The Privacy Amendment (Notifiable Data Breaches) Bill 2016 has been introduced into the House of Representatives. If passed, the Bill will insert a new Part IIIC into the Privacy Act to require government agencies and organisations currently regulated by the Privacy Act to provide notice to the Australian Information Commissioner and affected individuals of an eligible data breach. The Bill also applies to credit reporting bodies, credit providers and recipients of tax file number information.
The Bill’s notification scheme will commence within 12 months after the Bill receives Royal Assent.
UPDATE: The scheme commenced on 22 February 2018.
What is an eligible data breach?
An eligible data breach happens if:
(a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
(b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
An entity must give a notification if:
(a) it has reasonable grounds to believe that an eligible data breach has happened; or
(b) it is directed to do so by the Commissioner.
Serious harm could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach. In deciding whether there is an eligible data breach, entities are required to have regard to a list of ‘relevant matters’ included in the Bill. It is not intended that every data breach be subject to a notification requirement.
Suspected eligible data breach
If an entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity, the entity must:
(a) carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity; and
(b) take all reasonable steps to ensure that the assessment is completed within 30 days after the entity suspects there may have been an eligible data breach.
How do you give a notification?
In the event of an eligible data breach, an entity is required to notify the Commissioner and affected individuals as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach (unless an exception applies).
The notification must include:
- the identity and contact details of the entity
- a description of the serious data breach
- the kinds of information concerned, and
- recommendations about the steps that individuals should take in response to the serious data breach.
In providing the information described above to affected individuals, the entity also has discretion to notify either each affected individual or, if not all affected individuals are deemed to be ‘at risk’ from an eligible data breach, only those affected individuals who are deemed to be at risk.
Exceptions
There may be circumstances in which it is impracticable to provide a notification to affected individuals, either collectively or only to those at risk. The Bill provides that, in these circumstances, an entity will not be required to provide notice directly to each affected individual but will rather be required to provide the information described above on its website (if any) and to take reasonable steps to publicise the information.
There is no obligation to give a notification where entities have taken remedial action following an eligible data breach or potential eligible data breach and a reasonable person would conclude that, as a result of the remedial action, the unauthorised access or unauthorised disclosure of personal information (including an unauthorised access or unauthorised disclosure following loss of the information) is not likely to result in serious harm to the affected individuals.
In addition, the Commissioner may exempt an entity from providing notification of an eligible data breach where the Commissioner is satisfied that it is reasonable in the circumstances to do so, having had regard to several matters prescribed in the Bill.
Commissioner’s powers
In circumstances where the Commissioner believes that an eligible data breach has occurred and no notification has been given by the entity that suffered the breach, the Commissioner may give a written direction to the entity requiring it to provide notification of the data breach. Failure to comply with an obligation included in the Bill will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act. In such cases the Commissioner has the capacity to undertake Commissioner-initiated investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.