Data breach! Update to Australian privacy law

In our increasingly online economy, data breaches are an unfortunate reality for all businesses, and a threat to consumer privacy and safety. A data breach is essentially any intentional or unintentional release of secure or private or confidential information to an untrusted environment.

Now, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (‘the Amendment) will make it mandatory for businesses to disclose certain data breaches. This bill has been a long-time coming, and one carefully negotiated by the major parties, following a recommendation from the Australian Law Reform Commission in 2008. The overriding purpose of these changes is to keep consumers safe from significant harm, and as such, heavy penalties of up to $1.8 million are in place in cases of non-compliance.

The Amendment

The Amendment will apply to all businesses with responsibilities under the Privacy Act 1988 (Cth) (known as APP entities). It provides that such organisations who have reasonable grounds to believe they have suffered an eligible data breach must notify affected individuals and the Office of the Australian Information Commissioner (‘OAIC’). The Amendment also provides that an entity must give such notification if it has been directed to do so by the Commissioner.

So what is an eligible data breach? The Amendment sets out a two-part test to determine what constitutes an eligible data breach.
1. There has been unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
2. the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

It is important to note that not all data breaches are made reportable under the Amendment. Only eligible data breaches, that is those likely to result in serious harm, are reportable.

The key question here is what sort of breach will be considered “likely to result in serious harm”? This will be particularly difficult to answer given the lack of legal precedent. For example, while the leaking of email addresses may seem innocuous, when paired with other information or in light of who has received unauthorised access to such information, this breach can in fact be very serious.

In the coming months, Data Governance Australia and the Association for Data-Driven Marketing & Advertising will create a joint guideline to outline how businesses can assess the likelihood and seriousness of harm to ensure that businesses have some guidance in determining whether a breach is an eligible breach and thus reportable.

How will this impact businesses?
Entities that have reasonable grounds to suspect an eligible data breach has occurred must carry out a reasonable and expeditious assessment of whether such breach has in fact occurred and take all reasonable steps to ensure this is completed within 30 days after becoming aware of that fact.

After identifying that such a breach has occurred, entities must as soon as practicable thereafter provide a statement to affected individuals and also give a copy of that statement to the Commissioner.

A compliant statement will set out:
• the identity and contact details of the entity;
• a description of the eligible data breach that the entity has reasonable grounds to believe has happened;
• the kind or kinds of information concerned; and
• recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened.

Realistically, many businesses already disclose breaches to affected customers as this is good business practice for consumer trust. Also, the burden on businesses is reduced as only affected individuals must be notified – not the entire customer base. It is likely that the impact of the Amendment will be felt more by smaller organisations who now need to put in place new procedures to comply with the law. The good news is that these disclosure obligations do not come into effect until 22 February 2018, giving businesses one year to ready themselves with the necessary processes to identify, recognise and notify of eligible data breaches to the OAIC and affected individuals.

What now?
The key message for businesses is to be prepared and proactive, and ensure that your business has procedures in place to identify breaches that require reporting when they occur and deliver timely action. Furthermore, when it comes to notifying consumers, it is important that a notification is not an act of fear mongering, but rather helping consumers understand what has occurred, how it impacts them, and the necessary next steps the individuals should take, and any being taken by the business, to remedy the breach.

We will provide updates over the next twelve months as further guidance from the OAIC and relevant industry bodies regarding implementation of the Amendment comes to light. If you require any assistance, please feel free to call us on (02) 8599 1280.