Following the passage of the mandatory data breach notification bill through Parliament on 13 February 2017, many Australian businesses will soon need to notify the Office of the Australian Information Commissioner (OAIC) and potentially affected individuals of “eligible data breaches.” This brings Australian law into line with developments internationally, where a number of European jurisdictions and US states have already enacted mandatory data breach notification laws. In light of the new law, organisations that must comply with the Privacy Act should consider preparatory compliance measures such as adopting a data breach response plan and improving their training, systems and practices.
The Mandatory Data Breach Notification Laws in Brief
The new regime obliges an APP entity to notify affected individuals and the Australian Information Commissioner of an eligible data breach affecting personal information, credit information or tax file numbers where the entity has reasonable grounds to believe that such a breach has occurred. An eligible data breach arises where there is unauthorised access to, unauthorised disclosure of, or loss of this information and the access, disclosure or loss is likely to result in serious harm to any of the individuals concerned (s 26WE(2)). An entity that contravenes its notification obligations commits an interference with the privacy of an individual and, where that interference is serious or repeated, faces civil penalties of up to $1.8 million for an organisation (s 13G; see Enforcement below). There are several common sense exceptions embedded in the new law, including a remedial action exception, a law enforcement exception, declarations by the Commissioner, and inconsistency with secrecy provisions.
What is an ‘eligible data breach?’
When an entity believes on reasonable grounds that there has been an eligible data breach affecting personal information, health records, credit information or tax file numbers, it will be required to prepare a statement about the breach and give a copy to the Australian Information Commissioner (s 26WK) and to notify the individuals whose information has been accessed, disclosed or lost (s 26WL). An entity must also give a notification if it is directed to do so by the Commissioner: s 26WR.
An eligible data breach happens if (s 26WE(2)):
- (a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- (b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
In deciding whether the access, disclosure or loss is likely to result in serious harm, an APP entity must have regard to matters such as the kind and sensitivity of the information, whether it is protected by security measures (for example encryption) and how easily those could be circumvented, the persons who have obtained or could obtain the information, and the nature of the harm that could result: s 26WG.
How does notification occur?
The APP entity’s statement must set out the identity and contact details of the entity, describe the breach and the kind or kinds of information concerned, and make recommendations about the steps affected individuals should take in response: s 26WK(3). The same content is required of a statement prepared under a Commissioner’s direction: s 26WR(4).
Where a contravention of the notification obligations is serious or repeated, individuals could face civil penalties of up to $360,000 and organisations up to $1.8 million: s 13G.
A Supplement to the APPs
It is envisaged that the new scheme will operate alongside the existing APP obligations, ensuring coherence with current privacy law and reinforcing compliance. Most notably, the new law builds upon the existing obligation in APP 11.1, which provides that an APP entity holding personal information must take reasonable steps to protect that information from misuse, interference and loss, and from unauthorised access, modification or disclosure. A parallel can be drawn between this existing terminology and the wording of the new mandatory data breach notification laws, which refer to ‘unauthorised access to,’ ‘unauthorised disclosure of’ or ‘loss of’ personal information that is likely to result in serious harm: s 26WE(2).
Given that the new legislation effectively borrows pre-existing terms from APP 11, the Commissioner-issued APP Guidelines, which define these terms, provide some guidance as to how the new law is likely to be interpreted.
In particular:
- ‘Unauthorised access’ to personal information occurs when personal information held by an APP entity is accessed by an individual or entity that is not permitted to do so. According to the APP Guidelines, unauthorised access could be by an employee or independent contractor of the entity, or by an external third party.
- ‘Loss’ of personal information covers accidental or inadvertent loss of information held by an APP entity, whether said information is lost physically or electronically.
- ‘Unauthorised disclosure’ of personal information occurs when an APP entity makes personal information accessible to others outside the entity and releases that information from its control in an impermissible manner under the Privacy Act. While disclosure is not defined in the Privacy Act, the APP Guidelines suggest that the relevant release may be a proactive or accidental release, a release in response to a request, or an unauthorised release by an employee. In determining whether release was justified under the Privacy Act, regard should be had to whether APP 6 has been complied with. Effectively, under APP 6.1, an APP entity can only disclose information for the purpose for which it was collected, unless an exception applies such as consent, a permitted general or health situation, or an enforcement related activity exception.
However, while this framework helps in interpreting the relevant terminology, the new reforms ultimately impose obligations that did not exist under APP 11. Under the amended Act, an APP entity that is fully compliant with its existing obligations under APP 11 may nevertheless be subject to the notification obligation, regardless of whether reasonable steps have been taken. The new law applies in any case where there has been unauthorised access, unauthorised disclosure or loss of personal information that is likely to result in serious harm to affected individuals within the meaning of the Act. It appears to be immaterial whether the eligible data breach arose through unavoidable human error, or whether the breach could have been anticipated in advance.
It is likely that in the course of investigating non-compliance with mandatory data breach notification laws, a number of APP obligations will incidentally become relevant. In addition to APP 11, there is a strong potential for an interrelationship between the mandatory data breach laws and APPs 6 and 12.
APP 6 is likely to arise frequently where the Commissioner investigates a breach of the mandatory data breach notification laws. A breach of APP 6.1 occurs where an APP entity holds personal information about an individual that was collected for a particular purpose, and the entity uses or discloses the information for another purpose. There is considerable overlap between APP 6 and the mandatory data breach notification laws: an unauthorised disclosure by the entity may contravene APP 6 and, where serious harm is likely, also trigger the notification obligation. Furthermore, both APP 6 and the new law contain an exception where the APP entity believes the use or disclosure of the information is reasonably necessary for law enforcement related activities.
Under APP 12.1, an APP entity must, on request, give an individual access to the personal information it holds about them. However, an APP entity needs to take care not to include personal information about other individuals in its response, or the response could itself amount to an unauthorised disclosure that is notifiable under the mandatory data breach laws. Other APPs, such as APP 11.1 or APP 6.1, could also be breached in this situation. Complying with APP 12.1 by giving individuals access to their personal information when they request it could also help APP entities comply with the mandatory data breach laws, as individuals may then seek to correct irrelevant, incorrect or misleading information under APP 13. Having information like this corrected could reduce the risk of a data breach that is likely to cause serious harm.
Overall the mandatory data breach laws have been designed to work in conjunction with the existing array of privacy obligations. This signals that the new laws are intended to empower the Commissioner to broadly investigate potential privacy infringements, and were not designed to be standalone provisions to consider in isolation from existing privacy requirements.
Remedial Action Exception
APP entities would be well advised to proactively revise their privacy policies and their data security practices, policies and systems, both to ensure compliance with APP 11.1 and to mitigate the risk of an eligible data breach. The new law provides a ‘remedial action’ exception that rewards swift and effective data breach responses. It applies where an APP entity takes action before the access, disclosure or loss results in serious harm to any of the individuals to whom the information relates, and as a result a reasonable person would conclude that serious harm is not likely: s 26WF. The implication is that APP entities should consider monitoring their systems and adopting a formal data breach response plan so that they are positioned to respond quickly when a breach is detected.
Disclosure by Overseas Entities
In certain circumstances, the amending legislation also renders an APP entity accountable for the eligible data breach of an overseas third party to whom personal information has been disclosed. The new laws state that where APP 8.1 applied to a disclosure, the mandatory notification laws will have effect as if the personal information were held by the relevant APP entity. This requirement (s 26WC), known as the ‘deemed holding of information’ provision, means that an APP entity will be required to notify affected individuals and the OAIC where the third party recipient entity has committed an eligible data breach.
Enhancing the Commissioner’s Power to Investigate
The ultimate effect of the laws is to afford the Commissioner greater scope to investigate a wide suite of potential breaches, including the APPs and the mandatory data breach notification rules. The Commissioner is empowered upon complaint to investigate or can commence an own motion investigation, as will be discussed below.
Under the new regime there are two broad triggers that would result in an ‘interference with the privacy of an individual’: s 13(4), which will provide the Commissioner with an avenue to pursue an investigation.
The first trigger occurs where an APP entity has failed to carry out an assessment of a suspected eligible data breach where there are reasonable grounds to suspect that one has occurred (s 26WH(2)), has failed to prepare a notification statement and give a copy to the Commissioner where there are reasonable grounds to believe an eligible data breach has occurred (s 26WK(2)), or has failed to notify affected individuals in those circumstances (s 26WL(3)).
The second arises where the Commissioner directs an entity to notify affected individuals of an eligible data breach, having reasonable grounds to believe that one has occurred: s 26WR(1). Before giving such a direction, the Commissioner must invite the entity to make a submission in relation to the proposed direction: s 26WR(3). Failure to comply with the direction as soon as practicable after it is given amounts to an interference with the privacy of an individual under s 13(4).
Own Motion Investigations
Under the Privacy Act, the Australian Information Commissioner, on the Commissioner’s own initiative, is empowered to investigate an act or practice if there could be a breach of the privacy of an individual, or if the Commissioner thinks it is desirable that the act or practice be investigated: s 40(2). This will clearly occur where one of the two triggers above is satisfied so that the entity’s conduct amounts to an ‘interference with the privacy of an individual.’ Thus, an interference will open up an avenue for the Commissioner to carry out an own motion investigation and exercise their broad investigatory and enforcement powers.
Complaints by Individuals
The Commissioner could also investigate a suspected data breach where an individual makes a complaint to the Commissioner under s 36 (or a representative complaint under s 38): s 40(1). The Commissioner may decide not to investigate in certain circumstances. For example, if the complaint is frivolous or vexatious, or the act or practice is not an interference with the privacy of an individual, or the investigation is not warranted, the Commissioner may refuse to investigate: s 41. To decide whether the Commissioner has the power to investigate the complaint, preliminary inquiries can be made of the respondent or any other person: s 42.
The Commissioner may conduct an investigation in such manner as he or she sees fit. In the course of an investigation, the Commissioner has a range of powers, including the power to examine witnesses (s 45) and to compel the production of documents (s 47), and may uncover potential APP breaches along the way. The Commissioner is therefore well equipped under the new laws to examine privacy law transgressions broadly, including existing obligations under the APPs.
Enforcement
Where a complaint is made by an individual, the Commissioner may make a determination dismissing the complaint, or declaring that the individual’s privacy has been interfered with and specifying steps (including the payment of compensation) to be taken by the entity (s 52(1)). Similar powers, including the power to award compensation, are available to the Commissioner following an own motion investigation (s 52(1A)). Where the interference with privacy is serious or repeated, the Commissioner may also apply to the court for a civil penalty of up to 2000 penalty units, which at the time of writing is $360,000 for an individual and, because the maximum for a body corporate is five times that amount, $1.8 million for an organisation: s 13G. Finally, the Commissioner may accept an enforceable undertaking under s 33E. The Commissioner therefore has a range of tools at its disposal to enforce compliance with the mandatory data breach laws and with the APP obligations more broadly.
Key Takeaways
- Consider adopting a robust data breach response plan, implementing better policies and practices, and ensuring better staff training. This will help to mitigate risks in relation to data breaches, and could also bring your company within exceptions such as the ‘remedial action’ exception.
- Consider existing guidance from the OAIC to work out the potential scope of future obligations under the new legislation. The OAIC also previously operated a voluntary data breach notification scheme and has published resources online to assist APP entities in strengthening their data breach prevention and management practices.
- APP entities should revisit their information sharing agreements in light of the ‘deemed holding’ provision. Furthermore, APP entities should consider inserting obligations into contracts with overseas information processors requiring notification where there has been a serious data breach.