Privacy Act Update
Introduction of Mandatory Notifiable Data Breaches
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) introduced a Notifiable Data Breaches scheme (‘NDB Scheme’) in Australia which commenced on 22 February 2018.
The NDB Scheme aims to strengthen Australia’s privacy laws by requiring all agencies and organisations that already have personal information security obligations under the Privacy Act 1988 (Cth) (the ‘Act’) to notify certain data breaches.
The Act applies to most Australian Government agencies, businesses with an annual turnover of more than $3 million, private health service providers and some small businesses (‘APP Entities’).
The Act sets out 13 Australian Privacy Principles (APPs) which regulate how APP Entities collect, store, manage and disclose personal information. Under APP 11, APP Entities must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. The NDB Scheme adds mandatory notification requirements for an ‘eligible data breach’.
What is an ‘eligible data breach’?
An eligible data breach happens if:
• there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an APP Entity;
• the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates; and
• the APP Entity has not been able to prevent the likely risk of serious harm through remedial action.
An APP Entity must notify an eligible data breach where:
• it has reasonable grounds to believe that an eligible data breach has occurred; or
• information has been lost in circumstances where unauthorised access to, or disclosure of, that information is likely to occur;
and, in either case, the breach would be likely to result in serious harm to the individuals to whom the information relates.
In determining whether an eligible data breach has occurred, an APP Entity must assess whether the affected individuals are likely to suffer serious harm. The assessment is objective, made from the perspective of a reasonable person who is properly informed, and ‘likely’ means more probable than not.
Serious harm may include physical, psychological, emotional, financial or reputational harm, and whether it is likely may be determined by considering:
• the type of information released;
• the level of sensitivity of the information – information regarding a person’s health, financial status, or documents that could be used for identity fraud will carry a high level of sensitivity;
• whether the information is protected by a security measure (for example, encryption) and, if so, the probability that the measure can be overcome;
• the likelihood of the recipient of the personal information using that information to cause harm to the individual;
• whether the information has any meaning to the recipient;
• the nature of the likely harm that could occur such as identity theft, threats to a person’s safety, damage to reputation, loss of business or employment opportunities;
• the circumstances of the breach.
How does an entity deal with an eligible data breach?
If an eligible data breach occurs, an APP Entity must notify any affected individual and the Office of the Australian Information Commissioner (OAIC).
If an APP Entity suspects that an eligible data breach may have occurred, it must carry out a reasonable and expeditious assessment of the circumstances to determine whether it is an eligible data breach, and must take all reasonable steps to complete that assessment within 30 days of becoming aware of the grounds for suspicion.
Notification must include:
• the APP Entity’s identity and contact details;
• a description of the eligible data breach, including how it occurred;
• the kinds of information concerned;
• the steps the APP Entity recommends that individuals take in response to the breach.
Notification is not required if an APP Entity is able to quickly remedy a data breach so that it is unlikely to result in serious harm.
The form of notification will depend on the circumstances of the eligible data breach and on whether it is practicable to identify and notify each affected individual. If individual notification is not practicable, alternative methods may be used, such as publishing a statement on the APP Entity’s website and advertising in newspapers, online or on social media platforms.
APP Entities that fail to carry out the assessment and notification processes prescribed by the NDB Scheme breach their obligations under the Act and may face civil penalties.
How might a data breach occur?
Advances in technology, increasingly sophisticated attack tools, the prevalence of communicating by email, flexible work practices and poorly designed data collection systems all have the potential to contribute to a data breach. Specific examples include:
• information mistakenly provided to the wrong person, whether by email, post, facsimile or other means;
• unauthorised access to personal information, whether by an employee or contractor of the entity or by an external attacker;
• unauthorised disclosure of personal information, either intentionally or unintentionally, by an entity releasing that information to a third party;
• loss or theft of a storage device (USB drive, laptop) containing personal information. Whether the data on the device was encrypted bears directly on whether serious harm is likely, and therefore on whether the loss is an eligible data breach.
Minimising risk of data breach – staying one step ahead
It is important for APP Entities to look at all potential risk factors within their organisation to identify strategies to minimise potential data breaches and comply with their obligations under the Act. APP Entities should:
• review and, where necessary, update existing security software and controls with the assistance of an IT professional, including encryption of portable devices, since the likelihood of serious harm depends in part on whether lost or accessed information was protected.
• implement a ‘data breach response plan’ and train staff on the entity’s privacy obligations and on the steps to take when a data breach is suspected. Staff should be able to recognise an eligible data breach, using specific and plausible examples tailored to the organisation.
• appoint a senior employee to oversee the entity’s privacy obligations, review and implement compliance measures and to advise on, and authorise action in response to a data breach.
• implement policies on how personal information is collected, stored and managed, and ensure staff are trained in them. Policies should identify systemic problems in collecting and handling information and set out appropriate solutions.
• encourage staff to report actual and suspected data breaches immediately, with policies that focus on mitigation and future prevention rather than blame. Prompt internal reporting matters because the 30-day assessment period runs from when the entity becomes aware of the grounds for suspecting a breach.
As technology advances, the potential for personal information to be stolen, misused and disseminated increases. Business owners and managers must play their part by implementing genuine measures to protect their customers’ personal information.
Breach of privacy can have significant consequences for an individual and the APP Entity.
Businesses that are exempt from the Act are also encouraged to familiarise themselves with the obligations under the Act and the NDB Scheme, to assist in developing processes that reflect best practice for the collection and management of personal information.
If you or someone you know wants more information or needs help or advice, please contact us on 61 2 9212 1099 or email firstname.lastname@example.org.