Front of mind for the Report’s authors was the need to review the requirements regarding security and the retention of personal information, in light of recent high profile data breaches in Australia. They were also focused on addressing issues that have occurred in the reporting of those breaches.
Security requirements
In part, the proposals are aimed at providing greater clarity to entities about the measures that are considered to be 'reasonable steps' to protect personal information, and ensuring there is a more consistent implementation of foundational information security controls. To that end, the Report proposes to amend APP 11.1:
- to state that 'reasonable steps' include technical and organisational measures. This amendment reflects the GDPR equivalent requirements as well as current industry practices; and
- to include a non-exhaustive set of outcomes-based security factors (perhaps using the ACSC’s Cyber Security Principles as a starting point, but subject to industry consultation to determine what these factors might be).
These amendments would also be supported by enhanced OAIC guidance on what constitutes 'reasonable steps' to secure personal information.
In addition, to address the risks associated with de-identified information (as discussed in section 2 on The definitions of personal, sensitive and de-identified information, above), the requirements of APP 11.1 would be extended to de-identified information.
Retention of personal information
It is not uncommon for entities to retain personal information – sometimes for long periods of time – without necessarily considering their need to do so. However, as we have seen in recent data breaches, this practice can be risky, since it may enable threat actors to gain access to troves of personal (and perhaps even sensitive) information. The Report aims to address this issue through a range of proposals:
- enhanced OAIC guidance on APP 11.2, to more clearly articulate the steps that are considered 'reasonable' to destroy or de-identify personal information, noting that APP 11.1 would also apply to de-identified (i.e. not just personal) information;
- the Government to undertake a review of all legal provisions that require retention of personal information, and determine if they remain appropriately balanced with privacy and security objectives. This will no doubt be a significant endeavour, particularly if it were to result in amended retention requirements across an array of legislation. Therefore, entities should not expect changes to retention requirements in the short term; and
- amend APP 11 to require entities to establish their own minimum and maximum retention periods (and specify these in their privacy policy), and to ensure personal information is destroyed or de-identified in accordance with these requirements.
In respect of the last proposal, the information mapping exercise referred to in section 1, Overarching new concepts, above, will assist entities to understand the full range of personal information that they hold, and when retention of that information will no longer be required for a lawful purpose.
Data breaches
In light of the significantly shorter timeframes for organisations to report data and cyber breaches under other Australian laws (such as under the security of critical infrastructure laws and the APRA CPS 234 requirements) and overseas laws (such as the GDPR), it is not surprising that the Report proposes to significantly reduce the timeframe for reporting a privacy breach to the OAIC – to 72 hours.
While the proposal will assist entities that are subject to other (stricter) reporting obligations to streamline their reporting, for many other entities, compliance with this requirement will necessitate significant operational change. The proposal also potentially raises issues, especially for individuals, who may receive multiple notifications as a cyber security incident evolves and more information comes to light. Although the amendment would allow for some flexibility in the timing of notices to individuals, this approach may be confusing for individuals if entities are required to notify early, causing them unnecessary angst.
The content of a breach notice would also be updated to include (if appropriate) the steps taken to reduce any adverse impacts on the affected individuals, with further consideration given to an express requirement on entities to prevent or reduce harm that is likely to result from a data breach.
The Report also highlights the need to undertake further work to streamline the reporting process, including to assist the OAIC and entities with multiple reporting obligations. The Attorney-General would also be permitted (with appropriate safeguards) to share information with appropriate entities to reduce the risk of harm in the event of an eligible data breach.
Finally, following the introduction of the limited controller-processor concept (discussed in section 3, Partial removal of exemptions, above), the distinction would operate so that only the 'controller' will be responsible for notifying individuals, but the 'processor' will prepare the statement and notify the OAIC. (This proposal operates in the opposite manner to the regime under the GDPR, pursuant to which the controller manages all of the notification requirements.) If neither party notifies the OAIC, both parties will be in breach of the notification requirements.
Whilst on its face this proposal will be helpful, there could be situations in which confusion arises, particularly if a processor assesses the breach is an eligible data breach and notifies the OAIC, but the controller does not agree with the assessment and refuses to notify affected individuals. In addition, entities that are subject to both the Australian Privacy Act and the GDPR will need to operationalise these differing notification obligations.