind the ability and likelihood of individuals at risk of serious harm being able to access the statement when determining the appropriateness of relying solely on such an approach.
Timing of notification
Entities must notify individuals as soon as practicable after completing the statement prepared for notifying the Commissioner (s 26WL(3)).
Considerations of cost, time, and effort may be relevant to an entity’s decision about when to notify individuals. However, the Commissioner generally expects entities to expeditiously notify individuals at risk of serious harm about an eligible data breach unless cost, time, and effort are excessively prohibitive in all the circumstances.
If entities have notified individuals at risk of serious harm of the data breach before they notify the Commissioner, they do not need to notify those individuals again, so long as the individuals were notified of the contents of the statement given to the Commissioner. The scheme does not require that notification be given to the Commissioner before individuals at risk of serious harm, so if entities wish to begin notifying those individuals before, or at the same time as notifying the Commissioner, they may do so.
Data breaches involving more than one organisation
If more than one entity holds personal information that was compromised in an eligible data breach, only one entity needs to notify individuals about the data breach. For example, more than one entity may hold personal information compromised in an eligible data breach due to outsourcing, a joint venture, or shared services arrangements between entities. However, if none of the entities notifies, each of the entities may be found to have breached s 26WL(2).
In these circumstances the Privacy Act intentionally does not specify which entity must undertake the notification, in order to allow entities flexibility in making arrangements appropriate for their business and their customers.
Entities should consider making arrangements regarding compliance with NDB scheme requirements, including notification to individuals at risk of serious harm, such as in service agreements or other relevant contractual arrangements, as a matter of course when entering into such agreements.
The Commissioner suggests that, in general, the entity with the most direct relationship with the individuals at risk of serious harm should notify. This will allow individuals to better understand the notification, and how the data breach might affect them.
Example: A medical practice stores paper-based patient records with a contracted storage provider. The storage provider’s premises are broken into, and the patient records stolen. Both the medical practice and the storage provider hold the records for the purpose of the Privacy Act, so both have an obligation to notify. Although the storage provider’s insurance company has agreed to cover the cost of the break in, including the cost of notification, the storage provider and medical practice agree that it is most appropriate that notification come from the medical practice, as the individuals at risk of serious harm do not have any pre-existing relationship with the storage provider. As such, the medical practice notifies the individuals about the incident and is reimbursed by the storage provider and its insurer for the costs of notification.