The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) introduced a Notifiable Data Breaches scheme in Australia which commenced on 22 February 2018.
The reforms aim to strengthen Australia’s privacy laws by requiring entities subject to existing obligations under the Privacy Act 1988 (Cth) (the ‘Act’) to report certain data breaches that may adversely affect an individual.
The Act applies to Australian Government agencies, businesses with an annual turnover of $3 million or greater, credit reporting bodies, and smaller entities that collect personal information such as health care providers.
The Act sets out 13 Australian Privacy Principles (APPs) which regulate how certain organisations collect, store, manage and disclose personal information. Under APP 11, entities must take reasonable steps to protect personal information from being lost, disclosed without authority, misused or modified. The reforms build upon APP 11 by imposing mandatory notification requirements for an ‘eligible data breach’.
What is an ‘eligible data breach’?
An eligible data breach happens if:
· there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
· the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
An entity must give notification of an eligible data breach:
· if it has reasonable grounds to believe that a breach has occurred; or
· if information has been lost and unauthorised access or disclosure of that information is likely to occur;
and, in either case, the breach would likely result in serious harm to the individuals to whom the information relates.
In determining whether an eligible data breach has occurred, an entity must assess whether the affected individual is at risk of serious harm. An objective approach must be used from the perspective of a reasonable person who is properly informed, and the likelihood of the harm must be more probable than not.
Serious harm may include physical, psychological, emotional, financial or reputational harm, which may be determined in consideration of:
· the type of information released;
· the level of sensitivity of the information – information regarding a person’s health, financial status, or documents that could be used for identity fraud will carry a high level of sensitivity;
· whether the information is protected by a security measure and, if so, the probability that such measures can be overcome;
· the likelihood of the recipient of the personal information using that information to cause harm to the individual;
· whether the information has any meaning to the recipient;
· the nature of the likely harm that could occur such as identity theft, threats to a person’s safety, damage to reputation, loss of business or employment opportunities;
· the circumstances of the breach.
How does an entity deal with an eligible data breach?
If a breach occurs, an entity must notify any affected individual and the Office of the Australian Information Commissioner (OAIC).
If an entity suspects a breach has occurred, it must investigate the circumstances of the possible breach within 30 days of becoming aware of it, to determine whether it is an eligible data breach.
Notification must include:
· the entity’s identity;
· details of the data breach – i.e. how the breach occurred;
· the information that is the subject of the breach;
· the recommended actions that individuals should take in response to the breach.
Notification is not required if an entity is able to quickly remedy a data breach so that it is unlikely to result in serious harm.
The form of notification will depend on the circumstances of the breach, and on whether it is practicable to identify and notify each affected individual. If individual notification is not practicable, alternative methods may be used, such as publishing a statement on the entity’s website or advertising in newspapers, online or on social media platforms.
Entities that fail to carry out the investigation and notification processes prescribed by the reforms will breach their obligations under the Act and may face civil penalties.
How might a data breach occur?
Advances in technology, sophisticated hacking devices, the prevalence of communicating via email, flexible work practices and poor data collection systems all have the potential to contribute to a data breach. Specific examples may include:
· information mistakenly provided to the wrong person, whether by email, post, facsimile or other means;
· unauthorised access to personal information that is then given to a third party, whether by an employee or contractor of the entity or externally by hacking;
· unauthorised disclosure of personal information, either intentionally or unintentionally, by an entity releasing that information to a third party;
· loss or theft of a storage device (USB, laptop) containing personal information.
Minimising risk of data breach – staying one step ahead
It is important for businesses to look at all potential risk factors within their organisation to identify strategies to minimise potential data breaches and comply with their obligations under the Act. Entities should:
· Review and, if necessary, update existing security software with the assistance of an IT professional, to ensure maximum protection.
· Implement a ‘data breach response plan’ and provide staff training on the entity’s privacy obligations and processes required in the event of a suspected data breach. Staff should be able to identify when an eligible data breach occurs using specific and plausible examples tailored to the organisation.
· Appoint a senior employee to oversee the entity’s privacy obligations, to review and implement compliance measures, and to advise on, and authorise, action in response to a data breach.
· Implement policies on how to collect, store and manage personal information and ensure staff are trained in this area. Policies should identify systemic problems when collecting and handling information and set out appropriate solutions.
· Encourage staff to immediately report actual and potential data breaches with policies that focus on mitigation and future prevention, ahead of blame.