There have been exciting developments in Australia’s privacy regulation, the latest of which is the new mandatory data breach reporting legislation. The Office of the Australian Information Commissioner (OAIC) has also issued a guide on big data and the Australian Privacy Principles, which was first released in draft form in May 2016.
Mandatory breach reporting
Mandatory breach reporting has had a long gestation in Australia. Bills were introduced in 2013, in the final days of the last Australian Labor Party government, and lapsed with the change of government. In 2014, a private member’s bill was introduced and then deferred at the committee stage. In 2015, the Parliamentary Joint Committee on Intelligence and Security recommended that mandatory data breach reporting legislation be introduced. Then, third time lucky: on 19 October 2016, following an extensive consultation period, the Privacy Amendment (Notifiable Data Breaches) Bill was introduced. The bill received royal assent on 22 February 2017 and comes into force 12 months later, on 22 February 2018.
In broad terms, the Act requires notice to be given to affected individuals and to the Australian Information Commissioner following the loss of, or unauthorised access to or disclosure of, personal information.
The breach reporting requirement applies to all private sector organisations and government agencies already regulated by the Australian Privacy Act (so the existing exemptions for employee records and for small businesses carry over). It also extends to:
- credit reporting bodies (credit bureaus) such as Veda, Experian and Dun & Bradstreet;
- credit providers – lenders, utilities and other entities that supply credit reporting information to those credit bureaus; and
- tax file number recipients – every taxpayer has a tax file number, and entities that hold one are not permitted to use it as an identifier; they too will be subject to the mandatory data breach notification requirements.
What is a Data Breach?
The legislation defines an “eligible data breach” (the kind of breach that must be notified) as:
- unauthorised access to, or unauthorised disclosure of, relevant information; or
- loss of relevant information in circumstances where unauthorised access to or unauthorised disclosure of it is likely to occur;
where a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
It sets out the factors that must be taken into account in deciding whether a reasonable person would conclude that serious harm is likely, including:
- the kinds of information involved and its sensitivity;
- whether the information is protected by security measures, or by technology designed to make it meaningless to unauthorised persons (such as encryption), and if so the likelihood of those measures being overcome – encrypted data whose key was exposed in the same incident, for example, offers little protection;
- the persons, or kinds of persons, who could obtain the information; and
- the nature of the harm.
A recent example illustrates how this definition might work. Australia’s largest blood collection agency is the Australian Red Cross Blood Service. From 5 September to 25 October 2016, approximately 1.3 million blood donor records were accessible online through the website of one of its service providers. That is an unauthorised disclosure of relevant information; the fact that it was inadvertent is irrelevant. The information disclosed falls within the “sensitive information” definition under the Australian Privacy Act, and the harm to individuals from having it made freely available could be significant. The nature and sensitivity of the information, and the harm that could arise from its unauthorised disclosure, therefore point to a reasonable person concluding that serious harm would be likely. Had the legislation been in place, the Red Cross would have been subject to the breach reporting requirement and would have had to notify the breach.
What steps are required?
The legislation sets out mechanical steps that must be taken. If an entity is aware of reasonable grounds to suspect that there may have been an eligible data breach, it is generally required to carry out an assessment within 30 days of whether there has in fact been one. If it concludes that there has, it must prepare a statement, give that statement to the Australian Information Commissioner as soon as practicable, and then notify the affected individuals.
The statement needs to:
- set out the identity and contact details of the entity that is undertaking the breach reporting;
- describe what the particular breach involves;
- describe the particular information that is the subject of the breach; and
- make recommendations about the steps individuals should take in response to the data breach.
How is the statement notified to the data subjects, that is, the people affected? If practicable, the statement is given to individuals directly, in one of two ways: the notification can go to all individuals whose information has been compromised, or it can be limited to those individuals who are at risk of serious harm from the compromise of their information. If neither is practicable, the statement must be published on the entity’s website and the entity must take reasonable steps to publicise its contents.
Importantly, organisations need to have a proper data breach response plan in place – one that covers the 30-day assessment, the statement to the Commissioner and the notification of individuals – by the time the legislation comes into effect in February 2018.