Australia will have a mandatory data breach notification regime within the next 12 months after the legislation passed parliament in February 2017. This was the third attempt by the Government to implement a system for entities holding personal information to notify the Office of the Australian Information Commissioner (OAIC) and customers if they have experienced a data breach.
In the face of growth of the digital economy and the ubiquity of big data collection and analytics by businesses, the legislation has undeniable practical significance.
The new laws do not differ substantially from the Government’s previous attempt in 2015, which we discussed in our blog here. However, the legislation greatly increases the practicality and enforceability of the regime. But what does the new regime mean for your business?
The Essentials of the Mandatory Data Breach Notification Regime
1. When does the regime start?
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Act) received royal assent on 22 February 2017. The Act gives the Government 12 months to specify a date for the regime to begin operation. If no date is chosen, the regime will automatically start 12 months from royal assent.
2. Who does the regime apply to?
The Act applies to APP entities governed by the Privacy Act 1988 (Cth) which are Australian Government agencies plus organisations with an annual turnover of more than $3 million. It also applies to credit providers and credit reporting bodies with credit related information and tax file number recipients.
3. When do I have to notify?
An entity must notify the OAIC and affected individuals “as soon as practicable” if the entity becomes aware that there are “reasonable grounds” to believe that an eligible data breach has occurred, or if directed to do so by the OAIC.
Where an entity suspects a data breach has occurred, it must undertake an assessment of the circumstances within 30 days to ascertain whether or not a breach has actually occurred, and therefore whether it needs to notify.
4. What is an eligible data breach?
The Act states that a data breach has occurred when there has been “unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.”
An eligible data breach giving rise to the notification obligation is one where a “reasonable person” would conclude there is “a likely risk of serious harm” to any individual affected by the data breach.
5. What is “serious harm”?
“Serious harm” is to be broadly interpreted and may include physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation. The Act sets out a non-exhaustive list of relevant factors to take into account when determining whether or not the breach is likely to result in serious harm. These include:
- The kind and sensitivity of the information;
- Whether the information is protected by security measures and if so, the likelihood that such measures could be overcome;
- The persons or kinds of persons who have or could obtain access to the information; and
- The nature of the harm.
6. Are there any exceptions?
There are various exceptions to the operation of the Act. A pertinent exception is that if remedial actions are taken to reduce harm to individuals, to such an extent that the harm is not serious, then the breach is not considered to be an eligible data breach and notification is not required.
Other exceptions include where the entity is already required to disclose the breach pursuant to the My Health Records Act 2012 (Cth) and if the notification is inconsistent with a secrecy provision in another law.
7. What if my IT service provider exposes the information?
If more than one entity holds the same personal information, a breach by one could constitute a breach by the other. However, both organisations will be taken to have complied with the notification obligations if only one entity notifies. The entities can choose who will notify.
The notification obligations will still apply even if the data breach was caused overseas by an overseas recipient of the information. The entity that disclosed the information is treated as if it still held the information itself.
8. How do I notify?
Entities must prepare a statement to notify the OAIC and affected individuals setting out the entity’s name and contact details, a description of the eligible data breach, the kinds of information concerned and recommended actions those affected should take to protect themselves. Entities have the discretion to either notify their entire database or just those they decide are at risk as a result of the breach.
The entity must take “reasonable steps” to inform customers of the breach, such as through email, phone or post. If it is impracticable to notify all affected individuals, it can publish a copy of the statement on its website and take reasonable steps to publicise the content of the statement.
9. What if I don’t notify?
Penalties for non-compliance range from less severe sanctions such as public apologies and compensation payments, up to civil penalties for “serious or repeated non-compliance”. A failure to comply with the regime can incur fines of up to $360,000 for individuals and $1.8 million for organisations.
Implications for Businesses
Businesses should use this time to ensure notification obligations are built into their data breach policies and procedures. It is also an ideal time to review how the business manages its data, take stock of its data assets, review its data protection measures including disaster recovery and incident response activities, and ensure it has systems in place to minimise the risk of a data breach in the first place.