BY SARAH CAMM
Amendments to the Privacy Act 1988 (Cth) are now in effect, introducing a mandatory notification scheme for data breaches.
What are the changes?
The scheme imposes notification and reporting obligations upon APP entities where they know or suspect there has been an eligible data breach, that is, a data breach involving personal information that is likely to result in serious harm to any individual affected.
So let’s unpack this a little.
The obligation imposed is to prepare a statement to report the breach to the Office of the Australian Information Commissioner (OAIC) and notify any individual affected. If it is not practical to notify individuals, the statement must be published on the entity’s website.
The scheme applies to organisations and federal government agencies subject to the Privacy Act, which include:
- NGOs, government agencies and businesses with an annual turnover of $3 million;
- Credit reporting bodies that hold credit information;
- Health service providers who hold personal information; and
- Tax file number recipients.
Know or suspect
The obligations under the amendments arise when the entity has reasonable grounds to suspect that there may have been an eligible data breach, even if there are not reasonable grounds to believe that the circumstances amount to an eligible data breach. The obligation on the entity in these circumstances is to commence and carry out an assessment within thirty days.
There are three main circumstances:
- Unauthorised disclosure: where an entity (including by its employee) makes information accessible or visible to a third party, whether intentionally or not.
- Unauthorised access: may be where a third party contractor or other person accesses information they are not permitted to access. This includes instances of hacking.
- Loss: for example where a phone, USB, file or hard drive is left on a bus, particularly if there is no password or encryption on the device, so that unauthorised disclosure or access is likely.
Likely to result
The risk of serious harm must be higher than a possible risk; it must be more probable than not.
This criterion is assessed objectively: the question is whether a ‘reasonable person’ standing in the position of the entity, with the knowledge of the entity (not of the affected person), would consider that serious harm is more probable than not.
This depends on the nature of the information and, in a broad sense, the type of person the information may relate to. The entity is not, however, required to make external enquiries of the individuals affected.
For example, if the addresses of clients of a domestic violence victims support group are involved in a data breach, the entity would be aware that the persons involved are likely to be victims of domestic violence and therefore are likely to be at risk of serious harm where this information is disclosed.
While ‘serious harm’ is not defined in the Act, it is likely to include physical, psychological, emotional, financial or reputational harm.
The Act contains a list of relevant matters to assist an entity in evaluating whether serious harm is likely, including:
- The type/sensitivity of information involved, for example:
  - Health/personal information;
  - Documents that could be used for identity fraud;
  - Location/contact information;
- Whether there are any security measures protecting the information (such as encryption, passwords on phones and devices, codes), and the likelihood of these security measures being overcome;
- The identity or class of persons who have obtained / might obtain the information and the likelihood that they want to cause harm;
- The nature of possible harm; and
- Any other relevant matters.
Any individual affected
As discussed above, the entity is not required to look into the particular circumstances of the persons whose information may be compromised; however, it is expected to make general enquiries to determine the matters outlined above. All of these matters, including the type of information, how long it was available and who accessed it, are relevant.
The more people whose information was accessed and who may be affected by the breach, the higher the likelihood that one person will suffer serious harm.
Are there any exceptions?
There are a number of exemptions, most importantly that notification will not be required if the entity takes action to prevent serious harm before it is caused.
What are the penalties for non-compliance?
Failure to comply is considered an interference with the privacy of an individual and substantial penalties apply for entities who fail to comply with their reporting obligations. The OAIC can investigate complaints and, in the case of serious or repeated instances of non-compliance, apply to the Court for civil penalties of up to $2.1 million.
Is your business ready for the new Data Breach Notification laws? Do you need help evaluating a breach or drafting a compliant Statement to notify the OAIC and affected individuals? Just Us Lawyers can help your business organisation put policies into place to reduce the likelihood of Data Breaches and to help you evaluate and respond to a Data Breach if it occurs.