Australian Information Commissioner releases Notifiable Data Breaches resources

December 18, 2017 |

It is always in the enforcement that regulators are judged.  And how effective legislation is.  In the privacy sphere that is no different.  The Privacy Amendment (Notifiable Data Breaches) Act 2017  commences operation on 22 February 2018.

The Australian Information Commissioner has released the final resources (used to be called guidelines) on the operation of the Act and what is expected of organisations and agencies.  They are set out below.

Resources are one thing it is the culture that is as important.  The excellent article When cultures collide: the debate we’re not having on data privacy highlights the fact that the culture drives regulation.  In Australia the political class have been reluctant legislators, with the ALP Government in 1988 implementing a relatively bare bones legislation covering agencies, the Coalition Government increasing the coverage to the private sector in 2001 and providing a more beefed up enforcement powers and stronger rules on credit reporting protections in 2012 with an ALP Government.  The legislation has been far from the Gold Standard but has always has some scope for assertive regulation.  Unfortunately successive Privacy Commissioners who have been appointed have been timid and ineffective, often but not always having insufficient resources.  The culture developed by the Privacy Commissioner has been education over enforcement and delay over decisive action.  Needless to say the general privacy culture has suffered.  Now with the European GDPR regulations taking effect next year there may be some uncomfortable moments for organisations that do business with European entities or have a presence in the EU.  On top of that mandatory data breach notification laws have the potential to ensnare companies who have assumed that the Privacy Commissioner’s bite is a non starter and his bark is a whimper.  There is a good chance that the Information Commissioner will remain a timid regulator who works on public service hours and does not see high profile enforcement as being a worthwhile activity.  But the nature of the data breach laws means that making the wrong choice at the time of a breach may expose a company to a later problem if the Privacy Commissioner or others discover the mistake.

The article provides:

As governments around the world re-evaluate their privacy regimes, an emerging issue for every CIO is changes to data privacy regulation. These changes are forcing CIOs to review their privacy practices and, in some cases, trigger complete overhauls of business processes.

But one of the greatest dangers to data privacy has nothing to do with technology, and everything to do with culture.

Until now, Australian businesses have had the luxury of operating exclusively under Australian data privacy regulations, unless they had some physical presence overseas. The latest data privacy law to come out of Europe, the General Data Protection Regulation (GDPR), has the potential to change all this.

The great hurdle for Australian companies is the Australian cultural lens they cast over the GDPR. By ignoring, or not appreciating the deep-seated importance of data privacy to Europeans, businesses expose themselves to unprecedented levels of financial and commercial risk.

Attitudes towards privacy: Australia vs Europe

Culture is a strong driver of national privacy regulations in Australia, as is the case around the world. But compared to other parts, Australia has long had a very relaxed approach to data privacy (and privacy more generally).

In parliament, data privacy has bipartisan support. Everyone generally agrees that it is important – there is just not a lot of urgency in implementing it. For instance, it was not until 1988 that we had our first national privacy law. Even then, the law was only introduced following public concerns around the way the Federal Government handled citizen data in their failed attempt to introduce a national identity scheme, the ‘Australia Card’.

More recently, the introduction of a mandatory data breach reporting scheme was an almost decade-long journey between the Australian Law Reform Commission’s report recommending mandatory data breach reporting, to its passage into legislation earlier this year.

In stark contrast, the importance of data privacy is deeply engrained in European culture. Through the early part of the twentieth century, Europeans saw first hand the impact of widespread data privacy violations by dictatorial regimes. As a result, in the wake of World War II, they unanimously declared privacy (including data privacy) to be a fundamental human right and have since actively fought to protect that right.

European regulators have long taken a particularly dim view of companies that do not take privacy seriously. But the task of fortifying privacy has become more difficult in the internet age, where vast volumes of citizen information is now held by foreign companies and in repositories across the globe.

It is through this lens that the GDPR was conceived.

The GDPR in Australia

For Australian businesses, the introduction of the GDPR presents an obvious question: “Why should I care about privacy changes in Europe?”

As it stands, a huge number of Australian companies are already interacting with EU entities, with the EU being Australia’s largest source of foreign investment and second largest trading partner (Department of Foreign Affairs and Trade). There are even more that work with EU-based companies or participate in extended data supply chains that have access to EU personal data.

With data privacy considered a fundamental human right, the GDPR’s key premise is that the privacy of the data’s owner cannot be violated, even if this data is being taken outside of the EU. In short, the GDPR seeks to protect data no matter where it resides in the world. It does not matter how you get access to it, or what you are doing with it, if your business has access to EU personal data, the GDPR will apply to you.

Significantly, the GDPR demands compliance as a condition of access to the EU market. It will be a condition of doing business with Australia’s largest source of foreign funds and her second largest trading partner. To ignore it, would be to be excluded from this market, or to expose your business the largest fines ever to be applied to data privacy (potentially up to 4 per cent of a business’ annual global turnover or up to 20 million Euros).

For Australian businesses, there are two basic cases by which most companies will need to consider the GDPR. Firstly, and most obviously, the GDPR will apply if your company is selling products or services to consumers or businesses located within the EU. Secondly, the GDPR will also apply if you are part of the data supply chain for a company selling products or services to consumers or businesses located within the EU.

Unlike Australia’s view of privacy data, the EU takes a very broad view of what should be considered personal data, and therefore protected. Under the GDPR, any data relating to a living person physically located within the EU, will be considered personal data for the purposes of the GDPR. In some contexts, this could encompass IP addresses – a very different approach to what we take here in Australia.

Security and technology are only pieces of the puzzle

For most Australian CIOs, the hardest cultural hurdle will be reconciling how data privacy is positioned within their organisation, and how the GDPR demands it be managed.

Many Australian companies view data privacy as a responsibility of the CIO’s office. This severely underplays the role of business teams in data privacy compliance. For example, on their own, the CIO is not able to dictate the types of data their business collects, why, and whether the appropriate approvals have been sought. The CIO is also rarely able to judge whether business process or re-engineering, personnel training, or the application of technology is the best way to solve a potential data privacy issue.

This is not say that security and technology are not important components of an effective data privacy program. But without the full participation of the rest of the business, data privacy controls will fall short and regulation compliance will be impossible to achieve. It will require Australian businesses to apply technology, business processes and appropriately trained people to better protect data privacy.

In some ways, that is why the EU regulations apply such large penalties. Not only do they make even the largest companies in the world sit up and pay attention, they aim to raise data privacy discussions to the board level. They will also challenge us to take more than the traditional Australian, minimum compliance approach to privacy.

What is also important for CIOs to consider, is that data privacy regulations require their organisations to be more data centric, and to look at the company from a data governance perspective.

CIOs are no strangers to data governance but, until now, most have been very focussed on understanding their organisations from the view of a system integration or system management. Understanding the what, how and why of the data held by an organisation is vital for GDPR compliance.

Think about data

Even by European standards, the GDPR is a large and complicated piece of regulation. It enshrines many of the data privacy principles we have seen come out of the EU such as privacy by design, the right of access to information, the right to be forgotten, and receiving ‘specific and informed consent’ for data use. It will drive reform from a wide range of business activities from contracting services, end-user licence agreements and database design. And applying it can seem daunting.

In a 2016 survey of European businesses, Symantec found that 96 per cent of respondents felt they didn’t fully understand GDPR, and 90 per cent still felt unprepared. If you’re not feeling fully across what the GDPR could be asking of you, you are not alone.

Through the GDPR, EU regulators want to end the day of vague and open-ended collection permissions sought from consumers, for data that is not required, then kept indefinitely. They will be looking for responsible businesses to collect only the data they need, with full knowledge and permission, for a specific purpose, that will be disposed when no longer needed.

For businesses and CIOs across Australia, this calls for business processes, people and technology to all work together. And don’t discount the impact of Australia’s cultural approach to data privacy.

The Resources provide:

What is the Notifiable Data Breaches scheme?

The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.

The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches.

Agencies and organisations can lodge their statement about an eligible data breach to the Commissioner through the Notifiable Data Breach statement — Form.

Agencies and organisations must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm, and as a result require notification.

Which data breaches require notification?

An ‘eligible data breach’, which triggers notification obligations, is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.

A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.

Examples of a data breach include when:

  • a device containing customers’ personal information is lost or stolen
  • a database containing personal information is hacked
  • personal information is mistakenly provided to the wrong person.

Why the NDB scheme is important

The NDB scheme strengthens the protections afforded to everyone’s personal information and improves transparency in the way agencies and organisations respond to serious data breaches.

This supports greater community confidence that personal information is being protected and respected, and encourages a higher standard of personal information security across Australian industries.

Notification also provides individuals with the opportunity to take steps to minimise the damage that can result from a data breach.

When the NDB takes effect

The NDB scheme commences on 22 February 2018. It only applies to eligible data breaches that occur on or after that date.

Section 6 of the Privacy Amendment (Notifiable Data Breaches) Act 2017 says that the scheme applies to incidents where personal information is subject to unauthorised access or disclosure, or is lost, following the scheme’s commencement.

An organisation that discovers a data breach before 22 February 2018 is not subject to the NDB scheme. If the organisation discovers the breach after 22 February 2018, but the breach occurred prior to that date, the breach is not an eligible data breach for the purposes of the NDB scheme.

However, certain data breaches occur over a period rather than at a discrete point in time. For example, a system may be compromised by an attacker before 22 February 2018, with data subsequently stolen both before and after 22 February 2018. While entities will need to assess their particular circumstances, in such a situation, the OAIC suggests that entities should assume that the breach is subject to the NDB scheme.

Example 1 – Data breach that occurs before the NDB scheme takes effect

On 30 March 2018, a routine IT security assessment reveals that an unauthorised third party accessed a business’s customer database on 10 February 2018. The business’s IT security analysis determines that the unauthorised third party downloaded a data file containing the names and email addresses of 5,000 customers, but concludes that there was no further unauthorised access after 10 February 2018. Because the breach occurred before 22 February 2018, notification under the NDB scheme is not required.

Example 2 – Data breach that is ongoing when the NDB scheme commences

On 1 April 2018, an organisation discovers that an employee inadvertently placed a data file containing the name and health information of its customers on a publicly accessible website. The organisation conducts an assessment, and finds that the file was placed on its website in December 2017, but was downloaded both before and after 22 February 2018. Because the data breach (namely, the unauthorised disclosure of personal information) occurred both before and after 22 February 2018, the NDB scheme applies and notification may be required.

When an agency or organisation is aware of reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm. The Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.

The notification to affected individuals and the Commissioner must include the following information:

  • the identity and contact details of the organisation
  • a description of the data breach
  • the kinds of information concerned and;
  • recommendations about the steps individuals should take in response to the data breach.

Key points

  • When an entity experiences a data breach, its first step should be to contain the breach where possible and take remedial action. Where serious harm cannot be mitigated through remedial action (see Identifying eligible data breaches), it must notify individuals at risk of serious harm and provide a statement to the Commissioner as soon as practicable.
  • If it is not practicable to notify individuals at risk of serious harm, an entity must publish a copy of the statement prepared for the Commissioner on its website, and take reasonable steps to bring its contents to the attention of individuals at risk of serious harm.
  • If a single eligible data breach applies to multiple entities, only one entity needs to notify the Commissioner and individuals at risk of serious harm. It is up to the entities to decide who notifies. Generally, the Commissioner suggests that the entity with the most direct relationship with the individuals at risk of serious harm should undertake the notification.

Who needs to be notified?

Once an entity has reasonable grounds to believe there has been an eligible data breach, the entity must, as soon as practicable, make a decision about which individuals to notify, prepare a statement for the Commissioner and notify individuals of the contents of this statement.

TheNotifiable Data Breaches (NDB) scheme provides flexibility — there are three options for notifying individuals at risk of serious harm, depending on what is ‘practicable’ for the entity (s 26WL(2)).

Whether a particular option is practicable involves a consideration of the time, effort, and cost of notifying individuals at risk of serious harm in a particular manner. These factors should be considered in light of the capabilities and capacity of the entity.

Option 1 — Notify all individuals

If it is practicable, an entity can notify each of the individuals to whom the relevant information relates(s 26WL(2)(a)). That is, all individuals whose personal information was part of the eligible data breach.

This option may be appropriate, and the simplest method, if an entity cannot reasonably assess which particular individuals are at risk of serious harm from an eligible data breach that involves personal information about many people, but where the entity has formed the view that serious harm is likely for one or more of the individuals.

The benefits of this approach include ensuring that all individuals who may be at risk of serious harm are notified, and allowing them to consider whether they need to take any action in response to the eligible data breach.

Option 2 — Notify only those individuals at risk of serious harm

If it is practicable, an entity can notify only those individuals who are at risk of serious harm from the eligible data breach (s 26WL(2)(b)).

That is, individuals who are likely to experience serious harm as a result of the eligible data breach. If an entity identifies that only a particular individual, or a specific subset of individuals, involved in an eligible data breach is at risk of serious harm, and can specifically identify those individuals, only those individuals need to be notified.

The benefits of this targeted approach include avoiding unnecessary distress to individuals who are not at risk, limiting possible notification fatigue among members of the public, and reducing administrative costs, where it is not required by the NDB scheme.

Example: An attacker installs malicious software on a retailer’s website. The software allows the attacker to intercept payment card details when customers make purchases on the website. The attacker is also able to access basic account details for all customers who have an account on the website. Following a comprehensive risk assessment, the retailer considers that the individuals who made purchases during the period that the malicious software was active are at likely risk of serious harm, due to the likelihood of payment card fraud. Based on this assessment, the retailer also considers that those customers who only had basic account details accessed are not at likely risk of serious harm. The retailer is only required to notify those individuals that it considers to be at likely risk of serious harm.

Option 3 – Publish notification

If neither option 1 or 2 above are practicable, for example, if the entity does not have up-to-date contact details for individuals, then the entity must:

  • publish a copy of the statement on its website if it has one
  • take reasonable steps to publicise the contents of the statement (s 26WL(2)(c)).

It is not enough to simply upload a copy of the statement prepared for the Commissioner on any webpage of the entity’s website. Entities must also take proactive steps to publicise the substance of the eligible data breach (and at least the contents of the statement), to increase the likelihood that the eligible data breach will come to the attention of individuals at risk of serious harm.

While the Privacy Act 1988 (Cth) does not specify the amount of time that an entity must keep the statement accessible on their website, the Commissioner would generally expect that it is available for at least 6 months.

Example: In the process of cleaning up his old desktop, an accountant accidently sends a spreadsheet containing the TFN and contact information of his past clients to his entire email contact list. He is worried that the information contained could be used for identity theft and understands that ‘recalling’ emails does not usually work. He emails his contact list to request that they immediately delete the spreadsheet and notify him when this has happened. In addition, since the file is over ten years old, he decides that notifying individuals directly (through option 1 or 2) would not be practicable, as their contact details would more than likely be outdated. He notifies the Commissioner about the data breach and publicises a notification (option 3).

How do I notify and what do I need to say?

Options 1 (Notify all individuals) and 2 (Notify only those individuals at risk of serious harm)

Options 1 and 2 above require that entities take ‘such steps as are reasonable in the circumstances to notify individuals about the contents of the statement’ that the entity prepared for the Commissioner (s 26WL(2)(a) and (b)).

The entity can use any method to notify individuals (for example, a telephone call, SMS, physical mail, social media post, or in-person conversation), so long as the method is reasonable. In considering whether a particular method, or combination of methods is reasonable, the notifying entity should consider the likelihood that the people it is notifying will become aware of, and understand the notification, and weigh this against the resources involved in undertaking notification.

An entity can notify an individual using their usual method of communicating with that particular individual (s 26WL(4)). For example, if an entity usually communicates through a nominated intermediary, they may also choose to notify through this intermediary.

The entity can tailor the form of its notification to individuals, as long as it includes the content of the statement required by s 26WK. That statement (and consequently, the notification to individuals) must include the following information:

  1. the identity and contact details of the entity (s 26WK(3)(a))
  2. a description of the eligible data breach that the entity has reasonable grounds to believe has happened (s 26WK(3)(b))
  3. the kind, or kinds, of information concerned (s 26WK(3)(c))
  4. recommendations about the steps that individuals should take in response to the eligible data breach (s 26WK(3)(d)).

Decisions about the appropriate types of recommendations will always be dependent on the circumstances of the eligible data breach. This may include choosing to tailor recommended steps around an individual’s personal circumstances, or providing general recommendations that apply to all individuals. In some circumstances, the entity may have already taken some protective steps, reducing the necessity for action by affected individuals. The entity may choose to explain these measures in the notice to individuals as a part of their recommendation. For example, a bank may notify an individual that it has suspended suspicious transactions on their account and recommended steps may be limited to suggesting the individual monitor their accounts and notify the bank immediately of any other suspicious transactions.

Option 3 (Publish notification)

Option 3, which can only be used if Options 1 or 2 are not practicable, requires an entity to publish a copy of the statement prepared for the Commissioner on its website, and take reasonable steps to publicise the contents of that statement.

An entity should consider what steps are reasonable in the circumstances of the entity and the data breach to publicise the statement. The purpose of publicising the statement is to draw it to the attention of individuals at risk of serious harm, so the entity should consider what mechanisms would be most likely to bring the statement to the attention of those people.

A reasonable step when publicising an online notice, might include:

  • ensuring that the notice is prominently placed on the relevant webpage, which can be easily located by individuals and indexed by search engines
  • publishing an announcement on the entity’s social media channels
  • taking out a print or online advertisement in a publication or on a website the entity considers reasonably likely to reach individuals at risk of serious harm.

In some cases, it might be reasonable to take more than one step to publicise the contents of the statement. For example, if a data breach involves a particularly serious form of harm, or affects a large number of individuals, an entity could take out multiple print or online advertisements (which could include paid advertisements on social media channels), publish posts on multiple social media channels, or use both traditional media and online channels.

The approach to publicising the statement may depend on the publication method. For example, where space and cost allows, an entity may republish the entirety of the information required to be included in the statement. Another option, if the available space is limited, or the cost of republishing the entire statement would not be reasonable in all the circumstances, would be to summarise the information required to be included in the statement and provide a hyperlink to the copy of the statement published on the entity’s website. Entities should keep in mind the ability and likelihood of individuals at risk of serious harm being able to access the statement when determining the appropriateness of relying solely on such an approach.

If Option 3 is chosen, entities should take care to ensure that the online notice does not contain any personal information. While it may help if entities provide a general description of the cohort of affected individuals, this description should not identify any of the affected individuals or provide information that may make an individual reasonably identifiable. For example, it may be appropriate for an online retailer to publicise that individuals who made transactions in the year 2013 may be affected, but it would not be appropriate for the retailer to publicise the names associated with any compromised transaction data.

Timing of notification

Entities must notify individuals as soon as practicable after completing the statement prepared for notifying the Commissioner (s 26WL(3)).

Considerations of cost, time, and effort may be relevant in an entity’s decision about when to notify individuals. However, the Commissioner generally expects entities to expeditiously notify individuals at risk of serious harm about an eligible data breach unless cost, time, and effort are excessively prohibitive in all the circumstances.

If entities have notified individuals at risk of serious harm of the data breach before they notify the Commissioner, they do not need to notify those individuals again, so long as the individuals were notified of the contents of the statement given to the Commissioner. The scheme does not require that notification be given to the Commissioner before individuals at risk of serious harm, so if entities wish to begin notifying those individuals before, or at the same time as notifying the Commissioner, they may do so.

Key points

  • The NDB scheme requires entities to notify individuals about an eligible data breach (see Identifying eligible data breaches).

  • Entities are also required to prepare a statement and provide a copy to the Australian Information Commissioner (the Commissioner) (s 26WK). The OAIC’s online form may help entities to do this.
  • The statement must include the name and contact details of the entity, a description of the eligible data breach, the kind or kinds of information involved, and what steps the entity recommends that individuals at risk of serious harm take in response to the eligible data breach (s 26WK(3))
  • Entities must notify affected individuals about the contents of this statement or, if this is not practicable, publish a copy of the statement on the entity’s website and take reasonable steps to publicise the contents of the statement (s 26WL(2)) (see Notifying individuals about an eligible data breach).

What must be included in the statement

A statement about an eligible data breach must include:

  • the identity and contact details of the entity (s 26WK(3)(a))
  • a description of the eligible data breach (s 26WK(3)(b))
  • the kind or kinds of information involved in the eligible data breach (s 26WK(3)(c))
  • what steps the entity recommends that individuals take in response to the eligible data breach (s 26WK(3)(d)).

Identity and contact details of the entity

Where an entity’s company name is different to the business or trading name, the OAIC recommends that entities also include the name that is most familiar to individuals. The entity must also include information about how an individual can contact it. Depending on the nature and scale of the breach, the entity may wish to consider whether to provide its general contact details, or establish a dedicated phone line or email address to answer queries from individuals.

Description of the eligible data breach

An entity is required to include ‘a description’ of the data breach in its statement.

The OAIC expects that the statement will include sufficient information about the data breach to allow affected individuals the opportunity to properly assess the possible consequences of the data breach for them, and to take protective action in response.

Information describing the eligible data breach may include:

  • the date, or date range, of the unauthorised access or disclosure
  • the date the entity detected the data breach
  • the circumstances of the data breach (such as any known causes for the unauthorised access or disclosure)
  • who has obtained or is likely to have obtained access to the information
  • relevant information about the steps the entity has taken to contain or remediate the breach.

In general, the OAIC does not expect entities to identify the specific individuals who have accessed information, unless this is relevant to the steps the entity recommends individuals might take in response. For example, where information has been accidentally disclosed in a family violence situation known to the entity, this would be important information for the individual to know.

Usually, however, it would suffice to provide a general description of the type of person who has obtained the information, such as ‘an external third party’ or ‘former employee’.

The kind or kinds of information concerned

The statement must include the kind or kinds of information involved in the data breach. Knowing what kind of personal information has been breached is critical to assessing what action should be taken by individuals following a data breach.

Entities, in assessing the data breach, should clearly establish what information was involved in the data breach, including whether the breach involved ‘sensitive information’ (such as information about an individual’s health), government related identifiers (such as a Medicare number or driver licence number), or financial information.

The statement must include recommendations individuals should take in response to the data breach, to mitigate the serious harm or likelihood of serious harm from the data breach.

The nature of recommendations will depend on the entity’s functions and activities, the circumstances of the eligible data breach, and the kind or kinds of information that were involved. Recommendations should include practical steps that are easy for the individuals to action.

For example, to help reduce the risk of identity theft or fraud, recommendations in response to a data breach that involved individuals’ Medicare numbers might include steps an individual can take to request a new Medicare card. Or in the case of a data breach that involved credit card information, putting individuals at risk of identity theft, recommendations might include that an individual contact their financial institution to change their credit card number, and also contact a credit reporting body to establish a ban period on their credit report.

Where the entity does not have the requisite knowledge or capacity to provide advice to affected individuals, they should seek specialist advice or assistance in preparing this section. In limited circumstances, after seeking advice, the entity may use this section to advise individuals that no steps are required.

Additional information to provide

Other entities involved in the data breach

If more than one entity holds personal information that was compromised in an eligible data breach, only one entity needs to prepare a statement and notify individuals about the data breach (s 26WM, and see Data breaches involving more than one organisation). This may occur when an entity outsources the handling of personal information, is involved in a joint venture, or where it has a shared services arrangement with another entity.

When a data breach affects more than one entity, the entity that prepares the statement may include the identity and contact details of the other entities involved (s 26WK(4)). Whether an entity includes the identity and contact details of other involved entities in its statement will depend on the circumstances of the eligible data breach, and the relationship between the entities and the individuals involved. The Privacy Act 1988 (Cth) (Privacy Act) does not require this information to be included on the statement, and it is open to entities to assess whether it is useful to provide this information to individuals.

The OAIC recognises that in some instances the identity and contact details of a third party may not be relevant to an individual whose personal information is involved in an eligible data breach, for example, where the individual does not have a relationship with the other entity. In these circumstances, rather than include the identity and contact details of the third party or parties, the entity that prepares the statement may wish to describe the nature of the relationship with the third party in its description of the data breach.

When to provide a copy of the statement to the Commissioner

Entities must prepare and give a copy of the statement to the Commissioner as soon as practicable after becoming aware of the eligible data breach (s 26WK(2)).

What is a ‘practicable’ timeframe will vary depending on the entity’s circumstances, and may include considerations of the time, effort, or cost required to prepare the statement. The OAIC expects that once an entity becomes aware of an eligible data breach, it will provide a statement to the Commissioner promptly, unless there are circumstances that reasonably hinder the entity’s ability to do so.

It may be appropriate in some circumstances for an entity to advise individuals about the contents of the statement before or at the same time that it gives the statement to the Commissioner, rather than waiting.

While a statement provided to the Commissioner and individuals must include certain information outlined above (s 26WK(3)), where additional relevant information becomes available after submitting this statement, the entity may provide this to the OAIC. The OAIC will include instructions about how to provide any supplementary information upon receipt of the statement.

….

The role of the OAIC in NDB scheme regulation

The Commissioner has a number of roles under the NDB scheme. These include:

  • receiving notifications of eligible data breaches
  • encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance
  • offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.

The Australian Information Commissioner (the Commissioner) has a number of roles under the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988 (Cth) (Privacy Act). These include:

  • receiving notifications of eligible data breaches
  • encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance
  • offering advice and guidance to regulated entities, and providing information to the community about the operation of the scheme.

……

Notifications of data breaches to the Commissioner

How to notify the Commissioner

Once an entity has reasonable grounds to believe there has been an eligible data breach and it is not exempted from notifying, it is required to provide notification to individuals at risk of serious harm and the Commissioner. When notifying the Commissioner, the entity must provide a notification statement that contains the following information (s 26WK(3)):

  1. the identity and contact details of the notifying entity
  2. a description of the data breach
  3. the kind or kinds of information concerned
  4. recommendations to individuals about the steps that they should take to minimise the impact of the breach.

Providing voluntary information

Although not required by the Privacy Act, entities may provide additional supporting information to the Commissioner to explain the circumstances of the data breach and the entity’s response in further detail. For example, entities may choose to provide the Commissioner with technical information, which may not be appropriate to include in the statement to individuals. This information will assist the Commissioner to decide whether to make further inquiries or to take any other action. It may also be used by the Commissioner when preparing statistical reports about notifications received.

When a data breach affects more than one entity, the entity that prepares the statement may also choose to include the identity and contact details of the other entities involved (s 26WK(4)). The Privacy Act does not require this information to be included on the statement, and it is open to entities to assess whether it is useful to provide this information in the statement.

Confidentiality of information provided in notifications

If an entity elects to provide additional supporting information to the Commissioner, it may request that the Commissioner hold that information in confidence. The Commissioner will respect the confidence of commercially or operationally sensitive information provided voluntarily in support of a data breach notification, and will only disclose such information after consulting with the notifying entity, and with the entity’s agreement or where required by law.

If the Commissioner receives a freedom of information (FOI) request for a notification statement or additional supporting information, the Commissioner will consult with the entity that made the notification before responding. As a matter of course, the Commissioner will offer to transfer any FOI requests relating to agencies to the agencies in question.

The Commissioner’s response to notifications

The Commissioner will acknowledge receipt of all data breach notifications.

The Commissioner may also make inquiries or offer advice and guidance in response to notifications. In deciding whether to make inquiries or offer advice and guidance in response to a notification, the Commissioner may consider the type and sensitivity of the personal information, the numbers of individuals potentially at risk of serious harm, and the extent to which the notification statement and any additional supporting information provided demonstrate that:

  • the data breach has been contained or is in the process of being contained where feasible
  • the notifying entity has taken, or is taking, reasonable steps to mitigate the impact of the breach on the individuals at risk of serious harm
  • the entity has taken, or is taking, reasonable steps to minimise the likelihood of a similar breach occurring again.

The Commissioner may also decide to take regulatory action on the Commissioner’s own initiative in response to a notification, or a series of notifications. In deciding whether to take regulatory action, the Commissioner will have regard to the OAIC’s Privacy regulatory action policy and Guide to privacy regulatory action.

However, generally the Commissioner’s priority when responding to notifications is to provide guidance to the entity and to assist individuals at risk of serious harm.

The Commissioner’s enforcement of the NDB scheme

The Commissioner has a number of enforcement powers to ensure that entities meet their obligations under the scheme. A failure by an entity to meet any of the following requirements of the scheme is an interference with the privacy of an individual (s 13(4A)):

  • conduct a reasonable and expeditious assessment of a suspected eligible data breach (s 26WH(2)), taking all reasonable steps to ensure that this assessment is completed within 30 days of becoming aware (s 26WH(2)(b))
  • prepare a statement about the data breach, and give a copy to the Commissioner, as soon as practicable (s 26WK(2))
  • notify the contents of the statement to individuals at risk of serious harm (or, in certain circumstances, publish the statement) as soon as practicable (s 26WL(3))
  • comply with a direction from the Commissioner to prepare a statement and notify as soon as practicable (s 26WR(10)).

The enforcement powers available to the Commissioner in response to an interference with privacy, which range from less serious to more serious regulatory action, include powers to:

  • accept an enforceable undertaking (s 33E) and bring proceedings to enforce an enforceable undertaking (s 33F)
  • make a determination (s 52) and bring proceedings to enforce a determination (ss 55A and 62)
  • seek an injunction to prevent ongoing activity or a recurrence (s 98)
  • apply to court for a civil penalty order for a breach of a civil penalty provision (s 80W), which includes a serious or repeated interference with privacy (s 13G).

The Commissioner is also required, in most circumstances, to investigate a complaint made by an individual about an interference with the individual’s privacy (s 36), which would include a failure to notify an individual at risk of serious harm of an eligible data breach where required to do so.

In deciding when to exercise enforcement powers in relation to a contravention of the NDB scheme, the Commissioner will have regard to the OAIC’s Privacy Regulatory Action Policyand the circumstances outlined in Chapter 9: Data breach incidents of the OAIC’s Guide to privacy regulatory action.

The preferred approach of the Commissioner is to work with entities to encourage and facilitate voluntary compliance with an entity’s obligations under the Privacy Act before taking enforcement action.

The Commissioner acknowledges that it will take time for all regulated entities to become familiar with the requirements of the NDB scheme. During the first 12 months of the scheme’s operation, the Commissioner’s primary focus will be on working with entities to ensure that they understand the new requirements and are working in good faith to implement them.

The Commissioner’s other powers and functions under the scheme

Direction to notify (s 26WR)

The Commissioner can direct an entity to notify individuals at risk of serious harm, as well as the Commissioner, about an eligible data breach in certain circumstances.

Before directing an entity to notify, the Commissioner will usually ask the entity to agree to notify. This might happen if a data breach comes to the attention of the Commissioner but has not come to the attention of the relevant entity, or if the Commissioner does not agree with the entity’s initial view about whether a data breach triggers an obligation to notify.

If the Commissioner and the entity cannot agree about whether notification should occur, the Commissioner will give the entity an opportunity to make a formal submission about why notification is not required, or if notification is required, on what terms. The Commissioner will consider the submission and any other relevant information before deciding whether to direct the entity to notify under s 26WR.

Declaration that notification need not be made, or that notification be delayed (s 26WQ)

The Commissioner may declare that notification of a particular data breach is not required (s 26WQ(1)(c)). The Commissioner may also modify the period in which notification needs to occur (s 26WQ(1)(d)).

The Commissioner cannot make a declaration under s 26WQ unless satisfied that it is reasonable in the circumstances to do so, having regard to the public interest, any relevant advice received from an enforcement body or the Australian Signals Directorate, and any other relevant matter. While the Commissioner is empowered to make a declaration if it is ‘reasonable in the circumstances to do so’, the Commissioner still has discretion about whether to make a declaration, and on what terms.

In deciding whether to make a declaration, and on what terms, the Commissioner will have regard to the objects of the Privacy Act (s 2A) and other relevant matters. The Commissioner will consider whether the risks associated with notifying a particular data breach outweigh the benefits of notification to individuals at risk of serious harm.

Given the clear objective of the scheme to promote notification of eligible data breaches to affected individuals, and the inclusion of exceptions in the scheme that remove the need to notify in a wide range of circumstances, the Commissioner expects that declarations under s 26WQ will be limited to exceptional cases.

An entity applying for a declaration will be expected to make a well-reasoned and convincing case detailing how the data breach is an eligible data breach, why any relevant exceptions do not apply, and why notification should not occur or should be delayed. The entity should provide detailed evidence or information in support of its application.

Advice, guidance, and community information

The Commissioner provides general information to the community about the Privacy Act, including the NDB scheme, via the OAIC’s website or its public enquiries service.

The Commissioner has developed a range of guidance material published on the OAIC’s website to help entities comply with the scheme.

However, the Commissioner will not generally be able to provide detailed advice about the application of the scheme to specific data breaches. Entities should seek their own legal and technical advice.

Part of the Commissioner’s role in the NDB scheme is to promote transparency in the way that entities handle personal information. To this end, the Commissioner will regularly publish de-identified statistical information about data breaches notified under the scheme.

Draft: Guide to OAIC Privacy Regulatory Action — Chapter 9: Data breach incidents

The Office of the Australian Information Commissioner (OAIC) published this resource as an exposure draft on 27 September 2017. Comments are now closed.

Notifiable Data Breaches (NDB) scheme

9.1 The OAIC administers a Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.

9.2 Under Part IIIC, entities that have information security obligations under the Privacy Act[1] must generally notify the Australian Information Commissioner (the Commissioner), and individuals whose information was involved, about eligible data breaches (ss 26WK and 26WL).

9.3 The Commissioner has the following functions under the scheme:

  • promoting compliance with the scheme
  • receiving notifications from entities
  • directing an entity to notify under s 26WR
  • declaring that notification need not be made, or that notification be delayed under s 26WQ
  • offering advice and guidance to regulated entities, and providing information to the community about the operation of the scheme.

Promoting compliance with the scheme

9.4 Section 13(4A) provides that if an entity contravenes any of the following requirements of the NDB scheme, the contravention is taken to be an act that is an interference with the privacy of an individual, subject to possible enforcement action:

  • carry out an assessment of a suspected eligible data breach (s 26WH(2))
  • prepare a statement about the eligible data breach, and give a copy to the Commissioner as soon as practicable (s 26WK(2))
  • notify the contents of the statement to individuals whose personal information was involved in the eligible data breach (or, in certain circumstances, publish the statement) as soon as practicable (s 26WL(3))
  • comply with a direction from the Commissioner to notify the eligible data breach (s 26WR(10)).

9.5 The Commissioner’s preferred approach is to work with entities to encourage and facilitate voluntary compliance with an entity’s obligations under the NDB scheme before taking enforcement action in relation to any interferences with privacy. The OAIC has developed guidance about the NDB scheme to assist entities.

9.6 The Commissioner may, on the Commissioner’s own initiative, investigate an act or practice that may be an interference with privacy where the Commissioner thinks it is desirable to do so (s 40(2)). The Commissioner must also investigate complaints made by individuals where an act or practice may be an interference with the privacy of the individual (s 40(1)).

9.7 Where the Commissioner has identified an interference with privacy, there are a number of enforcement powers available to the Commissioner, ranging from less serious to more serious regulatory action depending on the relevant factors. These include powers to:

  • accept an enforceable undertaking (s 33E) and bring proceedings to enforce an enforceable undertaking (s 33F)
  • make a determination (s 52) and bring proceedings to enforce a determination (ss 55A and 62)
  • seek an injunction to prevent ongoing activity or a recurrence (s 98)
  • apply to a court for a civil penalty order for a breach of a civil penalty provision (s 80W), which includes serious or repeated interferences with privacy.

9.8 In deciding whether an investigation or enforcement action is appropriate in the circumstances, the Commissioner will act in accordance with the OAIC’s Privacy regulatory action policy.

Receipt of notifications

9.9 The Commissioner will acknowledge receipt of all data breach notifications.

9.10 The Commissioner may or may not take any action in response to a data breach notification. The Commissioner will decide which notifications to respond to depending on available resources, and the Commissioner’s evaluation of the extent to which taking action in response to the notification will further the objects of the Privacy Act.

9.11 Some notifications may point to a possible interference with privacy. Under s 42, the Commissioner may make preliminary inquiries to determine whether to investigate an act or practice that may be an interference with privacy, where there has been a complaint or on the Commissioner’s own initiative. In deciding whether to make preliminary inquiries or offer advice and guidance in response to a notification, the Commissioner may consider:

  • the type and sensitivity of the personal information involved
  • the numbers of individuals potentially at risk of serious harm
  • whether the data breach has been contained or is in the process of being contained where feasible
  • steps the notifying entity has taken, or is taking, to mitigate the impact on individuals at risk of serious harm
  • measures that the entity has taken, or is taking, to minimise the likelihood of a similar breach occurring again.

9.12 The Commissioner may also inquire about the incident to determine whether the OAIC can provide assistance to the entity, such as best practice advice on data breach responses and the future prevention of similar incidents.

Declaration of Commissioner – exception to notification (s 26WQ)

9.13 The Commissioner may declare that an entity does not need to comply with the notification requirements in the NDB scheme in relation to an eligible data breach. Under s 26WQ the Commissioner may give written notice declaring that a statement to the Commissioner (under s 26WK) and notification to individuals (under s 26WL) is not required,[ or that notification to individuals is delayed for a specified period.

9.14 The Commissioner must not make a declaration unless satisfied that it is reasonable in the circumstances to do so, having regard to:

  • the public interest (s 26WQ(3)(a))
  • any relevant advice given to the Commissioner by an enforcement body or the Australian Signals Directorate (ASD) (s 26WQ(3)(b)) , and
  • such other matters (if any) as the Commissioner considers relevant (s 26WQ(3)(c)).

9.15 An entity that is considering applying to the Commissioner for a s 26WQ declaration should do so as soon as practicable after the entity is aware that there are reasonable grounds to believe an eligible data breach has occurred.

9.16 In deciding whether to make a declaration, and on what terms, the Commissioner will have regard to the objects of the Privacy Act and other relevant matters. The Commissioner will consider whether the risks associated with notifying of a particular data breach outweigh the benefits of notification to individuals at risk of serious harm.

9.17 Given the clear objective of the scheme to promote notification of eligible data breaches, and the inclusion of exceptions in the scheme that remove the need to notify in a wide range of circumstances, the Commissioner expects that declarations under s 26WQ will only be made in exceptional cases and only after a compelling case has been put forward by the entity seeking the declaration.

Applying for a s 26WQ declaration

9.18 An entity considering making an application under s 26WQ should contact the OAIC in the first instance to discuss its intention.

9.19 If the entity decides to make an application, it should provide the following information and documents to the OAIC:

  • a detailed description of the data breach
  • a statement outlining the entity’s reasons for seeking a s 26WQ notice
  • a draft notice setting out the terms that it believes should be included in the notice issued by the Commissioner
  • relevant supporting documents and evidence (including, if applicable, relevant advice from an enforcement body or the ASD)
  • contact details of an employee or representative of the entity.

9.20 The onus is on the entity to demonstrate to the Commissioner that it is appropriate for the Commissioner to make a declaration. As such, the entity applying for a declaration will be expected to make a well-reasoned and compelling case detailing how the data breach is an eligible data breach, why any relevant exceptions do not apply, and why notification should not occur or should be delayed. The entity should provide detailed evidence or information in support of its application.

9.21 The Commissioner may seek further information from the entity or third parties. However, given the time critical nature of data breach notifications, the entity may not have a further opportunity to provide evidence or submissions to the OAIC before the Commissioner makes a decision on the application. As such, the entity should include all relevant information in its written application.

9.22 In considering whether to make a declaration, the Commissioner will have regard to relevant factors which may include:

  • the objects in s 2A of the Privacy Act
  • the purposes of the NDB scheme, which include enabling individuals to take steps to protect themselves from serious harm arising from a data breach
  • the circumstances of the eligible data breach
  • the extent to which notification will cause harm to particular groups or to the community at large
  • the extent to which benefits of notification will be lost or diminished if notification does not occur or is delayed
  • whether advice from an enforcement body or the ASD indicates that notification would be contrary to the public interest in the effective conduct of enforcement related activities and national security matters
  • whether the entity responsible for the eligible data breach has been the subject of prior compliance or regulatory enforcement action by the OAIC, and the outcome of that action
  • whether the eligible data breach is an isolated instance, or whether it indicates a potential systemic issue (either within the entity concerned or within an industry) or an increasing issue which may pose ongoing compliance or enforcement issues
  • such other matters as the Commissioner considers relevant.

9.23 After considering the application, the Commissioner will make one of the following decisions:

  • a declaration that notification does not need to occur
  • a declaration that notification can be delayed (either for the period proposed by the applicant, or another period selected by the Commissioner)
  • a refusal of the application.

9.24 Where the Commissioner refuses a declaration, the Commissioner will give written notice of the refusal (s 26WQ(7)).

9.25 Decisions by the Commissioner under s 26WQ are reviewable by the Administrative Appeals Tribunal (AAT). An application for review by the AAT may be made by the entity that made the application for the declaration, or another entity whose obligations under the NDB scheme are affected by the declaration.

Direction of Commissioner – requiring notification (s 26WR)

9.26 The Commissioner may direct an entity to:

  • prepare a statement about the eligible data breach
  • give a copy of the statement to the Commissioner, and
  • notify individuals about the eligible data breach.

9.27 In deciding whether to give a direction to an entity under s 26WR(1), the Commissioner must consider:

  • any relevant advice given to the Commissioner by an enforcement body or the ASD (s 26WR(6)(a))
  • any relevant submission made by the entity (s 26WR(6)(b))
  • such other matters (if any) as the Commissioner considers relevant (s 26WR(6)(c)).

9.28 Under s 26WR(5), a direction by the Commissioner may require an entity to include specified information about the eligible data breach, in addition to the information required in a statement prepared for the Commissioner under s 26WR(4).

9.29 The specified information that relates to an eligible data breach is likely to be information that the Commissioner considers would assist individuals to take appropriate action in response to the eligible data breach. Examples could include:

  • information about the risk of harm to individuals that the Commissioner considers exists as a result of the eligible data breach
  • recommendations about steps the Commissioner considers individuals should take in response to the eligible data breach
  • information about complaint mechanisms available under the Privacy Act to individuals affected by the eligible data breach
  • other specified information relating to the eligible data breach that the Commissioner considers reasonable and appropriate in the circumstances to include in the statement.

Process for making a s 26WR direction

9.30 Before directing an entity to notify, the Commissioner will usually ask the entity to agree to notify voluntarily.

9.31 If the Commissioner and the entity cannot agree about whether notification should occur, the Commissioner will formally invite the entity to make a submission about the direction under consideration, within a specified period (s 26WR(3)). The form of the invitation, and the period of time specified in the invitation for the entity to respond, will be for the Commissioner to determine depending on the particular circumstances. In deciding the form and period of time to respond, the Commissioner will have regard to the impact on the entity and the nature and imminence of the risk of harm to individuals who would receive notification of the eligible data breach the Commissioner has reasonable grounds to believe has happened.

9.32 The Commissioner will consider submissions and any other relevant information provided by the entity before deciding whether to direct the entity to notify under s 26WR.

9.33 The Commissioner’s decision will be communicated to the entity in writing. Entities can apply to the AAT for review of a decision by the Commissioner under s 26WR(1) to make a direction.

9.34 An entity must comply with a direction made under s 26WR(1) as soon as practicable (s 26WR(10)). Contravention of s 26WR(10) is an interference with the privacy of an individual (s 13(4A)).

Publication and disclosure of information

9.35 The OAIC will publish statistics in connection with the NDB scheme, with a view to reviewing this approach 12 months after the scheme’s commencement.

9.36 The OAIC will respect the confidence of commercially or operationally sensitive information that is provided voluntarily in support of a data breach notification.

9.37 As a matter of course, the Commissioner will consult with entities following a request for information made under FOI law. For FOI requests relating to agencies, the Commissioner will offer to transfer requests to the agency in question.

9.38 Decisions about public communications will be made in accordance with the considerations set out in the ‘Public communication as part of privacy regulatory action’ section of the Privacy regulatory action policy.

 

 

 

 

One Response to “Australian Information Commissioner releases Notifiable Data Breaches resources”

  1. Australian Information Commissioner releases Notifiable Data Breaches resources | Australian Law Blogs

    […] Australian Information Commissioner releases Notifiable Data Breaches resources […]

Leave a Reply