With Australia finally set to have its own notifiable data breaches (NDB) scheme from 22 February 2018, the regulatory landscape for entities subject to the Privacy Act 1988 (Cth) is set to change significantly. The Office of the Australian Information Commissioner (OAIC) will play a critical role in the scheme, receiving notifications of eligible data breaches, encouraging compliance with the scheme, providing advice and guidance to regulated entities and enforcing compliance.
Veronica Scott, head of our national privacy team, was delighted to ask Mr Timothy Pilgrim, Australian Information Commissioner and Australian Privacy Commissioner, for his thoughts on Australian entities' readiness for the commencement of the NDB scheme.
Q&A with Mr Timothy Pilgrim
Over the last 12 months the OAIC has been helping the Australian public and private sectors prepare for the start of the NDB scheme. How have entities responded during this time and do you believe they are prepared to meet their new obligations?
The NDB scheme establishes mandatory data breach notification obligations for entities with personal information security requirements under the Privacy Act. The obligations of the NDB scheme are neither exceptional nor unexpected. In fact, they formalise existing community expectations. In our 2017 Australian Community Attitudes to Privacy Survey, 94 per cent said they should be told if a business loses their personal information, and 95 per cent said the same in relation to government agencies. This shows close to unanimous support for the requirements of the NDB scheme.
Because there is an expectation of transparency when a data breach occurs, the perception that an entity has concealed a serious data breach can have a severe impact on the entity’s reputation. This is likely the reason the OAIC has seen an upward trend in the number of data breach notifications received by our office over the last few years, despite there being no legislative requirement to notify before the commencement of the NDB scheme.
There is also a trend in privacy regulation internationally towards establishing data breach reporting requirements, with a significant example being the mandatory reporting requirements of the European Union’s General Data Protection Regulation. As a result, a greater number of entities can be expected to have data breach notification processes in place.
The trifecta of ‘know your data’, ‘have an incident response plan in place’ and ‘provide regular staff training and awareness’ is the gold standard of organisational cyber security. Which of these do you think entities are struggling with most?
These components are all key to establishing and maintaining privacy and security best practice; however, in our experience, knowing your data can have the biggest impact on ensuring entities are across all three components.
If an entity knows what information it holds, who handles it, who is responsible for it, where it is held, and how it is protected, then the entity can ensure its data breach response plan is as effective as possible. Knowing and documenting information holdings means that an entity can more accurately appreciate its risk profile and monitor for possible breaches. This can also help entities identify the cause of a data breach if one occurs, and therefore enable them to reduce the risk of reoccurrence. Further, understanding potential risks can help entities develop targeted and comprehensive data breach mitigation strategies.
Knowing your data, especially who handles particular information and the nature of that information, can also help an entity customise staff training and awareness according to its risk profile and areas of need.
Cyber attacks are a key risk for all entities and ransomware attacks in particular are on the rise. What do you believe the broader impact is of entities agreeing to pay ransoms to retrieve their data?
To minimise their vulnerability to cyber-attacks, including ransomware, all entities should ensure they have robust cyber security measures in place to protect the personal information that they hold.
Australian Privacy Principle 11 requires entities to take reasonable steps to protect personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. The OAIC’s Guide to Securing Personal Information sets out our expectations about the ‘reasonable steps’ an entity could take to protect the personal information it holds. Entities should ensure they foster a privacy and security aware culture, such as through staff training and awareness exercises, and should regularly review the ICT security measures they have in place to protect against external and internal threats. In the context of ransomware, key ICT security measures include application and network patching against known vulnerabilities.
As well as the OAIC’s guidance, entities should consult other resources on identifying and protecting against key cyber security risks. In particular, the Australian Signals Directorate publishes a list of eight key Strategies to Mitigate Cyber Security Risks, known as the “Essential Eight”. CERT Australia has a range of resources that explain and provide mitigation strategies for a number of common cyber security threats, including ransomware.
However, even entities with a high standard of data security practices and processes can experience a cyber-attack. That is why it is essential to be prepared with a data breach response plan, which should clearly outline procedures and lines of authority to contain the breach, meet any legislative obligations, and reduce the risk of harm to affected individuals. Having a data breach response plan can also improve recovery time following a breach or attack, and help safeguard an entity’s operations and reputation. We have published a range of guidance on our website that may assist entities in developing their own data breach response plan.
Will the OAIC be publishing the names of entities who lodge statements notifying that they have experienced an eligible data breach?
We will publish statistical information on the NDB scheme in the first 12 months of its implementation. This information will provide valuable insight, for entities and the broader community, into the risks to personal information security. This approach to publication is in line with jurisdictions with similar mandatory data breach reporting requirements, including the United Kingdom.
The OAIC will review the information the office publishes on the NDB scheme following the first year of the scheme to evaluate whether a different approach to publication would be more beneficial to either entities or the Australian community.
If regulatory action is taken in response to a notification, the usual principles of the OAIC’s Privacy regulatory action policy will apply. This includes information about the OAIC’s communications approach to conciliations, investigations, data breach notifications, CIIs, or the exercise of investigative powers.
What level of notification are you expecting to see in the early stages of the scheme? Do you expect entities to continue voluntarily notifying data breaches that are not eligible data breaches, in order to meet their obligations under APP 11.2?
It is difficult to predict exactly how many notifications the OAIC will receive once the NDB scheme comes into force, but we can expect a significant increase in the number of notifications we currently receive voluntarily, based on the experience of other jurisdictions.
For example, the Netherlands introduced a mandatory data breach reporting scheme in January 2016, which requires notification when there is a considerable likelihood of the breach having serious adverse effects on the privacy of the affected individuals. In the first 100 days of the scheme, the Dutch Data Protection Authority dealt with over 1,000 notifications, which is about ten times the number the OAIC currently receives in a year on a voluntary basis.
Regulated entities must notify my Office under Part IIIC of the Privacy Act if a data breach is likely to result in serious harm; otherwise, there is no requirement to notify my Office unless the mandatory reporting requirements relating to the My Health Records Act 2012 or National Cancer Screening Register Act 2016 apply.
However, there may be instances where entities wish to notify affected individuals of a data breach that is not an ‘eligible data breach’. I encourage entities to notify individuals affected by a data breach that falls outside the scope of the NDB scheme when notification would benefit the individuals (such as by reducing their risk of potential harm). However, entities should also be aware of the risk of over-notifying individuals about non-serious data breaches, resulting in ‘notification fatigue’.
There has been much discussion about how the period in which a suspected eligible data breach must be assessed is calculated. Can you provide an insight into your approach to this challenging aspect of the new scheme?
The requirement to conduct an assessment is triggered when an entity is aware that there are reasonable grounds to suspect an eligible data breach. Whether an entity is ‘aware’ of a suspected breach is a factual matter in each case, having regard to how a reasonable person who is properly informed would be expected to act in the circumstances.
For instance, an assessment should be done if a person responsible for compliance, or personnel with appropriate seniority, are aware of information that suggests an eligible breach may have occurred. An entity should not unreasonably delay an assessment, for instance by waiting until its CEO or board is aware of information that would trigger reasonable suspicion of a breach.
An assessment of a suspected data breach must be ‘reasonable and expeditious’. It is expected that entities have practices, procedures, and systems in place to comply with their information security obligations under APP 11, enabling suspected breaches to be promptly identified, reported to relevant personnel, and assessed if necessary.
Generally, entities have 30 calendar days to conduct this assessment. However, entities should treat this as a maximum time limit and endeavour to complete the assessment in a much shorter timeframe so that any risks of serious harm to individuals are addressed as quickly as possible.
If during the course of an assessment it becomes clear that there has been an eligible breach, then the entity must promptly notify affected individuals and my Office, regardless of whether the assessment has formally concluded.
If an entity cannot reasonably complete an assessment within 30 days, it is recommended that the entity document the steps taken to ensure the assessment was ‘reasonable and expeditious’, and the reasons for any delay.
The OAIC has a resource on conducting assessments of suspected eligible data breaches.
What do you expect to be the positive effects of the NDB scheme on privacy and data protection in Australia, and where do you think Australia will sit compared to other countries in terms of the adequacy of its data protection laws once the scheme commences?
The NDB scheme has the practical benefit of providing individuals with the opportunity to protect their personal information after a data breach, such as by changing the password to compromised online accounts. This can reduce individuals’ risk of experiencing harm as a result of a breach.
As a transparency measure, the NDB scheme also reinforces entities’ accountability for the personal information they hold. In doing so, it encourages a higher standard of personal information security and governance across industries, and engenders greater community and consumer trust in data handling.
The objectives of the NDB scheme are mirrored in developments in privacy regulation in other jurisdictions, including the European Union’s (EU) General Data Protection Regulation (GDPR), which incorporates mandatory data breach reporting requirements. This demonstrates that the NDB scheme follows the trajectory for privacy regulation that we are seeing unfold, which emphasises accountability and transparency in personal information management.
How do you see the new Australian and European data breach notification schemes aligning for Australian entities that are subject to the new General Data Protection Regulation?
Of course, entities operating in other jurisdictions will need to carefully consider the requirements of other mandatory data breach notification schemes, as well as the Australian requirements. However, the broadly complementary nature of the Australian scheme and similar schemes internationally may mean that the practices and processes entities have in place to manage and respond to a data breach may support compliance across regulatory jurisdictions.
Do you believe Australian entities have improved their approach to cyber resilience in the past few years?
Numerous high profile data breaches in recent years have spurred greater awareness across industries of the importance of both personal information security measures and a strategy for when a data breach occurs. Ensuring a high standard of personal information security can reduce the risk of a data breach occurring. However, as mentioned previously, even entities with a high standard of personal information security can experience a data breach. An entity’s success in mitigating the potential negative impact of a breach will depend on how prepared it is to manage the incident.
About Mr Timothy Pilgrim
Australian Information Commissioner and Australian Privacy Commissioner
Timothy Pilgrim has been a senior privacy professional for over 20 years. After joining the OAIC in 1998, he has played a key role in driving some of Australia's most significant privacy reforms.
The OAIC has finalised and published practical and useful resources to help entities prepare their data breach response plan and respond to an NDB.
MinterEllison has also published reviews and guides on the various obligations in the NDB scheme and OAIC resources. We will soon be publishing further tips and commentary for entities still considering their obligations or with particular concerns.
Our national privacy team can help you prepare to comply with the NDB scheme and related obligations under the Privacy Act.