Australia: Mandatory data breach notification to commence – Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), which amends the Privacy Act 1988 (Cth) (Privacy Act) was passed on 22 February 2017 and will commence on a date to be proclaimed within 12 months.

The amendments will apply to all organisations which are subject to the Privacy Act, including private sector health care providers who collect, use and disclose health information.

Health care providers must update their privacy policies and procedures now in preparation for the new changes, including internal monitoring and reporting of data breaches and procedures to deal with data breaches. Maintaining the status quo is no longer an acceptable option.

Examples of unauthorised access to, unauthorised disclosure of, or loss of, personal information include:

• Malicious breach of security – e.g. cyber security incident
• Accidental loss of IT equipment or hard copy documents
• Negligent of improper disclosure of information

Penalties for serious or repeated interference with Privacy under the Privacy Act are up to $1.8 million for a corporation or $360,000 for an individual.

The amendments set up a scheme for notification of "eligible data breaches".

What are your obligations concerning the security of personal information?

Under Australian Privacy Principle 11, an entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorized access, modification or disclosure.

Where an entity no longer needs personal information for any purpose for which the information may be used or disclosed in accordance with the Australian Privacy Principles, the entity must take reasonable steps to destroy the information or ensure that it is de-identified.

What is an "eligible data breach"?

An "eligible data breach" happens if:

1. both of the following conditions are satisfied:
2. 1. there is unauthorised access to, or unauthorised disclosure of, the information;
   2. a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or

2. the information is lost in circumstances where:
3. 1. unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
   2. assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.³⁶

There is an exception for remedial action if the entity takes remedial action before access or disclosure results in serious harm to any of the individuals to whom the information relates and as a result a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.³⁷

Matters to consider when determining whether or not the disclosure would result in serious harm

In determining whether a reasonable person would conclude that access to, or a disclosure of information would or would not be likely to result in serious harm to the individual to which the information relates, regard should be had to the following:

• the kind or kinds of information;
• the sensitivity of the information;
• whether the information is protected by one or more security measures;
• if the information is protected by one or more security measures — the likelihood that any of those security measures could be overcome;
• the persons, or the kinds of persons, who have obtained, or who could obtain, the information;
• if a security technology or methodology:
• • was used in relation to the information; and
  • was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information;
• the likelihood that the persons, or the kinds of persons, who:
• have obtained, or who could obtain, the information; and
• have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates;
• have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology;
• the nature of the harm;
• any other relevant matters.³⁸

Whilst serious harm is not defined in the Privacy Act, the Guidelines mentioned below includes examples of harm as including reputational damage, loss of assets, financial disclosure, extortion and legal liability.

Examples of serious harm could include:

• Unauthorised disclosure of credit card details which could be used fraudulently.
• Unauthorised loss or disclosure of health records which can adversely impact upon the mental health and reputation of an individual or family court proceedings.

Assessment of suspected eligible data breaches

An entity must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach and take all reasonable steps to ensure that the assessment is completed within 30 days after the entity becomes aware.³⁹

Notification requirements

If there are reasonable grounds to believe that there has been an eligible data breach, then the entity must, as soon as practicable it becomes aware:

• prepare a statement that complies with the Privacy Act; and
• give a copy of the statement to the Office of the Australian Information Commissioner.⁴⁰

The statement must set out:

• the identity and contact details of the entity;
• a description of the eligible data breach that the entity has reasonable grounds to believe has happened;
• the kind or kinds of information concerned;
• recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened; and
• if the breach if of one or more entities, the identify of those other entities.⁴¹

If practical, the entity must notify the content of the statement to each of the individuals to whom the relevant information relates and/or individuals who are at risk from the eligible data breach.

Otherwise, the entity must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.⁴²

Guidelines

The Office of the Australian Information Commissioner has previously published a Data Breach Notification Guide: A Guide to Handling Personal Information Security Breaches which will be updated ahead of the amendments:

Footnotes

³⁶ Section 26WE(2) Privacy Act 1988 (Cth)

³⁷ Section 26WF Privacy Act 1988 (Cth)

³⁸ Section 26WG Privacy Act 1988 (Cth)

³⁹ Section 26WH Privacy Act 1988 (Cth)

⁴⁰ Section 26WK(2) Privacy Act 1988 (Cth)

⁴¹ Section 26WK(3) Privacy Act 1988 (Cth)

⁴² Section 26WL Privacy Act 1988 (Cth)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.