Privacy Amendment (Notifiable Data Breaches) Bill 2016
Australia finally looks set to have a new national mandatory notification laws for data breaches.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was introduced to the House of Representatives by the Federal Attorney-General on 19 October 2016 and read for the second time. Debate is expected to continue today.
History of the Bill
The history of the proposed laws for mandatory notification of serious data security breaches and the exposure Bill released by the Attorney-General's offices in December last year has been discussed previously in our Alert - Parliament begins consultation on new laws proposing Mandatory Notification of Serious Data Security Breaches.
Likelihood of the Bill passing
Assuming there is bi-partisan support for the Bill (as there was for the 2013 Bill which nearly made law), it can be expected that the Bill will progress to the Senate. Notwithstanding ongoing reservations about how the assessment and notification obligations can be met in practice and the overall benefits of notification, the passage of this Bill does seem more certain in the current environment and the rationale persuasive. The draft Exposure Bill was subject to detailed public consultation. There are many other jurisdictions introducing or planning to introduce their own mandatory notification laws. There are regular and high profile data breaches in the public and private sectors, cybersecurity poses complex challenges and the volume and type of data which organisations collect and handle is only increasing. Also, the Office of the Australian Information Commissioner (OAIC) now has an Australian Information Commissioner and Privacy Commissioner – both held by Timothy Pilgrim. The Information Commissioner's existing powers of enforcement in the Privacy Act will apply to the breach of the new obligations under the Bill.
New obligations under the Bill
The Bill inserts a new Part IIIC into the Privacy Act 1988 (Cth) which will apply to entities currently subject to the Privacy Act, namely Commonwealth agencies and private sector entities, credit reporting bodies, credit providers and tax file number recipients. It sets out when these entities must notify 'eligible data breaches' they experience to the Information Commissioner and to relevant individuals in connection with information they hold about the individuals.
The threshold for notification is where serious harm to any of the individuals is likely. The threshold tests which trigger the notice obligations are based on an objective test of what a reasonable person would conclude.
There are some important exceptions to notification, in particular where remediation taken by the entity has reduced the risk of serious harm.
An overview of the key provisions
This initial report the day after of the Bill's introduction explains the most critical provisions of the Bill. We will follow up with more communications on the Bill as it progresses.
What is an 'eligible data breach'?
An 'eligible data breach' occurs when, in respect of personal information, credit reporting information, credit eligibility information or tax file number information held by a relevant entity required to comply with data security obligations in the Privacy Act, the following conditions are satisfied:
- there is unauthorised access to, or unauthorised disclosure of, the information, or where the information is lost, unauthorised access to, or unauthorised disclosure of, the information, is likely to occur; and
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to which the information relates (in the case of lost information assuming that unauthorised access or unauthorised disclosure were to occur).
There are a number of exceptions to the definition of eligible data breach. Most critically the unauthorised loss, access or disclosure of the information will not be an eligible data breach where, as a result of remedial action taken by the relevant entity in relation to the breach, before it results in serious harm to any individual to whom the information relates, a reasonable person would conclude that the loss, access or disclosure of the information is unlikely to result in serious harm to any of those individuals.
Similarly, if such action were taken in respect of particular individuals prior to serious harm occurring and a reasonable person would conclude that, as a result the loss, access or disclosure would not be likely to result in serious harm to those particular individuals, the entity will not be required to notify those individuals of the loss, unauthorised access or unauthorised disclosure.
What is serious harm?
Serious harm is broadly construed. The explanatory memorandum accompanying the Bill explains that serious harm could include serious physical, psychological, emotional, economic and financial harm as well as serious harm to reputation. The Bill sets out a non-exhaustive list of relevant matters to have regard to when determining whether access or disclosure would likely to result in serious harm:
- the kind and sensitivity of the information;
- whether the information is protected by security measures and the likelihood any such security measures would be overcome including the use of an encryption key to circumvent the encryption technology or methodology;
- the persons or kinds of persons who have or could obtain the information;
- the likelihood that any persons who have or could obtain the information could obtain information or knowledge or circumvent any security technology or methodology applied to the information with the intent to cause harm;
- the nature of the harm; and
- any other relevant matters.
Assessment of suspected eligible data breaches by an entity
An entity is required to carry out an assessment if it:
- is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity; and
- is not aware that there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity.
The entity must take reasonable steps to ensure that the assessment is completed within 30 days after becoming aware of the reasonable grounds of the suspicion. The assessment must be a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible breach of the entity.
If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement.
Notification of eligible data breaches
If an entity becomes aware (whether by assessment, if required, or by other means) that there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity, the entity must meet the following notification obligations as soon as practicable:
1. Prepare a statement that sets out:
- the identity and contact details of the entity and, if the eligible data breach relates to more than one entity, it may set out the identity and contact details of those other entities;
- a description of the eligible data breach that the entity has reasonable grounds to believe has happened;
- the kind or kinds of information affected;
- recommendations about the steps that individuals should take in response; and
- If the statement is being made under a direction from the Commissioner (discussed below), any specified information from the Commissioner's direction.
2. Give a copy of this statement to the Commissioner.
3. If it is practicable, take such steps as are reasonable to notify the contents of the statement to:
- each individual to whom the information relates;
- each individual at risk from the eligible data breach; and
- in the method the entity normally communicates with the individual (if any).
4. If individual notification is not practicable, the entity must:
- publish a copy of the statement on the entity's website (if any); and
- take reasonable steps to publicise the contents of the statement.
The exemptions to the statement and notification obligations are:
- if the eligible data breach applies to more than one entity, only one entity needs to undertake the statement and notification for all entities to comply;
- where it would be likely to prejudice enforcement related activity of an enforcement body;
- where it is inconsistent with a secrecy provision; and
- at the Commissioner's direction (see below).
Multiple entities exemption
The exemption (at 1 above) allows for a situation where the eligible data breach applies to multiple entities, so that only one entity may undertake the assessment and notification. The Bill also provides (as noted at 1(a) in the preceding section above) that the required statement ‘may’ also include the identity and contact details of those other entities. This is an acknowledgement that it may not always be appropriate to include the additional entities. The explanatory memorandum indicates that these provisions are designed to address situations involving outsourcing, joint venture or shared services arrangements. A clear example is the use of cloud service providers. The Bill does not address which entity should be the one that complies with its requirements. This will be a matter for addressing in contracts with cloud service providers and other relevant entities.
The Commissioner may act on their own initiative or upon the application by the entity, to declare that the statement and notification obligations do not apply, or to extend the time for compliance. The Commissioner also has the power to direct an entity to comply with the statement and notification requirements. For this direction, the entity must be invited to make a submission.
In exercising the above powers, the Commissioner must be satisfied that the direction is reasonable in the circumstances, having regard to the public interest, any relevant advice of an enforcement body or the Australian Signals Directorate of the Defence Department and any other matters the Commissioner considers relevant.
An entity is not required to comply with a Commissioner's direction to comply with the statement and notification requirements, if it would be likely to prejudice enforcement related activity of an enforcement body or it is inconsistent with a secrecy provision.
MinterEllison has a depth of experience in helping our clients assess and manage the risks from data breaches. This includes breach notification decisions and communications to the OAIC and affected individuals to help meet existing data security obligations under the Privacy Act and advice on managing the broader impacts of data breaches. There is no 'one size fits all' approach, though the proposed Bill means there will be a more detailed legal framework within which to make the assessments and conduct notification. Additional guidelines from the Information Commissioner on key concepts should help to support the assessment and notice process. All relevant entities should have a data breach response and notification plan which they should start reviewing in light of their potential new obligations. We can assist with that process.