It is the Bill that has done the rounds of Parliament and been the subject of much anticipation and commentary. Privacy nerds everywhere (read: Griffin Legal staff) were waiting with bated breath to see if the latest amendments to the Privacy Act 1988 (Cth) would be passed.
On 13 February 2017, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Notifiable Data Breaches Bill) was passed by the Senate. The Bill will become law within the next 12 months.
The Notifiable Data Breaches Bill follows persuasive reports from both the Parliamentary Joint Committee on Intelligence and Security’s Advisory and the Australian Law Reform Commission to enact such laws.
The notification scheme will require those organisations and agencies regulated by the Privacy Act 1988 (Cth) and the Australian Privacy Principles to report any “eligible data breaches” to the Australian Privacy and Information Commissioner and to notify impacted individuals as soon as possible.
In theory, this mandatory notification scheme seeks to establish a well-balanced privacy framework that provides a safer and more transparent method of dealing with data breaches.
When is notification required?
Pursuant to the Notifiable Data Breaches Bill, entities are required to notify the Australian Information Commissioner and affected individuals if there has been an “eligible data breach”. An eligible data breach occurs when:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; or
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Furthermore, an entity must give notification if:
- it has reasonable grounds to believe that an eligible data breach has happened; or
- it is directed to do so by the Commissioner.
Upon receiving the notification of an eligible data breach, the Commissioner will determine if further action is required, and can direct an agency or organisation to notify impacted individuals of the data breach.
How do you assess whether the data breach is “likely to result in serious harm”?
An individual has been the subject of an eligible data breach, and is at risk, when a reasonable person would conclude that the access to, or disclosure of, the personal information would be likely to result in serious harm to any of the individuals to whom the information relates.
Factors which may be considered in determining whether a reasonable person would conclude that an access to, or a disclosure of, information would be likely to result in serious harm to the individuals to whom the information relates include:
- the kind of information;
- the sensitivity of the information;
- whether the information is protected by one or more security measures (e.g. encryption) and the likelihood that any such measures could be overcome;
- the persons, or the kinds of persons, who have obtained, or who could obtain, the information; and
- the nature of the harm.
What is included in a notification?
The notification to the Commissioner and affected individuals must include a description of the data breach, the kind of information that has been compromised and steps the individual can take to respond to the incident.
Your next steps
The passing of the Notifiable Data Breaches Bill was welcomed by the Information Commissioner, Tim Pilgrim. In a recent media report, Mr Pilgrim noted:
“I look forward to working with government, business and consumer groups during transition to this new scheme; which will help protect the privacy rights of individuals, and strengthen community trust in businesses and agencies.”
Although the mandatory notification scheme is not yet operative, a prudent response would be to start adopting these changes now.
As noted in the Notifiable Data Breaches Bill, even if an entity acts vigilantly to reduce the harm of a potential data leak, it is not exempt from notifying. This underscores the importance of organisations and agencies being proactive in the way they handle personal information.
Accordingly, agencies and organisations should continue to take reasonable steps to make sure personal information is held securely. This includes being equipped with a clear response plan in the event of a data breach.
For assistance in developing or updating your agency's or organisation's data breach response plan, please contact Carina Zeccola.