There have been exciting developments in Australia's privacy regulation, the latest of which is the new mandatory data breach notification legislation. The Office of the Australian Information Commissioner (OAIC) has also issued a guide on big data and the Australian Privacy Principles, released in draft form in May 2016.
Mandatory breach reporting
Mandatory breach reporting has had a long gestation in Australia. Bills were introduced in 2013, in the dying days of the last Australian Labor Party government, and lapsed with the change of government. In 2014, a private member's bill was introduced and was deferred to the committee stage. In 2015, the Parliamentary Joint Committee on Intelligence and Security recommended that mandatory data breach notification legislation be introduced.
Then, third time lucky. On 19 October 2016, following an extensive consultation period, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 was introduced. The Bill received royal assent on 22 February 2017 and commences 12 months later, on 22 February 2018.
In broad terms, the Act requires an entity to notify affected individuals and the Australian Information Commissioner following the loss of, or unauthorised access to or unauthorised disclosure of, personal information it holds, where the breach is likely to result in serious harm.
The notification requirement applies to the entities already regulated by the Privacy Act: Australian Government agencies and private sector organisations. Small businesses and employee records are not regulated by the Privacy Act and so fall outside it. The requirement also extends to:
credit bureaus like Veda, Experian, Dun & Bradstreet;
credit providers – organisations who are lenders, utilities and other entities who provide credit reporting information to these credit bureaus; and
tax file number recipients. Every taxpayer has a tax file number; entities that hold one are not allowed to use it as a general identifier and will be subject to the notification requirements in respect of it.
What is a Data Breach?
The legislation defines an "eligible data breach" (that is, a breach that must be notified) as:
Unauthorised access to or unauthorised disclosure of relevant information; or
loss of relevant information in circumstances where unauthorised access to or unauthorised disclosure of the information is likely to occur; and, in either case,
where a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
It sets out factors to which regard must be had in determining whether a reasonable person would conclude that serious harm is likely, including:
the kinds of, and sensitivity of, information;
whether the information is protected by security measures (for example, encryption or another technology designed to make the information unintelligible or meaningless to unauthorised persons) and, if so, the likelihood of those measures being overcome, including whether the persons who obtained the information could also obtain the keys or other means of circumventing them;
the persons, or kinds of persons, who have obtained or could obtain the information; and
the nature of the harm.
The Act also excludes a breach where the entity takes remedial action quickly enough that a reasonable person would conclude serious harm is no longer likely. A practical consequence is that an organisation that can show lost data was strongly encrypted and that the keys were not compromised may be able to conclude that no eligible data breach has occurred, but it should document that assessment and the evidence behind it, because the reasonableness of the conclusion is what the Commissioner will test.
A recent example illustrates how this definition would work. Australia's largest blood collection agency is the Australian Red Cross Blood Service. Between 5 September and 25 October 2016, a file containing approximately 1.3 million blood donor records was accessible online through a web server belonging to one of its service providers. That is an unauthorised disclosure of relevant information; the fact that it was inadvertent is irrelevant. The information disclosed (including health-related answers given by donors) falls within the "sensitive information" definition under the Australian Privacy Act, and the harm that could result from it being freely available could be significant. The nature and sensitivity of the information, and the harm that could arise from its unauthorised disclosure, mean a reasonable person would conclude that serious harm was likely. Had the legislation been in force, the Red Cross would therefore have been subject to the notification requirement and would have had to notify the breach.
What steps are required?
The legislation sets out certain mechanical steps. If an entity is aware of reasonable grounds to suspect that there may have been an eligible data breach, it is generally required to carry out a reasonable and expeditious assessment, within 30 days, of whether there is in fact an eligible data breach. If it concludes that there is, the entity has to prepare a statement, give that statement to the Australian Information Commissioner as soon as practicable, and then notify the affected individuals.
The statement needs to:
set out the identity and contact details of the entity that is undertaking the breach reporting;
describe what the particular breach involves;
describe the kind or kinds of information concerned; and
make recommendations about the steps individuals should take in response to the data breach.
How is the statement notified to the data subjects, the people who are affected? If practicable, the contents of the statement must be given to individuals directly, and there are two ways of doing this: notify all individuals whose information has been compromised, or notify only those individuals who are at risk of serious harm from the compromise of their information. If neither is practicable, the statement must be published on the entity's website and the entity must take reasonable steps to publicise its contents.
Importantly, organisations need to have a tested data breach response plan in place by the time the legislation comes into effect in February 2018, so that the 30-day assessment window can actually be met.
The OAIC big data guide
The Office of the Australian Information Commissioner's guide on big data and the Australian Privacy Principles was released in draft form in May 2016. Comments have been received on the draft; it has not yet been finalised.
The guide adopts Gartner's definition of big data as high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight, decision making, and process automation.
It states that de-identification should be considered as a way of reducing privacy risk, and that any de-identification should be subject to an appropriate risk assessment, including a privacy impact assessment, because data that appears de-identified can sometimes be re-identified when it is combined with other data sets.
The guide also makes the point that big data needs to be considered within the context of an overall privacy management framework and suggests the following steps:
Embed a culture of privacy that enables compliance, and include big data specifically in all strategic documents and privacy management plans.
Establish robust and effective privacy practices, procedures and systems, dealing with big data through privacy by design, privacy impact assessments, policies and procedures, across the full information life cycle.
Evaluate privacy practices, procedures and systems to ensure they remain effective; in other words, monitor constantly and take a "lessons learned" approach.
Enhance responses to privacy issues, continuously monitoring and changing where appropriate.
Big data and the Australian privacy principles
In Australia, the main way privacy is regulated is through the Australian Privacy Principles, or APPs, set out in the Australian Privacy Act. In the guide, the Office of the Australian Information Commissioner analyses particular APPs in the context of big data.
APP 3 provides that the collection of personal information must be reasonably necessary for one or more of the entity's functions or activities.
Organisations have to be careful to ensure that the purposes for which data is collected are limited to those reasonably necessary for the business's, or the government agency's, functions or activities. Collecting data speculatively because it might be useful for later analysis does not meet this test.
APP 3 also says that personal information must be collected directly from the individual unless it is unreasonable or impracticable to do so. As the Australian Information Commissioner points out, that raises special considerations for big data, which frequently draws on data sets acquired from third parties.
APP 5 requires entities to give a collection notice before collecting personal information, or as soon as reasonably practicable afterwards. One of the things that must be stated in the collection notice is the fact and circumstances of collection, especially where the information is collected from a third party. The guide says that for big data, organisations need to give particular consideration to how they describe the facts and circumstances of collection in the notice.
Consent needs to be very well thought through where personal information is collected, or later used or disclosed, for big data purposes. Under APP 6, use or disclosure for a purpose other than the one for which the information was collected generally requires consent, unless the individual would reasonably expect it and the secondary purpose is related (or, for sensitive information, directly related) to the primary purpose.
Under APP 7, there are strict requirements in relation to direct marketing. If any personal information is used for direct marketing, organisations need to ensure that the individual would reasonably expect it or has consented to it, that each marketing communication provides a simple means to opt out, and that opt-out requests are honoured.
Finally, the guide indicates that organisations should conduct information security risk assessments as part of a privacy impact assessment, covering things such as limiting internal access to personal information, implementing network security measures, penetration testing enterprise data warehouses, and having a data breach response plan.
EU vs Australia
What are the main differences between Australian privacy regulation, as administered by the OAIC, and the EU General Data Protection Regulation (GDPR)? In October 2016, the OAIC released a guide for Australian businesses on what they need to do to comply with the GDPR, which applies from 25 May 2018.
Under the GDPR, consent must be opt-in: pre-ticked boxes, silence or inactivity do not amount to consent. The GDPR also gives individuals a right to erasure and a right to object to processing, at any time in the case of direct marketing. Neither of these obligations exists in the Australian legislation.
Under the GDPR, a data protection impact assessment is compulsory for processing that is likely to result in a high risk to individuals, whereas in Australia a privacy impact assessment is recommended but not mandated.
In Australia, the OAIC has developed the fine distinction between a "use" and a "disclosure". A use, in this sense, is where an organisation gives information to a third party but maintains what is termed "effective control" over it. In that circumstance, even though the third party has physical possession of the information, it has not been disclosed to that party, so it is not an offshore disclosure for the purposes of the Australian Privacy legislation. This distinction has largely been driven by the need to overcome practical problems with the cloud. There is no such distinction in the EU GDPR.
Perhaps the most significant difference between EU privacy regulation generally (including the GDPR) and Australian privacy regulation is that in Australia there are no separate concepts of data processor and data controller.
In conclusion, there are significant differences between the GDPR and the Australian Privacy legislation. The OAIC guide will be a useful resource in this regard, particularly for cross-border data disclosure, which, when dealing with multinational clients, I always find to be the most vexing issue.