Mandatory reporting for privacy breaches

Andrea Beatty and Gabor Papdi KEYPOINT LAW

Mandatory data breach notification appears to be inevitable. A Bill to amend the Privacy Act was recently introduced into the Parliament. The notification regime it seeks to impose is not materially different from the present voluntary notification scheme, but its mandatory nature should motivate entities to improve data security so as to prevent data breaches and thereby avoid the notification obligations.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) was introduced into the Commonwealth House of Representatives on 19 October 2016 by the Minister for Justice. If enacted,[1] it will amend the Privacy Act 1988 (Cth) (the Act) to insert a Part IIIC implementing a mandatory data breach notification scheme. This article will provide a brief explanation of the key provisions of the Bill and their significance for entities. For convenience, provisions in clause 3 of schedule 1 to the Bill will be cited as if they are already part of the Act.

The amendment will operate prospectively; obligations will not be imposed retrospectively.[2]

Why is the scheme being legislated?

This Bill was moved in response to a number of high profile data breaches worldwide and the serious harm to individuals which data breaches can cause.[3] Advances in technology have enabled large datasets to be analysed more quickly and cheaply than ever before, resulting in entities holding more and more personal information in electronic form and increasing the risk that the individuals to whom the personal information relates become the victims of identity crimes or suffer personal embarrassment as a result of having their personal activities disclosed to the world at large.[4] The Minister stated in the Second Reading speech that if an individual is at risk of serious harm because of a data breach, being informed of the breach will enable them to take steps to mitigate the potential harm that they might otherwise suffer.

In Australia, a mandatory data breach notification scheme was recommended as early as 2008 by the Australian Law Reform Commission[5] and the Australia Privacy Commissioner (the Commissioner) has operated a voluntary notification scheme since then. Notifications under the voluntary scheme have increased significantly in recent years, but the Commissioner was nevertheless concerned that data breaches in Australia are being underreported.[6] The previous Commonwealth Government had introduced a Bill to implement a mandatory notification scheme in 2013 but that Bill lapsed when the Parliament was dissolved for the 2013 election.[7] In 2015, the advisory report of the Parliamentary Joint Committee on Intelligence and Security about proposed telecommunications data retention legislation again recommended the introduction of a mandatory data breach notification scheme.[8]

What must you notify?

The mandatory data breach notification scheme centres on the concept of an ‘eligible data breach’. Notification obligations attach to an entity when it becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. Section 26WE(2) defines two types of eligible data breach:

  • If there is unauthorised access to, or unauthorised disclosure of, information and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.[9]
  • If information is lost in circumstances where there is likely to be unauthorised access to, or unauthorised disclosure of the information and if such access or disclosure were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.[10]

The Explanatory Memorandum states that serious harm could include serious physical, psychological or emotional harm in addition to economic harm and reputational damage. However, mere distress or otherwise being upset are not intended to give rise to notification obligations in all but exceptional cases.[11]

Loss, access or disclosure will not constitute an eligible data breach in certain circumstances where the entity that suffered the data breach takes remedial action to prevent serious harm from happening to any individual to whom the data relates. Section 26WF provides that an eligible data breach does not occur, and is taken to never have occurred, in any of the following circumstances:

  • there has been unauthorised access or disclosure but the entity takes action before the access or disclosure results in serious harm to any individual to whom the information relates and, as a result of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any such individual[12]
  • there is a loss of information, the entity takes action in relation to the loss before any unauthorised access or disclosure and, as a result of that action, no unauthorised access or unauthorised disclosure occurs,[13] or
  • there is a loss of information, the entity takes action in relation to the loss after there is unauthorised access or disclosure but, as a result of that action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any individual.[14]

Even if there is an eligible data breach, an entity is not required to notify a particular individual of the content of a notification statement if, as a result of remedial action taken by the entity, a reasonable person would conclude that that individual would not be likely to suffer serious harm as a result of the unauthorised access or disclosure (even if other individuals are likely to suffer serious harm).

The Act will also provide guidance for assessing whether serious harm is reasonably likely to occur, with regard to be given to:

  • the nature of the compromised information
  • the kinds of persons who have obtained or could obtain the compromised information
  • the security measures used to protect the information (e.g. encryption), and
  • the likelihood that persons could circumvent such security measures and the nature of the harm.[15]

However, the list of considerations given is not exhaustive and a court may have regard to any relevant matter.[16]

Must you investigate for data breaches?

The objective of the Bill is to require an entity to provide notification of a data breach as soon as practicable after it becomes aware of the breach.[17] An entity cannot, however, avoid its notification obligations by being wilfully blind to data breaches. Under the new scheme, an entity is required to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that an eligible data breach has occurred if it is aware that there are reasonable grounds to suspect that there may have been an eligible data breach, and to take all reasonable steps to ensure that the assessment is completed within 30 days after the entity becomes so aware.[18]

By making the obligation to investigate conditional on an entity’s awareness of facts that provide reasonable grounds to suspect an eligible data breach, s 26WH is intended to discourage entities from acting with excessive caution and notifying events that do not constitute eligible data breaches and thereby reduce the cost of complying with the new privacy obligations.[19]

The focus of an investigation under s 26WH will depend on the circumstances of each case. In some cases, an entity may need to assess whether there has in fact been loss, access or disclosure. If the entity is already aware that there has been loss, access or disclosure, its assessment should focus on the seriousness of the likely harm to individuals.[20]

When and how must you notify?

General notification obligation

The notification obligation is the core obligation introduced by the Bill. An entity is obliged to prepare and give to the Commissioner a statement (referred to hereafter as a ‘notification statement’) containing information about a data breach as soon as it becomes aware that there are reasonable grounds to believe that there has been an eligible data breach.[21] The notification statement must set out:

  • the identity and contact details of the entity
  • a description of the eligible data breach
  • the kind or kinds of information concerned, and
  • recommendations about the steps that individuals should take in response to the eligible data breach.[22]

An entity must also notify the contents of the notification statement to the individuals to whom the compromised information relates as soon as practicable after the notification statement has been prepared. If practicable, it must notify each individual to whom the compromised information relates.[23] If that is not practicable, the entity must take reasonable steps to notify each individual who is at risk from the eligible data breach.[24] If neither is practicable, the entity must publish a copy of the notification statement on its website and take reasonable steps to publicise the contents of the notification statement.[25] Whether a method of notification is practicable depends on the time, effort and cost it entails. It is contemplated in the Explanatory Memorandum that the sheer volume of affected individuals may render notification to each affected individual impracticable due to the volume of resources required to identify and locate each such individual.[26]

Notification at the direction of the Commissioner

If the Commissioner is aware that there are reasonable grounds to believe that there has been an eligible data breach of any entity, it may, by written notice given to the entity, direct the entity to prepare a notification statement, provide a copy of the notification statement to the Commissioner and provide such notification to the individuals to whom the compromised information relates as is practicable in the circumstances.[27]

Before directing an entity to provide notification, the Commissioner must invite the entity to make a submission in relation to the proposed direction.[28]

In deciding whether to give a direction, the Commissioner must have regard to the public interest, advice given by an enforcement body or the Australian Signals Directorate, any submission made by the entity and any other relevant matter.[29]

What are the exceptions?

There are a number of largely policy-based exceptions to the general notification obligation. They are:

  • if the entity is an enforcement body and its chief executive officer believes on reasonable grounds that notification would prejudice the body’s enforcement activities[30]
  • if notification would be inconsistent with a secrecy provision of a Commonwealth law (in this case, notification is not required only to the extent of the inconsistency)[31]
  • if notification would be inconsistent with a prescribed secrecy provision (in this case, notification is not required at all),[32] or
  • if the Commissioner has provided an exemption, having regard to the public interest, advice given by an enforcement body or the Australian Signals Directorate and any other relevant matter. The Commissioner may provide an exemption on their own motion or on an application made by the entity.[33]

The enforcement activity and secrecy provision exceptions to the general notification obligation also apply in substantially the same terms to an obligation to comply with a direction of the Commissioner.[34]

Can the Commissioner’s directions be appealed?

The Bill also amends s 96 of the Act to make the discretions conferred on the Commissioner by Part IIIC reviewable by the Administrative Appeals Tribunal.[35]

What if the breach involves other entities?

The Bill recognises that a particular dataset may be held jointly and simultaneously by multiple entities, so that an eligible data breach of one entity is a data breach of other entities.[36]

Section 26WJ provides that if one such entity has investigated and assessed circumstances that may constitute an eligible data breach, the other affected entities are not required to conduct their own separate assessments. However, if neither entity conducts an assessment, each entity may be found to have breached s 26WH.[37]

Likewise, s 26WM operates to require only one notification statement to be provided in the event of an eligible data breach affecting multiple entities.[38] However, if the Commissioner directs an entity to notify a data breach under s 26WR, the Commissioner’s direction may require the notification statement to set out the identity and contact details of other entities of whom the breach is also an eligible data breach.

Do you need to notify data breaches of overseas entities?

If an APP entity discloses personal information to an overseas recipient and Australian Privacy Principle 8.1 applies to the disclosure of the personal information, the APP entity is deemed to hold that information and therefore remains accountable under s 16C of the Act if the overseas recipient suffers an eligible data breach.[39]

Likewise, if a credit provider discloses credit eligibility information to bodies or persons that do not have an Australian link, the credit provider is deemed to hold the credit eligibility information for the purposes of s 21S(1)[40] of the existing Act and the new Part IIIC and so remains accountable if the recipient suffers an eligible data breach.

How does the new mandatory notification scheme differ from the current voluntary notification scheme?

Aside from the fact that it is compulsory, the new mandatory data breach notification regime does not differ materially from the current voluntary notification scheme.[41]

Under the voluntary scheme, when deciding whether or not to disclose a breach to the Office of the Australian Information Commissioner (OAIC) an entity should consider:

  • whether there is a real risk of serious harm arising from the breach
  • the number of people affected
  • whether the information was recovered without further disclosure
  • whether the affected individuals have been notified, and
  • whether the OAIC is likely to receive complaints or inquiries about the breach.[42]

Under the new Part IIIC, the relevant consideration is whether a reasonable person would conclude that the loss, access or disclosure is likely to result in serious harm to any individual.[43] This appears to be a slightly higher threshold for disclosure than the ‘real risk’ standard in the voluntary scheme, especially as it requires a serious harm to an individual rather than serious harm generally.

In terms of the content of a notification, the new Part IIIC requires less information in a notification statement than is suggested by the Data Breach Notification Guide.

Under the voluntary scheme, in addition to information equivalent to that specified in s 26WK(3) (except recommendations about steps that individuals can take in response to the breach), it is expected that entities also include:

  • a description of their response to the breach
  • what assistance has been offered to affected individuals, and
  • whether the breach has been notified to other external contacts.

Hence, whereas the voluntary scheme effectively requires participants to respond to a data breach and take action to assist affected individuals, the mandatory scheme imposes only notification obligations. The only purpose of responding to a data breach under Part IIIC is to avoid being required to notify the Commissioner and any affected individuals.[44]

In summary, the Bill, if passed by the Parliament, will effectively make the current voluntary data breach reporting scheme mandatory. Whilst the notification obligations do not appear to be unduly onerous, frequent notification of data breaches by an entity will undoubtedly cause it reputational damage. As such, it will impose practical discipline on entities which hold personal information and likely lead to better information security practices.

Andrea Beatty
Consulting Principal
Gabor Papdi
Graduate

[1] This is a near certainty as the issue has bipartisan support.

[2] Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) sch 1 cl 6 (‘Bill’); Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth), [205] (‘Explanatory Memorandum’).

[3] Commonwealth, Parliamentary Debates, House of Representatives, 19 October 2016, 8 (Michael Keenan, Minister for Justice) (‘Second Reading speech’). The Minister specifically cited the Ashley Madison and US Office of Personnel Management breaches in the Second Reading speech.

[4] Explanatory Memorandum, above n 2, [60]-[79].

[5] In ALRC Report 108 For Your Information: Australian Privacy Law and Practice (http://www.alrc.gov.au/publications/report-108).

[6] Explanatory Memorandum, above n 2, [81]-[88].

[7] Second Reading speech, above n 3, 8.

[8] Explanatory Memorandum, above n 2, [5].

[9] Subsection (2)(a).

[10] Subsection (2)(b).

[11] Explanatory Memorandum, above n 2, [9]-[10].

[12] Subsection (1).

[13] Subsection (3).

[14] Subsection (4).

[15] Section 26WG.

[16] Section 26WG(j).

[17] Explanatory Memorandum, above n 2, [134].

[18] Section 26WH.

[19] Explanatory Memorandum, above n 2, [89]-[90].

[20] Ibid [91].

[21] Section 26WK(1) and (2).

[22] Section 26WK(3).

[23] Section 26WL(2)(a).

[24] Section 26WL(2)(b).

[25] Section 26WL(2)(c).

[26] Explanatory Memorandum, above n 2, [122].

[27] Section 26WR(1)-(2).

[28] Section 26WR(3).

[29] Section 26WR(6).

[30] Section 26WN.

[31] Section 26WP(1)-(3).

[32] Section 26WP(4)-(7).

[33] Section 26WQ.

[34] Sections 26WS and 26WT.

[35] Bill sch 1 cll 4-5; Explanatory Memorandum, above n 2, [200]-[202].

[36] Explanatory Memorandum, above n 2, [103].

[37] Ibid [104].

[38] Ibid [136].

[39] Section 26WC(1); Explanatory Memorandum, above n 2, [17]-[18].

[40] Imposing an obligation on a credit provider to take such steps as are reasonable in the circumstances to protect credit eligibility information it holds from misuse, interference and loss and from unauthorised access, modification or disclosure.

[41] Described in Data Breach Notification Guide: A Guide to Handling Personal Information Security Breaches (2014, Office of the Australian Information Commissioner, https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-notification-guide-august-2014.pdf) (‘Data Breach Notification Guide’).

[42] Ibid 26.

[43] Section 26WE.

[44] See s 26WF(2) and (5).

This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please also note that the law may have changed since the date of this article.