15 December 2015

Mandatory data breach notification exposure draft legislation – Privacy Act amendments

Holding Redlich


Holding Redlich, a national commercial law firm with offices in Melbourne, Canberra, Sydney, Brisbane, and Cairns, delivers tailored solutions with expert legal thinking and industry knowledge, prioritizing client partnerships.
The exposure draft defines a serious data breach and specifies what needs to be notified, and who needs to be notified.

On 3 December 2015 the Attorney-General George Brandis released a discussion paper, a consultation draft explanatory memorandum and exposure draft legislation in relation to mandatory notification of serious data breaches.

The approach taken is similar to that of a number of overseas jurisdictions and seeks to balance the benefits of mandatory reporting against the risk of "notification fatigue" among individuals, which would undermine the intent of the law. Importantly, the exposure draft defines what a serious data breach is and then specifies what needs to be notified and to whom.

What is a serious data breach?

A serious data breach is defined as one involving personal information (including credit reporting information, credit eligibility information or tax file number information) that would put the individual to whom the information relates at "real risk of serious harm". For this purpose a new section is inserted into the Privacy Act providing that, for the purposes of this legislation, harm includes physical harm, psychological harm, emotional harm, harm to reputation, economic harm and financial harm.

Similarly, real risk is defined to mean a risk that is not a "remote" risk.

When does an organisation need to notify?

The draft legislation provides that notification is required when an entity has reasonable grounds to believe that a serious data breach has occurred. Where an entity is uncertain, it has a period of 30 days in which to assess whether there are reasonable grounds to believe that a serious data breach has occurred and, if so, to then notify.

If an organisation does not consider there has been a serious data breach but the OAIC considers that there has by virtue of complaints or other information provided to the OAIC, it may direct the entity to report the data breach.

An objective or subjective test?

In determining whether a serious data breach has occurred, the draft legislation lists matters that may be taken into consideration. These include the persons, or kinds of persons, who have obtained or could obtain the information, and whether the information is in a form intelligible to an ordinary person. In assessing intelligibility, it must be assumed that the person has access to software or other technology that is publicly available and commonly used. Accordingly, the strength of any encryption applied to the information, and whether it could readily be broken with such tools, is one of the relevant matters to take into consideration; on that test, encrypted information whose decryption key was also exposed would be intelligible.

What must a notice include?

Throughout the commentary and in the legislation there is an assumption that the OAIC will provide guidance to entities in relation to this legislation. This is consistent with the way in which the amendments to the Privacy Act were passed in 2012 but did not come into operation until 2014.

The content of the notification an entity must make is specified in section 26WB. In relation to mitigating the harm to affected individuals, it includes the nature of the steps being taken, how quickly those steps have been taken or will be taken, and the extent to which those steps will mitigate, or are likely to mitigate, the harm.

When is it likely to apply?

The first hurdle is for the legislation to retain its form after the consultation period, open until 4 March 2016, ends.

Assuming that the legislation proceeds as outlined, the exposure draft states it will commence on a date to be proclaimed or one year from the date it is passed into law. Accordingly, it is unlikely to apply before 2017.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.
