Australian Information Commissioner releases Notifiable Data Breaches resources
December 18, 2017
Regulators are always judged by their enforcement, and so is the effectiveness of legislation. The privacy sphere is no different. The Privacy Amendment (Notifiable Data Breaches) Act 2017 commences operation on 22 February 2018.
The Australian Information Commissioner has released the final resources (formerly called guidelines) on the operation of the Act and what is expected of organisations and agencies. They are set out below.
Resources are one thing; the culture is just as important. The excellent article When cultures collide: the debate we’re not having on data privacy highlights the fact that culture drives regulation. In Australia the political class have been reluctant legislators: the ALP Government in 1988 implemented relatively bare-bones legislation covering agencies, the Coalition Government extended the coverage to the private sector in 2001, and an ALP Government provided beefed-up enforcement powers and stronger rules on credit reporting protections in 2012. The legislation has been far from the gold standard but has always had some scope for assertive regulation. Unfortunately successive Privacy Commissioners have been timid and ineffective, often, but not always, with insufficient resources. The culture developed by the Privacy Commissioner has been education over enforcement and delay over decisive action. Needless to say, the general privacy culture has suffered.
Now, with the European GDPR taking effect next year, there may be some uncomfortable moments for organisations that do business with European entities or have a presence in the EU. On top of that, mandatory data breach notification laws have the potential to ensnare companies that have assumed the Privacy Commissioner’s bite is a non-starter and his bark a whimper. There is a good chance that the Information Commissioner will remain a timid regulator who works public service hours and does not see high-profile enforcement as a worthwhile activity. But the nature of the data breach laws means that making the wrong choice at the time of a breach may expose a company to a later problem if the Privacy Commissioner or others discover the mistake.
The article provides:
As governments around the world re-evaluate their privacy regimes, an emerging issue for every CIO is changes to data privacy regulation. These changes are forcing CIOs to review their privacy practices and, in some cases, trigger complete overhauls of business processes.
But one of the greatest dangers to data privacy has nothing to do with technology, and everything to do with culture.
Until now, Australian businesses have had the luxury of operating exclusively under Australian data privacy regulations, unless they had some physical presence overseas. The latest data privacy law to come out of Europe, the General Data Protection Regulation (GDPR), has the potential to change all this.
The great hurdle for Australian companies is the Australian cultural lens they cast over the GDPR. By ignoring, or not appreciating, the deep-seated importance of data privacy to Europeans, businesses expose themselves to unprecedented levels of financial and commercial risk.
Attitudes towards privacy: Australia vs Europe
Culture is a strong driver of national privacy regulations in Australia, as is the case around the world. But compared to other parts, Australia has long had a very relaxed approach to data privacy (and privacy more generally).
In parliament, data privacy has bipartisan support. Everyone generally agrees that it is important – there is just not a lot of urgency in implementing it. For instance, it was not until 1988 that we had our first national privacy law. Even then, the law was only introduced following public concerns around the way the Federal Government handled citizen data in their failed attempt to introduce a national identity scheme, the ‘Australia Card’.
More recently, the introduction of a mandatory data breach reporting scheme was an almost decade-long journey between the Australian Law Reform Commission’s report recommending mandatory data breach reporting, to its passage into legislation earlier this year.
In stark contrast, the importance of data privacy is deeply ingrained in European culture. Through the early part of the twentieth century, Europeans saw first-hand the impact of widespread data privacy violations by dictatorial regimes. As a result, in the wake of World War II, they unanimously declared privacy (including data privacy) to be a fundamental human right and have since actively fought to protect that right.
European regulators have long taken a particularly dim view of companies that do not take privacy seriously. But the task of fortifying privacy has become more difficult in the internet age, where vast volumes of citizen information are now held by foreign companies and in repositories across the globe.
It is through this lens that the GDPR was conceived.
The GDPR in Australia
For Australian businesses, the introduction of the GDPR presents an obvious question: “Why should I care about privacy changes in Europe?”
As it stands, a huge number of Australian companies are already interacting with EU entities, with the EU being Australia’s largest source of foreign investment and second largest trading partner (Department of Foreign Affairs and Trade). There are even more that work with EU-based companies or participate in extended data supply chains that have access to EU personal data.
With data privacy considered a fundamental human right, the GDPR’s key premise is that the privacy of the data’s owner cannot be violated, even if this data is being taken outside of the EU. In short, the GDPR seeks to protect data no matter where it resides in the world. It does not matter how you get access to it, or what you are doing with it, if your business has access to EU personal data, the GDPR will apply to you.
Significantly, the GDPR demands compliance as a condition of access to the EU market. It will be a condition of doing business with Australia’s largest source of foreign funds and her second largest trading partner. To ignore it would be to be excluded from this market, or to expose your business to the largest fines ever to be applied to data privacy (potentially up to 4 per cent of a business’ annual global turnover or up to 20 million Euros).
For Australian businesses, there are two basic cases by which most companies will need to consider the GDPR. Firstly, and most obviously, the GDPR will apply if your company is selling products or services to consumers or businesses located within the EU. Secondly, the GDPR will also apply if you are part of the data supply chain for a company selling products or services to consumers or businesses located within the EU.
Unlike Australia’s view of privacy data, the EU takes a very broad view of what should be considered personal data, and therefore protected. Under the GDPR, any data relating to a living person physically located within the EU will be considered personal data for the purposes of the GDPR. In some contexts, this could encompass IP addresses – a very different approach to what we take here in Australia.
Security and technology are only pieces of the puzzle
For most Australian CIOs, the hardest cultural hurdle will be reconciling how data privacy is positioned within their organisation, and how the GDPR demands it be managed.
Many Australian companies view data privacy as a responsibility of the CIO’s office. This severely underplays the role of business teams in data privacy compliance. For example, on their own, the CIO is not able to dictate the types of data their business collects, why, and whether the appropriate approvals have been sought. The CIO is also rarely able to judge whether business process or re-engineering, personnel training, or the application of technology is the best way to solve a potential data privacy issue.
This is not to say that security and technology are not important components of an effective data privacy program. But without the full participation of the rest of the business, data privacy controls will fall short and regulation compliance will be impossible to achieve. It will require Australian businesses to apply technology, business processes and appropriately trained people to better protect data privacy.
In some ways, that is why the EU regulations apply such large penalties. Not only do they make even the largest companies in the world sit up and pay attention, they aim to raise data privacy discussions to the board level. They will also challenge us to take more than the traditional Australian, minimum compliance approach to privacy.
What is also important for CIOs to consider, is that data privacy regulations require their organisations to be more data centric, and to look at the company from a data governance perspective.
CIOs are no strangers to data governance but, until now, most have been very focussed on understanding their organisations from the view of system integration or system management. Understanding the what, how and why of the data held by an organisation is vital for GDPR compliance.
Think about data
Even by European standards, the GDPR is a large and complicated piece of regulation. It enshrines many of the data privacy principles we have seen come out of the EU such as privacy by design, the right of access to information, the right to be forgotten, and receiving ‘specific and informed consent’ for data use. It will drive reform from a wide range of business activities from contracting services, end-user licence agreements and database design. And applying it can seem daunting.
In a 2016 survey of European businesses, Symantec found that 96 per cent of respondents felt they didn’t fully understand GDPR, and 90 per cent still felt unprepared. If you’re not feeling fully across what the GDPR could be asking of you, you are not alone.
Through the GDPR, EU regulators want to end the days of vague and open-ended collection permissions sought from consumers, for data that is not required, then kept indefinitely. They will be looking for responsible businesses to collect only the data they need, with full knowledge and permission, for a specific purpose, that will be disposed of when no longer needed.
For businesses and CIOs across Australia, this calls for business processes, people and technology to all work together. And don’t discount the impact of Australia’s cultural approach to data privacy.
The Resources provide:
What is the Notifiable Data Breaches scheme?
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.
The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches.
Agencies and organisations can lodge their statement about an eligible data breach to the Commissioner through the Notifiable Data Breach statement — Form.
Agencies and organisations must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm, and as a result require notification.
Which data breaches require notification?
An ‘eligible data breach’, which triggers notification obligations, is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.
Examples of a data breach include when:
- a device containing customers’ personal information is lost or stolen
- a database containing personal information is hacked
- personal information is mistakenly provided to the wrong person.
Why the NDB scheme is important
The NDB scheme strengthens the protections afforded to everyone’s personal information and improves transparency in the way agencies and organisations respond to serious data breaches.
This supports greater community confidence that personal information is being protected and respected, and encourages a higher standard of personal information security across Australian industries.
Notification also provides individuals with the opportunity to take steps to minimise the damage that can result from a data breach.
When the NDB takes effect
The NDB scheme commences on 22 February 2018. It only applies to eligible data breaches that occur on or after that date.
Section 6 of the Privacy Amendment (Notifiable Data Breaches) Act 2017 says that the scheme applies to incidents where personal information is subject to unauthorised access or disclosure, or is lost, following the scheme’s commencement.
An organisation that discovers a data breach before 22 February 2018 is not subject to the NDB scheme. If the organisation discovers the breach after 22 February 2018, but the breach occurred prior to that date, the breach is not an eligible data breach for the purposes of the NDB scheme.
However, certain data breaches occur over a period rather than at a discrete point in time. For example, a system may be compromised by an attacker before 22 February 2018, with data subsequently stolen both before and after 22 February 2018. While entities will need to assess their particular circumstances, in such a situation, the OAIC suggests that entities should assume that the breach is subject to the NDB scheme.
Example 1 – Data breach that occurs before the NDB scheme takes effect
On 30 March 2018, a routine IT security assessment reveals that an unauthorised third party accessed a business’s customer database on 10 February 2018. The business’s IT security analysis determines that the unauthorised third party downloaded a data file containing the names and email addresses of 5,000 customers, but concludes that there was no further unauthorised access after 10 February 2018. Because the breach occurred before 22 February 2018, notification under the NDB scheme is not required.
Example 2 – Data breach that is ongoing when the NDB scheme commences
On 1 April 2018, an organisation discovers that an employee inadvertently placed a data file containing the name and health information of its customers on a publicly accessible website. The organisation conducts an assessment, and finds that the file was placed on its website in December 2017, but was downloaded both before and after 22 February 2018. Because the data breach (namely, the unauthorised disclosure of personal information) occurred both before and after 22 February 2018, the NDB scheme applies and notification may be required.
When an agency or organisation is aware of reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm. The Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.
The notification to affected individuals and the Commissioner must include the following information:
- the identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned; and
- recommendations about the steps individuals should take in response to the data breach.
Key points
- When an entity experiences a data breach, its first step should be to contain the breach where possible and take remedial action. Where serious harm cannot be mitigated through remedial action (see Identifying eligible data breaches), it must notify individuals at risk of serious harm and provide a statement to the Commissioner as soon as practicable.
- If it is not practicable to notify individuals at risk of serious harm, an entity must publish a copy of the statement prepared for the Commissioner on its website, and take reasonable steps to bring its contents to the attention of individuals at risk of serious harm.
- If a single eligible data breach applies to multiple entities, only one entity needs to notify the Commissioner and individuals at risk of serious harm. It is up to the entities to decide who notifies. Generally, the Commissioner suggests that the entity with the most direct relationship with the individuals at risk of serious harm should undertake the notification.
Who needs to be notified?
Once an entity has reasonable grounds to believe there has been an eligible data breach, the entity must, as soon as practicable, make a decision about which individuals to notify, prepare a statement for the Commissioner and notify individuals of the contents of this statement.
The Notifiable Data Breaches (NDB) scheme provides flexibility — there are three options for notifying individuals at risk of serious harm, depending on what is ‘practicable’ for the entity (s 26WL(2)).
Whether a particular option is practicable involves a consideration of the time, effort, and cost of notifying individuals at risk of serious harm in a particular manner. These factors should be considered in light of the capabilities and capacity of the entity.
Option 1 — Notify all individuals
If it is practicable, an entity can notify each of the individuals to whom the relevant information relates (s 26WL(2)(a)). That is, all individuals whose personal information was part of the eligible data breach.
This option may be appropriate, and the simplest method, if an entity cannot reasonably assess which particular individuals are at risk of serious harm from an eligible data breach that involves personal information about many people, but where the entity has formed the view that serious harm is likely for one or more of the individuals.
The benefits of this approach include ensuring that all individuals who may be at risk of serious harm are notified, and allowing them to consider whether they need to take any action in response to the eligible data breach.
Option 2 — Notify only those individuals at risk of serious harm
If it is practicable, an entity can notify only those individuals who are at risk of serious harm from the eligible data breach (s 26WL(2)(b)).
That is, individuals who are likely to experience serious harm as a result of the eligible data breach. If an entity identifies that only a particular individual, or a specific subset of individuals, involved in an eligible data breach is at risk of serious harm, and can specifically identify those individuals, only those individuals need to be notified.
The benefits of this targeted approach include avoiding unnecessary distress to individuals who are not at risk, limiting possible notification fatigue among members of the public, and reducing administrative costs, where it is not required by the NDB scheme.
Example: An attacker installs malicious software on a retailer’s website. The software allows the attacker to intercept payment card details when customers make purchases on the website. The attacker is also able to access basic account details for all customers who have an account on the website. Following a comprehensive risk assessment, the retailer considers that the individuals who made purchases during the period that the malicious software was active are at likely risk of serious harm, due to the likelihood of payment card fraud. Based on this assessment, the retailer also considers that those customers who only had basic account details accessed are not at likely risk of serious harm. The retailer is only required to notify those individuals that it considers to be at likely risk of serious harm.
Option 3 – Publish notification
If neither option 1 nor option 2 above is practicable, for example, if the entity does not have up-to-date contact details for individuals, then the entity must:
- publish a copy of the statement on its website if it has one
- take reasonable steps to publicise the contents of the statement (s 26WL(2)(c)).
It is not enough to simply upload a copy of the statement prepared for the Commissioner on any webpage of the entity’s website. Entities must also take proactive steps to publicise the substance of the eligible data breach (and at least the contents of the statement), to increase the likelihood that the eligible data breach will come to the attention of individuals at risk of serious harm.
While the Privacy Act 1988 (Cth) does not specify the amount of time that an entity must keep the statement accessible on their website, the Commissioner would generally expect that it is available for at least 6 months.
Example: In the process of cleaning up his old desktop, an accountant accidentally sends a spreadsheet containing the TFN and contact information of his past clients to his entire email contact list. He is worried that the information contained could be used for identity theft and understands that ‘recalling’ emails does not usually work. He emails his contact list to request that they immediately delete the spreadsheet and notify him when this has happened. In addition, since the file is over ten years old, he decides that notifying individuals directly (through option 1 or 2) would not be practicable, as their contact details would more than likely be outdated. He notifies the Commissioner about the data breach and publicises a notification (option 3).
How do I notify and what do I need to say?
Options 1 (Notify all individuals) and 2 (Notify only those individuals at risk of serious harm)
Options 1 and 2 above require that entities take ‘such steps as are reasonable in the circumstances to notify individuals about the contents of the statement’ that the entity prepared for the Commissioner (s 26WL(2)(a) and (b)).
The entity can use any method to notify individuals (for example, a telephone call, SMS, physical mail, social media post, or in-person conversation), so long as the method is reasonable. In considering whether a particular method, or combination of methods is reasonable, the notifying entity should consider the likelihood that the people it is notifying will become aware of, and understand the notification, and weigh this against the resources involved in undertaking notification.
An entity can notify an individual using their usual method of communicating with that particular individual (s 26WL(4)). For example, if an entity usually communicates through a nominated intermediary, they may also choose to notify through this intermediary.
The entity can tailor the form of its notification to individuals, as long as it includes the content of the statement required by s 26WK. That statement (and consequently, the notification to individuals) must include the following information:
- the identity and contact details of the entity (s 26WK(3)(a))
- a description of the eligible data breach that the entity has reasonable grounds to believe has happened (s 26WK(3)(b))
- the kind, or kinds, of information concerned (s 26WK(3)(c))
- recommendations about the steps that individuals should take in response to the eligible data breach (s 26WK(3)(d)).
Decisions about the appropriate types of recommendations will always be dependent on the circumstances of the eligible data breach. This may include choosing to tailor recommended steps around an individual’s personal circumstances, or providing general recommendations that apply to all individuals. In some circumstances, the entity may have already taken some protective steps, reducing the necessity for action by affected individuals. The entity may choose to explain these measures in the notice to individuals as a part of their recommendation. For example, a bank may notify an individual that it has suspended suspicious transactions on their account and recommended steps may be limited to suggesting the individual monitor their accounts and notify the bank immediately of any other suspicious transactions.
Option 3 (Publish notification)
Option 3, which can only be used if Options 1 or 2 are not practicable, requires an entity to publish a copy of the statement prepared for the Commissioner on its website, and take reasonable steps to publicise the contents of that statement.
An entity should consider what steps are reasonable in the circumstances of the entity and the data breach to publicise the statement. The purpose of publicising the statement is to draw it to the attention of individuals at risk of serious harm, so the entity should consider what mechanisms would be most likely to bring the statement to the attention of those people.
A reasonable step when publicising an online notice might include:
- ensuring that the notice is prominently placed on the relevant webpage, which can be easily located by individuals and indexed by search engines
- publishing an announcement on the entity’s social media channels
- taking out a print or online advertisement in a publication or on a website the entity considers reasonably likely to reach individuals at risk of serious harm.
In some cases, it might be reasonable to take more than one step to publicise the contents of the statement. For example, if a data breach involves a particularly serious form of harm, or affects a large number of individuals, an entity could take out multiple print or online advertisements (which could include paid advertisements on social media channels), publish posts on multiple social media channels, or use both traditional media and online channels.
The approach to publicising the statement may depend on the publication method. For example, where space and cost allows, an entity may republish the entirety of the information required to be included in the statement. Another option, if the available space is limited, or the cost of republishing the entire statement would not be reasonable in all the circumstances, would be to summarise the information required to be included in the statement and provide a hyperlink to the copy of the statement published on the entity’s website. Entities should keep in mind the ability and likelihood of individuals at risk of serious harm being able to access the statement when determining the appropriateness of relying solely on such an approach.
If Option 3 is chosen, entities should take care to ensure that the online notice does not contain any personal information. While it may help if entities provide a general description of the cohort of affected individuals, this description should not identify any of the affected individuals or provide information that may make an individual reasonably identifiable. For example, it may be appropriate for an online retailer to publicise that individuals who made transactions in the year 2013 may be affected, but it would not be appropriate for the retailer to publicise the names associated with any compromised transaction data.
Timing of notification
Entities must notify individuals as soon as practicable after completing the statement prepared for notifying the Commissioner (s 26WL(3)).
Considerations of cost, time, and effort may be relevant in an entity’s decision about when to notify individuals. However, the Commissioner generally expects entities to expeditiously notify individuals at risk of serious harm about an eligible data breach unless cost, time, and effort are excessively prohibitive in all the circumstances.
If entities have notified individuals at risk of serious harm of the data breach before they notify the Commissioner, they do not need to notify those individuals again, so long as the individuals were notified of the contents of the statement given to the Commissioner. The scheme does not require that notification be given to the Commissioner before individuals at risk of serious harm, so if entities wish to begin notifying those individuals before, or at the same time as notifying the Commissioner, they may do so.
Key points
- The NDB scheme requires entities to notify individuals about an eligible data breach (see Identifying eligible data breaches).
- Entities are also required to prepare a statement and provide a copy to the Australian Information Commissioner (the Commissioner) (s 26WK). The OAIC’s online form may help entities to do this.
- The statement must include the name and contact details of the entity, a description of the eligible data breach, the kind or kinds of information involved, and what steps the entity recommends that individuals at risk of serious harm take in response to the eligible data breach (s 26WK(3))
- Entities must notify affected individuals about the contents of this statement or, if this is not practicable, publish a copy of the statement on the entity’s website and take reasonable steps to publicise the contents of the statement (s 26WL(2)) (see Notifying individuals about an eligible data breach).
What must be included in the statement
A statement about an eligible data breach must include:
- the identity and contact details of the entity (s 26WK(3)(a))
- a description of the eligible data breach (s 26WK(3)(b))
- the kind or kinds of information involved in the eligible data breach (s 26WK(3)(c))
- what steps the entity recommends that individuals take in response to the eligible data breach (s 26WK(3)(d)).
Identity and contact details of the entity
Where an entity’s company name is different to the business or trading name, the OAIC recommends that entities also include the name that is most familiar to individuals. The entity must also include information about how an individual can contact it. Depending on the nature and scale of the breach, the entity may wish to consider whether to provide its general contact details, or establish a dedicated phone line or email address to answer queries from individuals.
Description of the eligible data breach
An entity is required to include ‘a description’ of the data breach in its statement.
The OAIC expects that the statement will include sufficient information about the data breach to allow affected individuals the opportunity to properly assess the possible consequences of the data breach for them, and to take protective action in response.
Information describing the eligible data breach may include:
- the date, or date range, of the unauthorised access or disclosure
- the date the entity detected the data breach
- the circumstances of the data breach (such as any known causes for the unauthorised access or disclosure)
- who has obtained or is likely to have obtained access to the information
- relevant information about the steps the entity has taken to contain or remediate the breach.
In general, the OAIC does not expect entities to identify the specific individuals who have accessed information, unless this is relevant to the steps the entity recommends individuals might take in response. For example, where information has been accidentally disclosed in a family violence situation known to the entity, this would be important information for the individual to know.
Usually, however, it would suffice to provide a general description of the type of person who has obtained the information, such as ‘an external third party’ or ‘former employee’.
The kind or kinds of information concerned
The statement must include the kind or kinds of information involved in the data breach. Knowing what kind of personal information has been breached is critical to assessing what action should be taken by individuals following a data breach.
Entities, in assessing the data breach, should clearly establish what information was involved in the data breach, including whether the breach involved ‘sensitive information’ (such as information about an individual’s health), government related identifiers (such as a Medicare number or driver licence number), or financial information.
Steps recommended to individuals in response to the eligible data breach
The statement must include recommendations individuals should take in response to the data breach, to mitigate the serious harm or likelihood of serious harm from the data breach.
The nature of recommendations will depend on the entity’s functions and activities, the circumstances of the eligible data breach, and the kind or kinds of information that were involved. Recommendations should include practical steps that are easy for the individuals to action.
For example, to help reduce the risk of identity theft or fraud, recommendations in response to a data breach that involved individuals’ Medicare numbers might include steps an individual can take to request a new Medicare card. Or in the case of a data breach that involved credit card information, putting individuals at risk of identity theft, recommendations might include that an individual contact their financial institution to change their credit card number, and also contact a credit reporting body to establish a ban period on their credit report.
Where the entity does not have the requisite knowledge or capacity to provide advice to affected individuals, it should seek specialist advice or assistance in preparing this section. In limited circumstances, after seeking advice, the entity may use this section to advise individuals that no steps are required.
Additional information to provide
Other entities involved in the data breach
If more than one entity holds personal information that was compromised in an eligible data breach, only one entity needs to prepare a statement and notify individuals about the data breach (s 26WM, and see Data breaches involving more than one organisation). This may occur when an entity outsources the handling of personal information, is involved in a joint venture, or where it has a shared services arrangement with another entity.
When a data breach affects more than one entity, the entity that prepares the statement may include the identity and contact details of the other entities involved (s 26WK(4)). Whether an entity includes the identity and contact details of other involved entities in its statement will depend on the circumstances of the eligible data breach, and the relationship between the entities and the individuals involved. The Privacy Act 1988 (Cth) (Privacy Act) does not require this information to be included on the statement, and it is open to entities to assess whether it is useful to provide this information to individuals.
The OAIC recognises that in some instances the identity and contact details of a third party may not be relevant to an individual whose personal information is involved in an eligible data breach, for example, where the individual does not have a relationship with the other entity. In these circumstances, rather than include the identity and contact details of the third party or parties, the entity that prepares the statement may wish to describe the nature of the relationship with the third party in its description of the data breach.
When to provide a copy of the statement to the Commissioner
Entities must prepare and give a copy of the statement to the Commissioner as soon as practicable after becoming aware of the eligible data breach (s 26WK(2)).
What is a ‘practicable’ timeframe will vary depending on the entity’s circumstances, and may include considerations of the time, effort, or cost required to prepare the statement. The OAIC expects that once an entity becomes aware of an eligible data breach, it will provide a statement to the Commissioner promptly, unless there are circumstances that reasonably hinder the entity’s ability to do so.
It may be appropriate in some circumstances for an entity to advise individuals about the contents of the statement before or at the same time that it gives the statement to the Commissioner, rather than waiting.
While a statement provided to the Commissioner and individuals must include certain information outlined above (s 26WK(3)), where additional relevant information becomes available after submitting this statement, the entity may provide this to the OAIC. The OAIC will include instructions about how to provide any supplementary information upon receipt of the statement.
…
The role of the OAIC in NDB scheme regulation
The Commissioner has a number of roles under the NDB scheme. These include:
- receiving notifications of eligible data breaches
- encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance
- offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.
…
Notifications of data breaches to the Commissioner
How to notify the Commissioner
Once an entity has reasonable grounds to believe there has been an eligible data breach and it is not exempted from notifying, it is required to provide notification to individuals at risk of serious harm and the Commissioner. When notifying the Commissioner, the entity must provide a notification statement that contains the following information (s 26WK(3)):
- the identity and contact details of the notifying entity
- a description of the data breach
- the kind or kinds of information concerned
- recommendations to individuals about the steps that they should take to minimise the impact of the breach.
…
Providing voluntary information
Although not required by the Privacy Act, entities may provide additional supporting information to the Commissioner to explain the circumstances of the data breach and the entity’s response in further detail. For example, entities may choose to provide the Commissioner with technical information, which may not be appropriate to include in the statement to individuals. This information will assist the Commissioner to decide whether to make further inquiries or to take any other action. It may also be used by the Commissioner when preparing statistical reports about notifications received.
When a data breach affects more than one entity, the entity that prepares the statement may also choose to include the identity and contact details of the other entities involved (s 26WK(4)). The Privacy Act does not require this information to be included on the statement, and it is open to entities to assess whether it is useful to provide this information in the statement.
Confidentiality of information provided in notifications
If an entity elects to provide additional supporting information to the Commissioner, it may request that the Commissioner hold that information in confidence. The Commissioner will respect the confidence of commercially or operationally sensitive information provided voluntarily in support of a data breach notification, and will only disclose such information after consulting with the notifying entity, and with the entity’s agreement or where required by law.
If the Commissioner receives a freedom of information (FOI) request for a notification statement or additional supporting information, the Commissioner will consult with the entity that made the notification before responding. As a matter of course, the Commissioner will offer to transfer any FOI requests relating to agencies to the agencies in question.
The Commissioner’s response to notifications
The Commissioner will acknowledge receipt of all data breach notifications.
The Commissioner may also make inquiries or offer advice and guidance in response to notifications. In deciding whether to make inquiries or offer advice and guidance in response to a notification, the Commissioner may consider the type and sensitivity of the personal information, the numbers of individuals potentially at risk of serious harm, and the extent to which the notification statement and any additional supporting information provided demonstrate that:
- the data breach has been contained or is in the process of being contained where feasible
- the notifying entity has taken, or is taking, reasonable steps to mitigate the impact of the breach on the individuals at risk of serious harm
- the entity has taken, or is taking, reasonable steps to minimise the likelihood of a similar breach occurring again.
The Commissioner may also decide to take regulatory action on the Commissioner’s own initiative in response to a notification, or a series of notifications. In deciding whether to take regulatory action, the Commissioner will have regard to the OAIC’s Privacy regulatory action policy and Guide to privacy regulatory action.
However, generally the Commissioner’s priority when responding to notifications is to provide guidance to the entity and to assist individuals at risk of serious harm.
The Commissioner’s enforcement of the NDB scheme
The Commissioner has a number of enforcement powers to ensure that entities meet their obligations under the scheme. A failure by an entity to meet any of the following requirements of the scheme is an interference with the privacy of an individual (s 13(4A)):
- conduct a reasonable and expeditious assessment of a suspected eligible data breach (s 26WH(2)), taking all reasonable steps to ensure that this assessment is completed within 30 days of becoming aware (s 26WH(2)(b))
- prepare a statement about the data breach, and give a copy to the Commissioner, as soon as practicable (s 26WK(2))
- notify the contents of the statement to individuals at risk of serious harm (or, in certain circumstances, publish the statement) as soon as practicable (s 26WL(3))
- comply with a direction from the Commissioner to prepare a statement and notify as soon as practicable (s 26WR(10)).
The enforcement powers available to the Commissioner in response to an interference with privacy, which range from less serious to more serious regulatory action, include powers to:
- accept an enforceable undertaking (s 33E) and bring proceedings to enforce an enforceable undertaking (s 33F)
- make a determination (s 52) and bring proceedings to enforce a determination (ss 55A and 62)
- seek an injunction to prevent ongoing activity or a recurrence (s 98)
- apply to court for a civil penalty order for a breach of a civil penalty provision (s 80W), which includes a serious or repeated interference with privacy (s 13G).
The Commissioner is also required, in most circumstances, to investigate a complaint made by an individual about an interference with the individual’s privacy (s 36), which would include a failure to notify an individual at risk of serious harm of an eligible data breach where required to do so.
In deciding when to exercise enforcement powers in relation to a contravention of the NDB scheme, the Commissioner will have regard to the OAIC’s Privacy Regulatory Action Policy and the circumstances outlined in Chapter 9: Data breach incidents of the OAIC’s Guide to privacy regulatory action.
The preferred approach of the Commissioner is to work with entities to encourage and facilitate voluntary compliance with an entity’s obligations under the Privacy Act before taking enforcement action.
The Commissioner acknowledges that it will take time for all regulated entities to become familiar with the requirements of the NDB scheme. During the first 12 months of the scheme’s operation, the Commissioner’s primary focus will be on working with entities to ensure that they understand the new requirements and are working in good faith to implement them.
The Commissioner’s other powers and functions under the scheme
Direction to notify (s 26WR)
The Commissioner can direct an entity to notify individuals at risk of serious harm, as well as the Commissioner, about an eligible data breach in certain circumstances.
Before directing an entity to notify, the Commissioner will usually ask the entity to agree to notify. This might happen if a data breach comes to the attention of the Commissioner but has not come to the attention of the relevant entity, or if the Commissioner does not agree with the entity’s initial view about whether a data breach triggers an obligation to notify.
If the Commissioner and the entity cannot agree about whether notification should occur, the Commissioner will give the entity an opportunity to make a formal submission about why notification is not required, or if notification is required, on what terms. The Commissioner will consider the submission and any other relevant information before deciding whether to direct the entity to notify under s 26WR.
Declaration that notification need not be made, or that notification be delayed (s 26WQ)
The Commissioner may declare that notification of a particular data breach is not required (s 26WQ(1)(c)). The Commissioner may also modify the period in which notification needs to occur (s 26WQ(1)(d)).
The Commissioner cannot make a declaration under s 26WQ unless satisfied that it is reasonable in the circumstances to do so, having regard to the public interest, any relevant advice received from an enforcement body or the Australian Signals Directorate, and any other relevant matter. While the Commissioner is empowered to make a declaration if it is ‘reasonable in the circumstances to do so’, the Commissioner still has discretion about whether to make a declaration, and on what terms.
In deciding whether to make a declaration, and on what terms, the Commissioner will have regard to the objects of the Privacy Act (s 2A) and other relevant matters. The Commissioner will consider whether the risks associated with notifying a particular data breach outweigh the benefits of notification to individuals at risk of serious harm.
Given the clear objective of the scheme to promote notification of eligible data breaches to affected individuals, and the inclusion of exceptions in the scheme that remove the need to notify in a wide range of circumstances, the Commissioner expects that declarations under s 26WQ will be limited to exceptional cases.
An entity applying for a declaration will be expected to make a well-reasoned and convincing case detailing how the data breach is an eligible data breach, why any relevant exceptions do not apply, and why notification should not occur or should be delayed. The entity should provide detailed evidence or information in support of its application.
Advice, guidance, and community information
The Commissioner provides general information to the community about the Privacy Act, including the NDB scheme, via the OAIC’s website or its public enquiries service.
The Commissioner has developed a range of guidance material published on the OAIC’s website to help entities comply with the scheme.
However, the Commissioner will not generally be able to provide detailed advice about the application of the scheme to specific data breaches. Entities should seek their own legal and technical advice.
Part of the Commissioner’s role in the NDB scheme is to promote transparency in the way that entities handle personal information. To this end, the Commissioner will regularly publish de-identified statistical information about data breaches notified under the scheme.
Draft: Guide to OAIC Privacy Regulatory Action — Chapter 9: Data breach incidents
The Office of the Australian Information Commissioner (OAIC) published this resource as an exposure draft on 27 September 2017. Comments are now closed.
Notifiable Data Breaches (NDB) scheme
9.1 The OAIC administers a Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.
9.2 Under Part IIIC, entities that have information security obligations under the Privacy Act must generally notify the Australian Information Commissioner (the Commissioner), and individuals whose information was involved, about eligible data breaches (ss 26WK and 26WL).
9.3 The Commissioner has the following functions under the scheme:
- promoting compliance with the scheme
- receiving notifications from entities
- directing an entity to notify under s 26WR
- declaring that notification need not be made, or that notification be delayed under s 26WQ
- offering advice and guidance to regulated entities, and providing information to the community about the operation of the scheme.
Promoting compliance with the scheme
9.4 Section 13(4A) provides that if an entity contravenes any of the following requirements of the NDB scheme, the contravention is taken to be an act that is an interference with the privacy of an individual, subject to possible enforcement action:
- carry out an assessment of a suspected eligible data breach (s 26WH(2))
- prepare a statement about the eligible data breach, and give a copy to the Commissioner as soon as practicable (s 26WK(2))
- notify the contents of the statement to individuals whose personal information was involved in the eligible data breach (or, in certain circumstances, publish the statement) as soon as practicable (s 26WL(3))
- comply with a direction from the Commissioner to notify the eligible data breach (s 26WR(10)).
9.5 The Commissioner’s preferred approach is to work with entities to encourage and facilitate voluntary compliance with an entity’s obligations under the NDB scheme before taking enforcement action in relation to any interferences with privacy. The OAIC has developed guidance about the NDB scheme to assist entities.
9.6 The Commissioner may, on the Commissioner’s own initiative, investigate an act or practice that may be an interference with privacy where the Commissioner thinks it is desirable to do so (s 40(2)). The Commissioner must also investigate complaints made by individuals where an act or practice may be an interference with the privacy of the individual (s 40(1)).
9.7 Where the Commissioner has identified an interference with privacy, there are a number of enforcement powers available to the Commissioner, ranging from less serious to more serious regulatory action depending on the relevant factors. These include powers to:
- accept an enforceable undertaking (s 33E) and bring proceedings to enforce an enforceable undertaking (s 33F)
- make a determination (s 52) and bring proceedings to enforce a determination (ss 55A and 62)
- seek an injunction to prevent ongoing activity or a recurrence (s 98)
- apply to a court for a civil penalty order for a breach of a civil penalty provision (s 80W), which includes serious or repeated interferences with privacy.
9.8 In deciding whether an investigation or enforcement action is appropriate in the circumstances, the Commissioner will act in accordance with the OAIC’s Privacy regulatory action policy.
Receipt of notifications
9.9 The Commissioner will acknowledge receipt of all data breach notifications.
9.10 The Commissioner may or may not take any action in response to a data breach notification. The Commissioner will decide which notifications to respond to depending on available resources, and the Commissioner’s evaluation of the extent to which taking action in response to the notification will further the objects of the Privacy Act.
9.11 Some notifications may point to a possible interference with privacy. Under s 42, the Commissioner may make preliminary inquiries to determine whether to investigate an act or practice that may be an interference with privacy, where there has been a complaint or on the Commissioner’s own initiative. In deciding whether to make preliminary inquiries or offer advice and guidance in response to a notification, the Commissioner may consider:
- the type and sensitivity of the personal information involved
- the numbers of individuals potentially at risk of serious harm
- whether the data breach has been contained or is in the process of being contained where feasible
- steps the notifying entity has taken, or is taking, to mitigate the impact on individuals at risk of serious harm
- measures that the entity has taken, or is taking, to minimise the likelihood of a similar breach occurring again.
9.12 The Commissioner may also inquire about the incident to determine whether the OAIC can provide assistance to the entity, such as best practice advice on data breach responses and the future prevention of similar incidents.
Declaration of Commissioner – exception to notification (s 26WQ)
9.13 The Commissioner may declare that an entity does not need to comply with the notification requirements in the NDB scheme in relation to an eligible data breach. Under s 26WQ the Commissioner may give written notice declaring that a statement to the Commissioner (under s 26WK) and notification to individuals (under s 26WL) is not required, or that notification to individuals is delayed for a specified period.
9.14 The Commissioner must not make a declaration unless satisfied that it is reasonable in the circumstances to do so, having regard to:
- the public interest (s 26WQ(3)(a))
- any relevant advice given to the Commissioner by an enforcement body or the Australian Signals Directorate (ASD) (s 26WQ(3)(b)), and
- such other matters (if any) as the Commissioner considers relevant (s 26WQ(3)(c)).
9.15 An entity that is considering applying to the Commissioner for a s 26WQ declaration should do so as soon as practicable after the entity is aware that there are reasonable grounds to believe an eligible data breach has occurred.
9.16 In deciding whether to make a declaration, and on what terms, the Commissioner will have regard to the objects of the Privacy Act and other relevant matters. The Commissioner will consider whether the risks associated with notifying a particular data breach outweigh the benefits of notification to individuals at risk of serious harm.
9.17 Given the clear objective of the scheme to promote notification of eligible data breaches, and the inclusion of exceptions in the scheme that remove the need to notify in a wide range of circumstances, the Commissioner expects that declarations under s 26WQ will only be made in exceptional cases and only after a compelling case has been put forward by the entity seeking the declaration.
Applying for a s 26WQ declaration
9.18 An entity considering making an application under s 26WQ should contact the OAIC in the first instance to discuss its intention.
9.19 If the entity decides to make an application, it should provide the following information and documents to the OAIC:
- a detailed description of the data breach
- a statement outlining the entity’s reasons for seeking a s 26WQ notice
- a draft notice setting out the terms that it believes should be included in the notice issued by the Commissioner
- relevant supporting documents and evidence (including, if applicable, relevant advice from an enforcement body or the ASD)
- contact details of an employee or representative of the entity.
9.20 The onus is on the entity to demonstrate to the Commissioner that it is appropriate for the Commissioner to make a declaration. As such, the entity applying for a declaration will be expected to make a well-reasoned and compelling case detailing how the data breach is an eligible data breach, why any relevant exceptions do not apply, and why notification should not occur or should be delayed. The entity should provide detailed evidence or information in support of its application.
9.21 The Commissioner may seek further information from the entity or third parties. However, given the time critical nature of data breach notifications, the entity may not have a further opportunity to provide evidence or submissions to the OAIC before the Commissioner makes a decision on the application. As such, the entity should include all relevant information in its written application.
9.22 In considering whether to make a declaration, the Commissioner will have regard to relevant factors which may include:
- the objects in s 2A of the Privacy Act
- the purposes of the NDB scheme, which include enabling individuals to take steps to protect themselves from serious harm arising from a data breach
- the circumstances of the eligible data breach
- the extent to which notification will cause harm to particular groups or to the community at large
- the extent to which benefits of notification will be lost or diminished if notification does not occur or is delayed
- whether advice from an enforcement body or the ASD indicates that notification would be contrary to the public interest in the effective conduct of enforcement related activities and national security matters
- whether the entity responsible for the eligible data breach has been the subject of prior compliance or regulatory enforcement action by the OAIC, and the outcome of that action
- whether the eligible data breach is an isolated instance, or whether it indicates a potential systemic issue (either within the entity concerned or within an industry) or an increasing issue which may pose ongoing compliance or enforcement issues
- such other matters as the Commissioner considers relevant.
9.23 After considering the application, the Commissioner will make one of the following decisions:
- a declaration that notification does not need to occur
- a declaration that notification can be delayed (either for the period proposed by the applicant, or another period selected by the Commissioner)
- a refusal of the application.
9.24 Where the Commissioner refuses a declaration, the Commissioner will give written notice of the refusal (s 26WQ(7)).
9.25 Decisions by the Commissioner under s 26WQ are reviewable by the Administrative Appeals Tribunal (AAT). An application for review by the AAT may be made by the entity that made the application for the declaration, or another entity whose obligations under the NDB scheme are affected by the declaration.
Direction of Commissioner – requiring notification (s 26WR)
9.26 The Commissioner may direct an entity to:
- prepare a statement about the eligible data breach
- give a copy of the statement to the Commissioner, and
- notify individuals about the eligible data breach.
9.27 In deciding whether to give a direction to an entity under s 26WR(1), the Commissioner must consider:
- any relevant advice given to the Commissioner by an enforcement body or the ASD (s 26WR(6)(a))
- any relevant submission made by the entity (s 26WR(6)(b))
- such other matters (if any) as the Commissioner considers relevant (s 26WR(6)(c)).
9.28 Under s 26WR(5), a direction by the Commissioner may require an entity to include specified information about the eligible data breach, in addition to the information required in a statement prepared for the Commissioner under s 26WR(4).
9.29 The specified information that relates to an eligible data breach is likely to be information that the Commissioner considers would assist individuals to take appropriate action in response to the eligible data breach. Examples could include:
- information about the risk of harm to individuals that the Commissioner considers exists as a result of the eligible data breach
- recommendations about steps the Commissioner considers individuals should take in response to the eligible data breach
- information about complaint mechanisms available under the Privacy Act to individuals affected by the eligible data breach
- other specified information relating to the eligible data breach that the Commissioner considers reasonable and appropriate in the circumstances to include in the statement.
Process for making a s 26WR direction
9.30 Before directing an entity to notify, the Commissioner will usually ask the entity to agree to notify voluntarily.
9.31 If the Commissioner and the entity cannot agree about whether notification should occur, the Commissioner will formally invite the entity to make a submission about the direction under consideration, within a specified period (s 26WR(3)). The form of the invitation, and the period of time specified in the invitation for the entity to respond, will be for the Commissioner to determine depending on the particular circumstances. In deciding the form and period of time to respond, the Commissioner will have regard to the impact on the entity and the nature and imminence of the risk of harm to individuals who would receive notification of the eligible data breach the Commissioner has reasonable grounds to believe has happened.
9.32 The Commissioner will consider submissions and any other relevant information provided by the entity before deciding whether to direct the entity to notify under s 26WR.
9.33 The Commissioner’s decision will be communicated to the entity in writing. Entities can apply to the AAT for review of a decision by the Commissioner under s 26WR(1) to make a direction.
9.34 An entity must comply with a direction made under s 26WR(1) as soon as practicable (s 26WR(10)). Contravention of s 26WR(10) is an interference with the privacy of an individual (s 13(4A)).
Publication and disclosure of information
9.35 The OAIC will publish statistics in connection with the NDB scheme, with a view to reviewing this approach 12 months after the scheme’s commencement.
9.36 The OAIC will respect the confidence of commercially or operationally sensitive information that is provided voluntarily in support of a data breach notification.
9.37 As a matter of course, the Commissioner will consult with entities following a request for information made under FOI law. For FOI requests relating to agencies, the Commissioner will offer to transfer requests to the agency in question.
9.38 Decisions about public communications will be made in accordance with the considerations set out in the ‘Public communication as part of privacy regulatory action’ section of the Privacy regulatory action policy.