The Mandatory Data Breach Laws in Australia One Year On

The mandatory data breach notification laws have now been in force for over 12 months. While quite convoluted and amorphous in some respects, the regime imposes an obligation on APP entities to notify affected individuals and the Australian Information Commissioner of suspected eligible data breaches affecting personal information, credit information or tax file numbers, provided that there are reasonable grounds for this belief. APP entities that contravene their notification obligations could be fined up to $1.8 million.

The Commissioner has recently released the Notifiable Data Breaches Scheme 12 month Insights Report. In this blog post I will briefly recap how the mandatory data breach regime operates, before discussing key insights from the Commissioner’s report.

The Mandatory Data Breach Regime

What is an ‘eligible data breach’?

When an entity believes on reasonable grounds that there has been an eligible data breach affecting personal information, health records, credit information or tax file numbers, it will be required to report it to the Australian Information Commissioner and the people whose information has been lost or stolen. An entity must also give a notification if it is directed to do so by the Commissioner.

An eligible data breach happens if:

  • (a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
  • (b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

An APP entity is required to assess whether there has been an eligible data breach, having regard to matters such as the kind and sensitivity of information disclosed, relevant security measures, the persons who have obtained or could obtain the information, and the nature of the harm caused.

How does notification occur?

The APP entity will have to describe the breach and the kind or kinds of information concerned to affected individuals, and make recommendations about what the individuals should do.

APP entities that contravene the relevant notification obligations may be fined up to $1.8 million.

One Year On

The Insights Report examines the first four quarters of statistics from the scheme, and shows that:

  • 964 eligible data breaches were notified to affected individuals and the Office of the Australian Information Commissioner (OAIC) from 1 April 2018 to 31 March 2019;
  • 60 per cent of breaches were traced back to malicious or criminal attacks;
  • The leading cause of data breaches during the 12-month period was phishing (people tricked into revealing information such as passwords) causing 153 breaches;
  • More than a third of all notifiable data breaches were directly due to human error;
  • That includes personal information being emailed to the wrong recipient, which caused 97 data breaches, or one in ten;
  • The remaining 5 per cent of all notifiable data breaches involved system faults;
  • 168 voluntary notifications were also received by the OAIC, where the reporting threshold or ‘serious harm’ test was not met, or the entity was not regulated under the Privacy Act.

The Commissioner has provided a media statement regarding key findings:

“Data breaches involving personal information may be prevented through effective training and enhanced systems, analysis of the first 12 months of mandatory notifications reveals.”

“Releasing the report at the start of Privacy Awareness Week in Sydney today, Australian Information Commissioner and Privacy Commissioner Angelene Falk called on regulated entities to heed its lessons.”

“By understanding the causes of notifiable data breaches, business and other regulated entities can take reasonable steps to prevent them,” Ms Falk told the Privacy Awareness Week Business Breakfast this morning.

“Our report shows a clear trend towards the human factor in data breaches — so training and supporting your people and improving processes and technology are critical to keeping customers’ personal information safe.

“After more than 12 months in operation, entities should now be well equipped to meet their obligations under the scheme, and take proactive measures to prevent breaches of personal information.”

“The requirement to notify individuals of eligible data breaches goes to the core of what should underpin good privacy practice for any entity — transparency and accountability.”

Join the Conversation

1 Comment

  1. Interesting post. I suppose the Information Commissioner isn’t such a “toothless tiger” anymore 🐯
