Save Search

Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Privacy Amendment (Privacy Alerts) Bill 2013

Bill home page  


Download WordDownload Word


Download PDFDownload PDF

 

2010-2011-2012-2013

 

 

 

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

 

 

 

HOUSE OF REPRESENTATIVES

 

 

 

Privacy amendment (privacy alerts) Bill 2013

 

 

 

EXPLANATORY MEMORANDUM

 

 

 

(Circulated by authority of the

Attorney-General, the Hon Mark Dreyfus QC MP)

 



privacy Amendment (privacy alerts) Bill 2013

general Outline

This Bill amends the Privacy Act 1988 ( the Privacy Act ) to introduce mandatory data breach notification provisions for agencies and organisations that are regulated by the Privacy Act ( entities ).  The Bill will commence immediately after the amendments to the Privacy Act contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 commence on 12 March 2014.  Accordingly, references to the Privacy Act in this document are references to the Privacy Act as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 .

Mandatory data breach notification commonly refers to a legal requirement to provide notice to affected persons and the relevant regulator when certain types of personal information are accessed, obtained, used, disclosed, copied, or modified by unauthorised persons.  Such unauthorised access may occur following a malicious breach of the secure storage and handling of that information (e.g. a hacker attack), an accidental loss (most commonly of IT equipment or hard copy documents), a negligent or improper disclosure of information, or otherwise.

In its Report 108, For Your Information: Australian Privacy Law and Practice, the Australian Law Reform Commission ( ALRC ) noted that, with advances in technology, entities were increasingly holding larger amounts of personal information in electronic form, raising the risk that a security breach around this information could result in others using the information for identity theft and identity fraud.  A notification requirement on entities that suffer data breaches will allow individuals whose personal information has been compromised by a breach to take remedial steps to lessen the adverse impact that might arise from the breach.  For example, the individual may wish to change passwords or take other steps to protect his or her personal information.

The ALRC recommended that the Privacy Act be amended to require that such notification be given.  Under the ALRC’s proposed test, notification would be provided to those whose privacy had been infringed when data breaches causing ‘a real risk of serious harm’ occurred.  Notification would be compulsory unless it would impact upon a law enforcement investigation or was determined by the regulator to be contrary to the public interest. 

This Bill implements the ALRC’s recommendation by requiring agencies and organisations regulated by the Privacy Act to provide notice to the Australian Information Commissioner ( the Commissioner ) and affected individuals of a serious data breach.  The Bill contains general rules for the majority of entities regulated by the Privacy Act as well as analogous rules for credit reporting bodies and credit providers that are subject to specific regulation under Part IIIA, which deals with consumer credit reporting.  The provisions in the Bill also apply to recipients of tax file number information.  Each type of entity is subject to common requirements under the Privacy Act to protect the types of personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

A data breach arises where there has been unauthorised access to, or disclosure of, personal information, or where personal information is lost in circumstances that could give rise to unauthorised loss or disclosure.  A data breach is a serious data breach where there is a real risk of serious harm to the individual to whom the information relates as a result of the



breach.  This is the standard recommended by the ALRC and also incorporated in the current voluntary data breach guidelines issued by the Office of the Australian Information Commissioner.  In addition, the Bill provides for regulations to specify particular situations that may also be serious data breaches even if they do not necessarily reach the threshold of a real risk of serious harm.  For example, this could include the release of particularly sensitive information such as health records which may not cause serious harm in every circumstance but should be subject to the highest level of privacy protection.

Serious harm, in this context, includes physical and psychological harm, as well as injury to feelings, humiliation, harm to reputation and financial or economic harm.  The risk of harm must be real, that is, not remote, for it to give rise to a serious data breach.  It is not intended that every data breach be subject to a notification requirement.  It would not be appropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of notification fatigue on the part of individuals, and the lack of utility where notification does not facilitate mitigation.

In the event of a serious data breach, the regulated entity is required to provide notification to the Commissioner and affected individuals as soon as practicable after the entity believes on reasonable grounds that there has been a serious data breach.  The notice must include:

·          the identity and contact details of the entity

 

·          a description of the serious data breach

 

·          the kinds of information concerned

 

·          recommendations about the steps that individuals should take in response to the serious data breach, and

 

·          any other information specified in the regulations.

When providing the information described above to affected individuals, the entity may use the method of communication (if any) that it normally uses to communicate with the individual.  This is designed to reduce the cost of compliance for entities, and also to ensure that individuals trust and act upon the information provided.  Information received from an entity using a different method of communication may be dismissed as a scam resulting in individuals failing to take steps to protect the security of their personal information.  Where there is no normal mode of communication with the particular individual, the entity must take reasonable steps to communicate with them.  Reasonable steps could include making contact by email, telephone or post.

There may be circumstances in which it is impossible or impracticable to provide a notification to each affected individual.  The Bill provides for regulations to be made describing those circumstances.  If such regulations are made and the circumstances described in them are met, an entity will not be required to provide notice directly to each affected individual but will rather be required to provide the information described above on its website and to publish the information in a newspaper circulating generally in each State and Territory.

Not all entities will be subject to the data breach notification requirement.  Those entities already exempt from the operation of the Privacy Act such as intelligence agencies and small business operators will enjoy the same exemption in relation to the measures in this Bill.  In addition, law enforcement bodies will be exempt if compliance with a requirement to notify would be likely to prejudice law enforcement activities.

In addition, the Commissioner may exempt an entity from providing notification of a serious data breach where the Commissioner is satisfied that it is in the public interest to do so.  The Commissioner may issue an exemption on application from an entity or on the Commissioner’s own initiative.

In circumstances where the Commissioner believes that a serious data breach has occurred and no notification has been given by the entity that suffered the breach, the Commissioner may issue a written direction to the entity requiring it to provide notification of the data breach.  The information to be provided to the Commissioner and affected individuals will be the same as if the entity had initiated the notification itself.  Similarly, the requirements as to communicating with individuals will be the same.  A law enforcement body that reasonably believes that compliance with the Commissioner’s direction would be likely to prejudice law enforcement activities will be exempt from complying with the direction.

Failure to comply with an obligation included in the Bill will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act.  This will engage the Commissioner’s existing powers (and those that will commence in March 2014) to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act.  This includes the capacity to initiate own motion investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.

This approach will permit the use of less severe sanctions before elevating to a civil penalty.  These less severe penalties would follow a Commissioner investigation and could include public or personal apologies, compensation payments or enforceable undertakings.  A civil penalty would only be applicable where there has been a serious or repeated non-compliance with mandatory notification requirements.  Civil penalties would be imposed by a Court on application by the Commissioner.

A decision by the Commissioner to refuse to grant an exemption or to give a direction that an entity provide notification of a serious data breach will be reviewable by the Administrative Appeals Tribunal.

FINANCIAL IMPACT STATEMENT

This Bill has no significant impact on Commonwealth expenditure or revenue.



 

REGULATION IMPACT STATEMENT

Background

Australian Law Reform Commission report on privacy

In May 2008, the Australian Law Reform Commission ( ALRC ) concluded a 28-month inquiry into the effectiveness of the Privacy Act 1988 ( Privacy Act ) and related laws as a framework for the protection of privacy in Australia [1] .   In its report, the ALRC made 295 recommendations for reform in a range of areas, including creating unified privacy principles, updating the credit reporting system, and strengthening the powers of the Privacy Commissioner.  The Government has responded to the majority of their recommendations through the passage of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 in Parliament in December.  As a result of that Act, major privacy reforms will commence in March 2014.

One of the ALRC’s other recommendations was that a mandatory data breach notification scheme be introduced (rec 51-1).   The ALRC noted that, with advances in technology, entities were increasingly holding larger amounts of identifying information in electronic form, raising the risk that a breach of this information could result in another individual using the information for identity theft and identity fraud.  Stalking, embarrassment, or discrimination can also sometimes result from the unauthorised release or loss of information held by an agency or organisation.

Submissions to the ALRC’s inquiry indicated strong support for the introduction of a mandatory requirement, although some key private sector organisations were not supportive such as banks and telecommunications providers [2] .

Under the Office of the Australian Information Commissioner’s ( OAIC ) guide ‘ Data Breach Notification: A guide to handling personal information security breaches ’, a data breach is defined as the situation where ‘personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse’ [3] .  The OAIC guide notes that breaches are not limited to malicious actions, such as theft or ‘hacking', but may arise from internal errors or failure to follow information-handling policies that cause accidental loss or disclosure.  The OAIC guide provides some common examples:

  • lost or stolen laptops, removable storage devices, or paper records containing personal information;

·          hard disk drives and other digital storage media (integrated in other devices, for example, multifunction printers, or otherwise) being disposed of or returned to equipment lessors without the contents first being erased;

·          databases containing personal information being ‘hacked' into or otherwise illegally accessed by individuals outside of the agency or organisation;

·          employees accessing or disclosing personal information outside the requirements or authorisation of their employment;

·          paper records stolen from insecure recycling or garbage bins;

·          an agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address, and

·          an individual deceiving an agency or organisation into improperly releasing the personal information of another person.

The ALRC believed that the key objective of a notification requirement is that it would allow individuals whose personal information had been compromised by the breach to take remedial steps to lessen the adverse impact that might arise from the breach.  The ALRC believed that, by arming individuals with the necessary information, they will have the opportunity to take appropriate action, such as monitor their accounts, or take preventative measures such as change passwords and cancel credit cards.

A mandatory scheme would also encourage agencies and organisations to be transparent about their information-handling practices, and result in an improvement in compliance with privacy obligations.  The reputational damage that can follow a high-profile data breach, and the commercial consequences of such a breach, can provide powerful incentives to improve security.  On the other hand, reputational damage is often cited as a reason why some private sector organisations do not notify regulators or affected individuals about data breaches.

The ALRC noted that the Privacy Act contained requirements for the handling of personal information that are relevant to the issue of data breach.  It noted that a data breach may occur because an agency or organisation has failed to comply with its obligations in regards to the use and disclosure of personal information, or where it had failed to take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.    However, a data breach may also occur where an agency or organisation has been in compliance with the Privacy Act but the information it holds has been stolen or ‘hacked’ into.

A recent example of this can be found in the Privacy Commissioner’s report on an investigation into a major data breach on the Sony PlayStation Network /Qriocity [4] .  In that case, the Privacy Commissioner was satisfied that, at the time of the incident, ‘reasonable steps' had been taken by the company involved in accordance with the requirements of the Privacy Act.  Those reasonable steps ensured that customers' personal information was secure and protected from misuse and loss, and from unauthorised access, modification and disclosure.  However, the Privacy Commissioner also commented that affected individuals could have been notified earlier, rather than seven days being allowed to elapse after the discovery of the cyber-attack.  The Privacy Commissioner believed that the delay may have increased the risk of a misuse of the personal information of affected individuals. 

The ALRC also noted developments in international jurisdictions where legislative reform has been implemented.  For example, nearly all US states have implemented some form of mandatory data breach notification legislation, and steps have been taken to consider a national model.  Since the ALRC report and the release of the Government’s discussion paper (noted below), the European Union has also announced proposals to require companies to disclose certain data breaches within 24 hours of their occurrence.  Therefore, the trend in international jurisdictions appears to be moving towards the development and implementation of legislative requirements for notification of data breaches. 

After considering submissions and consultations, the ALRC recommended that a data breach notification requirement be introduced in the Privacy Act.  The ALRC considered that the test should set a higher threshold for notification than is provided in most other tests (i.e. a test based on a real risk of serious harm to an affected individual).  Amongst other things, the ALRC believed that a higher threshold for notification should also reduce the compliance burden on agencies and organisations.

The ALRC believed that the agency or organisation should decide on whether the triggering event has occurred. This will allow organisations and agencies to develop their own standards about what constitutes a real risk of serious harm in the context of their own operations.

The ALRC also believed that it would be appropriate to allow for a civil penalty to be imposed where an agency or organisation has failed to notify the Privacy Commissioner of a data breach.  The rationale behind this recommendation was that it would provide a strong incentive for agencies and organisations to disclose data breaches where required, and encourage these entities to consult with the OAIC where a data breach has occurred to ensure they are in full compliance with the requirements.

The ALRC’s recommendation (51-1) in full is at Attachment A .

Government response

On 14 October 2009, the Government released a First Stage Response to the Australian Law Reform Commission's report, which committed to address 197 of the Commission's 295 recommendations.  Recommendation 51-1 was not part of the 197 recommendations and was identified along with a number other recommendations as requiring more consultation and consideration. 

Discussion paper

On 19 October 2012, the Government released a discussion paper seeking public comments on whether Australia’s privacy laws should include a mandatory data breach notification requirement and, if so, the possible elements of such a requirement.  The content of the discussion paper and the responses to it are outlined and analysed in more detail in the ‘Impact Analysis’ and ‘Consultation’ sections below.

 

Further targeted consultation

In April 2013, the Government undertook confidential targeted consultation on a more detailed legislative model.  This consultation process invited comments on the legislative model, and sought particular views on the possible costs on business.   Further details of this consultation are outlined and analysed in more detail in the ‘Impact Analysis’ and ‘Consultation’ sections below. 

Assessing the problem

Magnitude

The ALRC found that, with advances in technology, agencies and organisations are storing vast amounts of identifying information electronically.  The increased use of the internet and other current and emerging mobile technologies pose new challenges for privacy protection, as Australians increasingly transact commercially and engage socially in the online environment.  Personal information such as medical records, bank account details, photos, videos, and even information about what you like, your opinions and where you work are increasingly transitioning to web pages and data centres, with varying degrees of accessibility and security. 

There are studies and anecdotal evidence suggesting that breaches of data security are increasing in frequency and scope. [5]   Some recent US reports have found that up to 88 per cent of organisations surveyed have had at least one data breach during the course of a year [6] .  In its most recent annual report about incidences of data breaches, Verizon found that there had been a large spike in the number of incidents, and that 98% of these incidents were caused by outside parties, such as hackers [7] .  A more recent Australian survey found that more than 20% of surveyed businesses to admitted to data breaches [8]

In a recent media article from Canada, it was reported that the Canadian Federal Government had experienced more than 3,000 data and privacy breaches over the past 10 years, breaches that have affected more than 725,350 Canadians [9] .  The same article reported that this was not a complete accounting of breaches, suggesting that there the number of breaches may be higher than reported.  The list also turned up at least three instances where the data loss led to criminal activity. 

The harm impact on consumers from data breaches could include financial loss, and psychological and physical harm.

An example of financial loss occurred in the February 2005 case involving the data broker, ChoicePoint, which disclosed a security breach, as required by the California Security Breach Act, involving the personal information of 163,000 persons [10] .  According to the US Federal Trade Commission, ChoicePoint employees were duped into handing over sensitive data of consumers to an organised identity theft ring, which resulted in at least 800 victims having their names, addresses and social security numbers used for a variety of unauthorised purposes.  A settlement order was entered into in 2006 by ChoicePoint with the FTC including a commitment to improve privacy procedures.  In October 2009, ChoicePoint settled charges that it violated the 2006 settlement order and agreed to a modified court order that expanded its data security assessment and reporting duties, and required the company to compensate affected consumers for the time they may have spent monitoring their credit or taking other steps in response [11]

In Australia, there are fewer examples that estimate, or show, the links between data breaches and activities that can cause serious harm to individuals such as identity theft.  The Centre for Internet Safety at the University of Canberra has estimated that the potential for personal or business data to be stolen had grown in recent years, with a decline in the prices charged by cyber criminals for access to data such as credit card details [12]

In terms of whether a notification scheme would operate to limit the harmful effects of a data breach, some private sector stakeholders in responses to the Discussion Paper and in the targeted consultation process queried whether there was empirical evidence to suggest that notification of itself has been effective in reducing the likelihood or impact of a data breach in overseas countries.  This observation was reiterated by some industry groups in responding to the targeted consultation process.

The US cases are limited but provide some evidence on this issue.  Of the limited studies to date, there is empirical evidence to show that notifying affected consumers can reduce harmful effects such as identity theft.  A 2008 study appeared to show that connection between data breaches and identity theft does exist.  In that paper, a study of US jurisdictions using data from between 2002 and 2007 showed that the adoption of data breach notification laws ‘reduce the identity theft rate by just 2%, in average’.  Although this figure may seem low, a 1.8% reduction in identity theft would lead to savings of approximately $US1 billion.  When that study was updated in 2011, the conclusion was that, based on data from 2002 to 2009, an empirical analysis revealed that these laws have reduced identity thefts by about 6.1% [13] .  It is therefore open for the conclusion to be drawn that data breach laws are a longer term effective measure in combating identity theft.

In terms of the size of harm that consumers may experience, there is no information to accurately quantify that impact on consumers in Australia.

While annual studies undertaken by Verizon and Symatec appear to indicate that that there is an increase in the number of data breaches, the actual amount of under-reporting of these breaches is difficult to quantify.  However, there is some anecdotal evidence that this is occurring.  For example, the Privacy Commissioner has publicly stated that, based on media reports citing information technology security experts, the OAIC has only been notified of a small percentage of data breaches that are occurring [14] .   In its submission to the Discussion Paper, the Centre for Internet Safety also asserted that significant amounts of underreporting had been occurring. 

In its submission to the Discussion Paper, the Victorian Privacy Commissioner noted that data breach notifications to the OAIC increased 27 per cent in the previous financial year (i.e. from 2009/2010 to 2010/2011).  However, in the most recent reporting period (2011/2012) data breach notifications decreased 18 per cent.  Respondents to the discussion paper have argued that this may lead to the conclusion that underreporting is occurring because the number of reports should be increasing in proportion with the increasing number of larger scale data breaches. 

On the other hand, some respondents to the discussion paper have argued that the lack of clear information about the level of underreporting shows that there is no evidence of regulatory or market failure that has created a consumer protection risk warranting a response.  Further, the response to the discussion paper revealed that attempting to quantify the problem is difficult because many organisations do not have the capability of detecting whether data loss has occurred, and whether there has been a significant impact or harm caused by such data loss. 

Data breach notification schemes are generally underpinned by the notion that only those breaches that give rise to the likelihood of serious harm should be reported.  One problem is that individuals have different attitudes to privacy protection and some are less concerned about the risks of providing large amounts of personal information, and may react differently to the idea that their personal information may be compromised [15] .  This is particularly the case if the information that is accessed or disclosed is likely to cause some form of psychological harm.  Therefore, the views about what is ‘serious harm’ to someone can be varied, and difficult to quantify.

Existing regulation

There is no requirement under the Privacy Act to notify the OAIC or any other individual in the event of a data breach.  If an entity does not contact the OAIC and implement the guidelines, it does not face a legal sanction.

Under the Privacy Act, agencies and organisations are subject to requirements to provide adequate security protection to personal information in their possession. These are contained in the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs), which both require entities to take reasonable steps to protection personal information from misuse, loss or unauthorised access, modification, or disclosure [16] .  

Section 18G(b) of the Privacy Act imposes equivalent obligations on credit reporting agencies and all credit providers. Similarly, guideline 6.1 of the statutory Tax File Number (TFN) guidelines requires TFN recipients to protect TFN information by such security safeguards as are reasonable in the circumstances [17] .

In March 2014, new reforms will come into effect including the commencement of the Australian Privacy Principles (APPs), which will create one set of privacy principles for agencies and organisations.  New APP 11, will replace NPP 4 and IPP 4, and require agencies and organisations (known as APP entities) to take such steps as are reasonable in the circumstances to protect the information from:

  • misuse, interference and loss; and
  • unauthorised access, modification or disclosure.

The OAIC’s view is that notification may be a ‘reasonable step’ where a data breach has occurred.  However, it believes an express mandatory data breach notification law would provide agencies and organisations with greater clarity and certainty regarding their obligation to notify, and the circumstances in which notification should be made. 

These data security requirements are aimed at encouraging entities to provide sufficiently high levels of security to minimise the possibility that personal information could be compromised.  Provided an entity implemented these requirements, it would not be in breach of its existing Privacy Act obligations, even if it suffered a data breach involving large amounts of personal information.

In the absence of a legal requirement, entities are encouraged to adhere to the OAIC data breach notification guide.  The guide provides general guidance on key steps and factors for agencies and organisations to consider when responding to a data breach involving the personal information that they hold.  That guide provides some guidance around the Privacy Act obligation to put in place reasonable security safeguards and to take reasonable steps to protect the personal information from loss and from unauthorised access, use, modification or disclosure, or other misuse.  Depending on the circumstances, those reasonable steps may include the preparation and implementation of a data breach policy and response plan.

The OAIC guide contains 4 key steps for an agency or organisation to take when a data breach occurs.  These are: (1) Contain the breach and do a preliminary assessment;

(2) Evaluate the risks associated with the breach; (3) Notification; and (4) Prevent future breaches.

A key issue is whether the voluntary OAIC guide is operating as an effective means to encourage widespread notification of breaches.  As noted above, there has been an 18% decrease in 2011-12 from the number of data breach notifications received in 2010-11 [18] .  The Privacy Commissioner has commented that that this decrease in notifications was difficult to explain but noted that media reports citing information technology security experts had suggested that only a small percentage of data breaches were being notified to the OAIC. 

Although there are arguments noted above that claim this is evidence that data breaches are decreasing in frequency, there are figures in other studies indicating that there has been an increase in breach incidents (see Verizon and Symantec reports referred to above).   These studies indicate that there are more entities holding larger amounts of personal information in electronic form, and the incidence of hacking (which are the cause of most data breaches) are generally agreed to be on the increase.

There are some high-profile cases to date where the issue of providing timely notification has been considered important.  For example, as noted above in the Sony PlayStation Network / Qriocity [19] investigation, the Privacy Commissioner commented that affected individuals could have been notified earlier, rather than seven days being allowed to elapse after discovering the cyber-attack had occurred.  The Privacy Commissioner believed that the delay may have increased the risk of a misuse of the personal information of affected individuals.

Relevant risks

A key risk is that an ineffective regulatory framework may raise challenges in encouraging community confidence to fully participate in the continued growth of e-commerce and the digital economy.  Studies show that individuals have significant privacy concerns related to the handling of personal information, particularly in the online environment [20] .  A key element in the Government’s digital economy strategy is to provide for a safe and secure online environment for Australian users [21] .  That will assist Australian businesses to harness and fully realise the potential that developments in information and communications technologies enable. 

For example, respondents to a survey published by the Centre for Internet Safety at the University of Canberra indicated that perception on privacy is a determinant in their online activities, particularly their decision to buy and sell goods and services online [22] .  Respondents rated identity theft (86%) and loss of financial data (83%) as their areas of greatest privacy concern online.  The study also found that 85% of Australians believed that data breach notification should be mandatory for business.

In its submission to the Discussion Paper, the Australian Information Security Association (AISA) advised that 78% of members who commented on the issues in the paper reported that general information and communications technology staff do not have the necessary skills to securely design or operate information systems that store or process information assets.   The AISA further advised that 62% of their respondent members thought that their organisations did not fully appreciate the security threats they faced.  This suggests that increased transparency about data breach incidents may assist in the development of appropriate measures to combat them in the future, and improve awareness amongst entities about the threats. 

There is also a risk that Australian businesses could leave themselves in a position to suffer financial loss.  For example, in its submission to the Discussion Paper, the Australian Institute of Criminology noted that while there are benefits to an individual in early detection of data breaches, ‘these benefits may also carry over to financial institutions and other businesses with early fraud detection reducing financial loss and saving time in the long term’. 

Potential for market development

In response to the discussion paper, a number of private sector stakeholders argued that private sector organisations have developed good privacy practices since the application of the Privacy Act to the private sector in 2001, and understand the importance of seeking the assistance of the OAIC where appropriate and in dealing with the privacy concerns of their customers.  They also argue that, contrary to anecdotal reports, there is no real evidence in Australia of underreporting of significant data breaches to the OAIC, or not at the level to warrant a legislative requirement.

Respondents to the discussion paper believe there are existing commercial incentives for providing high level security and for prompt responsiveness in the event of a significant data breach.  Consumers have identified security as a major privacy issue and may be less likely to transact with a company that has lax privacy protection record, or has inadequate privacy policies [23] .  If consumer perceptions and behaviours develop in this way, that may drive private sector companies to develop better privacy practices (i.e. a ‘market solution’), including notification of data breaches. 

Objectives of government action

The existing Privacy Act does not include an objects clause, although section 29 of the Act requires the Privacy Commissioner to have regard to a number of matters in performing his or her functions.  These include the protection of important human rights and social interests that compete with privacy such as the general desirability of a free flow of information, through the media and otherwise, and the right of government and business to achieve their objectives in an efficient way. 

From March 2014, the Privacy Act will contain new objectives.  These will be to promote the protection of privacy of individuals, while recognising that this protection should be balanced with the interests of entities carrying out their legitimate functions or activities.

In its submission to the Discussion Paper, the Australian Finance Conference (AFC) noted that there are complementary objectives at play in establishing a balanced privacy regulatory framework, including a data breach requirement that impacts on business.  It noted that an appropriate combination of the Government’s consumer protection and digital economy objectives will enable a robust and adaptable privacy framework, in an environment where AFC members and others are able to boost their productivity and global competitiveness by realising the potentials offered by technological advances. 

A key outcome of a well-balanced privacy framework is the provision of a safer and more transparent environment for Australians to entrust their personal information to agencies and organisations.  Greater assurance about the safety of personal information will encourage consumers to more fully engage in e-commerce, thereby boosting Australia’s digital economy. 

Another goal of privacy policy is to enable an enhanced information and assessment process to better inform policy makers, regulators, law enforcement and researchers about trends in the handling of personal information. 

Option one - Retain the status quo

Option 1 is to maintain the status quo.  This means that entities subject to the Privacy Act will have no legal obligation to report a breach of personal information.  They will continue to be encouraged to comply with the existing OAIC guide on data breach notification.  

The OAIC guide provides general guidance on key steps and factors for agencies and organisations to consider when responding to a data breach involving the personal information that they hold.  That guide notes that, agencies and organisations have obligations under the Privacy Act to put in place reasonable security safeguards and to take reasonable steps to protect the personal information that they hold from loss and from unauthorised access, use, modification or disclosure, or other misuse.  Depending on the circumstances, those reasonable steps may include the preparation and implementation of a data breach policy and response plan (that includes consideration of whether to notify affected individuals and the OAIC).

In response to the discussion paper, a number of private sector stakeholders argued that the voluntary scheme was sufficient in encouraging the reporting of significant breaches and in giving guidance to entities about how to effectively respond to these breaches.  Many argue that private sector organisations have developed good privacy practices since the application of the Privacy Act to the private sector in 2001, and understand the importance of seeking the assistance of the Privacy Commissioner where appropriate and in dealing with the privacy concerns of their customers.  They also argue that, contrary to anecdotal reports, there is no real evidence in Australia of underreporting of significant data breaches to the OAIC.  Additionally, some argue that mandatory data breach notification laws effectively penalise regulated entities, which are often the targets of cybercrime attacks. 

Maintaining the status quo would also allow the market participants to continue to develop good privacy practices consistent with the expectations of their customers.  It is arguable that there is a sufficient commercial incentive for organisations to implement good privacy practice and notify their customers in the event that their information may become compromised.  The reputational costs that come with failing to respond properly to significant data breaches are a strong incentive to notify the OAIC and consumers about breaches.  In the current digital economy, consumers are more likely to consider the privacy track record and policies of a business when deciding whether to entrust it with their personal information [24] .

There are also new privacy reforms that will commence in March 2014.  These will give the Privacy Commissioner the power to audit private sector organisations and potentially discover data breaches.  That will potentially make it more difficult for an entity to hide the data breach.  For reputational risk reasons, that is also likely to provide an incentive to report data breaches to the Commissioner and affected individuals. 

Option two - Introduce a mandatory data breach notification scheme

Option 2 is to introduce a legal requirement for entities to report data breaches to the OAIC and to affected individuals where the breach gives rise to a real risk of serious harm to an affected individual.  There would be a number of objectives underpinning such an approach.

The proposed model would apply the data breach notification law to all entities currently regulated by the Privacy Act.  There was general support for this approach from respondents to the discussion paper.  This would not include entities, or some of their activities, that fall within exemptions in the Privacy Act, such as most small businesses, political parties and media organisations. 

The proposed model would implement the ALRC’s recommended trigger for notification, which was a test based on a ‘real risk of serious harm’ to an affected individual.  This would not be a remote risk and would therefore not require entities to report less serious privacy breaches to affected individuals or the OAIC.  This was consistent with the views of the clear majority of submitters who commented on this issue. 

The requirement to notify would apply to personal information held by APP entities, credit reporting information held by a credit reporting body, credit eligibility information held by credit providers, and tax file number information held by file number recipients.  Where these types of information have been disclosed to foreign recipients, the requirement to notify will remain with the disclosing Australian entity in certain circumstances. 

In the targeted consultation process, there was support expressed for more explanation about, or a definition of what constituted ‘serious harm’.  Without this additional assistance, it was argued that some regulated entities may adopt a more risk adverse approach to notification by taking a narrow interpretation.   The consequence may be that the standard of notification would not be high enough to avoid notification fatigue and create resourcing issues at the OAIC.  As a consequence of these comments, further material will be included in the Explanatory Memorandum to the Bill.

The ALRC recommended that the entity involved in the breach should have the responsibility of notification.  Most respondents to the Discussion Paper generally favoured this approach noting that the entity was best placed to assess the breach, the adverse risks that might arise, and what mitigating action could be taken.  The proposed model incorporates this approach. 

The proposed model would also give the OAIC the power to compel notification to affected individuals.  This measure will enable affected individuals to be notified if an APP entity does not notify but where the OAIC considers that there is a ‘real risk of serious harm to any affected individual’.

On the content of the notification, there were a range of views with private sector submitters preferring less detailed information having to be provided, while privacy commissioners and privacy advocates believed more information should be included. 

The ALRC recommended that, as a minimum, the notification should contain: a description of the breach; a list of the types of personal information that were disclosed; and contact information for affected individuals to obtain more information and assistance.  The approach in the proposed model incorporates these suggestions and also requires information about the practical implications of the breach to be included.  These are based on the existing OAIC voluntary standards.  Given that there are matters of detail that could evolve over time, the proposed model includes the power to prescribe additional notification matters in regulations.

There was general support from stakeholders that the means of notification should be directly by phone, letter, e-mail, in person, or by normal means of communication between the entity and the individual.  If direct communication is not practicable, a requirement to publish in a newspaper (similar to a recall notice) will be applicable.  In the target consultation process, industry groups expressed the wish for flexibility so that regulated entities could notify individuals in a variety of ways.  This would enable a more timely notification to an individual (e.g. by phone) than their usual form of communication with that entity (e.g. by mail).  It would also be a measure that could reduce the costs burden on entities.  This suggestion has been incorporated into the proposed Bill.

The proposal legislation also provides that entity should be required to notify as soon as practicable after it believes on reasonable grounds that there has been a breach.  Most discussion paper submitters believed that flexibility, rather than a set time frame, was needed given the variable factors unique to each data breach. 

The proposed legislation enables the Privacy Commissioner to exempt an entity from the requirement to notify a data breach where the Commissioner is satisfied that it is in the public interest to do so. 

The proposed legislation would link into the elevated penalty structure in the existing Privacy Act where less severe sanctions could be used before elevating to a civil penalty.  These less severe penalties could follow a Privacy Commissioner investigation and include public or personal apologies, compensation payments or enforceable undertakings.  A civil penalty would only be applicable where there has been a serious or repeated non-compliance with mandatory notification requirements. 

Option three - Encourage industry to develop industry codes

Option 3 is to encourage entities regulated under the Privacy Act to develop industry codes that provide a self-regulatory framework tailored to particular industry needs, taking into account existing reporting requirements and compliance issues.  This could be complemented with increased efforts on the part of the OAIC to promote more awareness about the OAIC guide.

Some industry groups have developed self-regulatory codes as a tool to promote standard practices and compliance.  For example, the Association for data-driven marketing and advertising (ADMA) has developed a Code of Practice to set standards of conduct for direct marketers, minimise the risk of breaching legislation (including the NPPs in the Privacy Act), promote a culture of best practice, serve as a benchmark in settling disputes and increase business and consumer confidence in doing business with ADMA members who are bound to the provisions of the Code.

Studies from the US indicate that the per capita cost of data breach incidents is different for particular industries with the telecommunications, pharmaceutical, financial and healthcare industries incurring higher costs.  This may support the argument that particular industries are in a better position to identify what is reasonable in terms of developing their own data breach responses having regard to their own compliance cost issues. 

On the other hand, there were mixed views provided by key Australian industry groups in the targeted consultation process.  Some believed that there would be no disproportionate adverse impact on different industry groups, while others believed that small businesses (i.e. those subject to the Privacy Act because they trade in personal information) would be affected in that way. 

While the Privacy Act allows the development of codes which, in theory, would allow particular industries to develop a more tailored approach to personal information-handling, these are not intended to derogate from minimum standards set out on the IPPs and NPPs (and APPs).  Under the new reforms, they will be required to be registered by the OAIC and this is unlikely to occur if the code purports to implement inadequate standards (e.g. if they contained standards less than the OAIC guide).

This option could be complemented with increased efforts on the part of the OAIC to promote more awareness about the OAIC guide, and the importance of complying with it as good privacy practice.  For example, the OAIC has recently finalised an updated Guide to Information Security , which was released by the Attorney-General at the beginning of Privacy Awareness Week 2013 in April 2013 [25] .  In any self-regulatory framework, the regulator’s suggested standardised rules would be a useful starting point.



Impact analysis

Option 1

Agencies and private sector organisations under the Privacy Act will continue to operate in accordance with the IPPs and NPPs (and new APPs from March 2014), and be encouraged to continue to report significant data breaches to the OAIC and affected individuals.  Some of these bodies will become subject to more enhanced privacy requirements in March 2014, including new auditing powers for the OAIC in relation to private sector organisations.   These measures are expected to increase transparency thereby making it more difficult for entities to prevent discovery of significant data breaches.  Public perceptions about responses to data breaches are likely to remain in favour of prompt reporting, which may drive the development of stronger security measures and increased compliance with the voluntary OAIC guide. 

Impact on OAIC

Under this option, there is likely to be little impact on the OAIC itself, except that it will have enhanced powers to discover breaches from March 2014.  More information about breaches is also coming to light with hackers now publicly reporting on their efforts.  The OAIC will be able to seek stronger sanctions in responding to them (e.g. enforceable undertakings and civil penalties), which could act as a deterrent against lax security standards.  The OAIC guide may require minor amendments but mainly to reflect the OAIC’s new powers in relation to breaches of the Privacy Act.  Should legislation not proceed, there may be re-doubled efforts to publicise and encourage compliance with the OAIC guide, which will impact on the public education/awareness resources of the OAIC. 

Impact on individuals

There will be little change for individual Australians noting that they face existing risks without a mandatory scheme.  There remains a possibility that they may continue to not be informed in the event that their personal information becomes compromised, thereby raising the risk they could suffer serious harm.  Their expectations may be raised that, with the commencement of an enhanced privacy protection regime, and with more focus on information security issues, entities will increasingly comply with the OAIC guide.  As noted above, more undisclosed breaches may begin to come to light because of the Commissioner’s new powers, and the trend in hackers revealing their work.  Studies show that the public are in favour of being notified in the event of a data breach affecting their personal information, and this may encourage more entities to err on the side of reporting where there has been a breach.

There will be no impact on small businesses as they are generally not subject to the Privacy Act.  Larger not-for-profit organisations who are subject to the Privacy Act (because they have a turnover of greater than $3 million) will be in the same position as organisations who are subject.

 

Option 2

Agencies and private sector organisations under the Privacy Act will be required to update their internal privacy practices to incorporate a requirement to notify the OAIC and affected individuals in the event of a data breach.  While many entities have updated internal systems to factor in a notification cost component to enable compliance with the OAIC guide, not all would have done so given that it is a voluntary scheme only.  In response to the targeted consultation process, industry group respondents commented that it would be hard to judge whether there would be any incremental increase in cost to entities that already have systems in place to comply with the OAIC guide.

Impact on individuals

Dealing with adverse effects - identity theft

Mandatory data breach notification laws are intended to provide notification to a person who has had their privacy infringed by the breach about the incident, and information about steps that can be taken to mitigate the harm that might be caused by the breach.  That person will have an opportunity to take corrective action to change or otherwise ‘resecure’ the information.  The ALRC considered that this could be referred to as the ‘mitigation objective’. [26]   For example, this might allow an individual to change passwords where those passwords have been hacked, to cancel credit cards if details have been stolen, or to change telephone numbers where silent numbers have been revealed.

However, such a rationale shifts the onus away from the organisation that has suffered the breach and onto a person who may be ill-equipped or unable to correct the consequences of the breach.  For example, in cases where an individual’s health information has been accidentally uploaded to the internet, it may not be possible to rectify the breach even if it has been subsequently taken down.  Once that information has been disclosed, knowledge about it may become widespread.

Provided there is improved compliance as expected, individual Australians will be informed in the event that their personal information becomes compromised, allowing them to take appropriate action to mitigate harm.  That is expected to raise confidence amongst consumers about the entities that they are dealing with, and the increased transparency will provide them with more information to make informed choices about which entities they want to transact with.  There is the possibility that some entities that need to make internal changes to meet compliance could pass those costs on to consumers thereby making transactions more costly.

In terms of the impact on the Australian community as a whole, there may be benefits in developing measures to combat cybercrime and through greater transparency in personal information handling.  Notifications can also enable law enforcement, researchers, and policy makers to better understand which firms and business sectors are better (or worse) at protecting consumer and employee data [27] .

Impact on businesses

Requiring notification may act as an incentive to the holders of personal information to adequately secure or dispose of that information.  In other words, the adverse publicity occasioned by a notification may deter poor handling of such information, and increase the likelihood that adequate and reasonable measures are taken to secure it.  This could thus be called the ‘deterrent objective’.  The ALRC viewed this as more of a secondary objective, although it has been part of the rationale for data breach notification laws in many other jurisdictions.

A mandatory notification scheme may result in improved compliance with rules relating to the collection and retention of personal information. First, an entity is likely to more carefully consider what personal information is it necessary to collect.  As noted in the OAIC guide, personal information that is never collected, cannot be mishandled.  The new APPs will require that private organisations only collect personal information that is reasonably necessary for one or more of their functions or activities.

A mandatory notification scheme will also make entities focus on how long personal information needs to be retained.  New APP 11 requires organisations to securely destroy or permanently de-identify information that is no longer needed for the permitted purposes for which it may be used or disclosed.  The destruction or de-identification of information that this no longer required will usually be a reasonable step to prevent the loss or misuse of that information.

The creation of mandatory laws would also create a more level playing field for organisations.  The Victorian Privacy Commissioner noted that only those ethical and compliance conscious organisations are likely to voluntarily report.  Mandatory notification would assist in reducing (and possibly eliminating) incentives for organisations to suppress or deliberately conceal data breaches. 

There will be no impact on small businesses which are not subject to the Privacy Act.  Under the Privacy Act, a business with an annual turnover of less than $3million is considered a small business, and is generally not required to comply with the Act.  However, there are a number of small businesses in that category which are subject to the Privacy Act because of exceptions to the Act contained in provisions such as paragraphs 6D(4)(c) - (d), e.g. they trade in personal information.  In the targeted consultation process, it was argued that there would be a disproportionate cost on these entities, particularly in the direct marketing industry, as they may not be in a position (unlike larger organisations) to absorb some of the costs internally. 

Larger not-for-profit organisations who are subject to the Privacy Act (because they have a turnover of greater than $3 million) will be in the same position as organisations who are subject.  A possible negative impact for small business is that individuals may be more tempted to use larger private sector organisations safer in the knowledge that they are subject to mandatory requirements in the event of a data breach. 

Specific costs on business

The introduction of a mandatory scheme for entities regulated by the Privacy Act raises the question of what new compliance costs will be necessary.   There are no figures outlining the actual numbers of private sector organisations that are subject to the Privacy Act.  Around 94% of all private sector organisations are small business operators and therefore generally exempt from the Privacy Act.  Certain obligations will apply to small businesses that, for example, trade in personal information, are health service providers, are tax file number recipients, operate residential tenancy databases, or simply voluntarily opt in. 

Administrative costs

In the targeted consultation process, respondents from a number of industry groups commented that there would be ‘paper burden’ or administrative costs in complying with the mandatory scheme outlined above under Option 2.  In summary, these were described as:

·       costs linked to notification methods (e.g. mail, telephone, resourcing) so that the actual costs would be incurred by specific business units within an organisation.  It was noted that greater flexibility in the notification requirements would assist in containing costs associated with communicating to customers;

·       other costs could be in the time and effort in formalising the process (e.g. internal communications, directives, and process mapping);

·       increased insurance costs, which would be a consequence of an increased perceived business risk; and

·       costs associated with the need to engage additional legal counsel. 

The targeted consultation process did not receive specific costs estimates.  There was no common view among respondents about the likely amount of costs, with respondents providing a broad range of general cost estimates on this issue. 

For example, one industry group respondent commented that ‘larger organisations have stated clearly that the requirements of mandatory notification would involve capital expenditure running into millions of dollars, and the costs would vary depending on the amount of data held by the entity.  Another industry group respondent believed there would be ‘significant capital costs’. 

On the other hand, privacy and consumer advocates argued that the costs would be minimal.  These respondents argued that the costs of preventing breaches are in any case generally lower than the costs of handling them once they have occurred; and that it is widely recognised that it is good business practice to proactively manage risks rather than to merely react when something goes wrong.  Further, these groups argued that the costs are likely to be mostly one-off and should be considered a normal business overhead for any organisation handling personal information.

For entities that already comply with the OAIC guide, industry group respondents to the targeted consultation process noted that it would be hard to say whether there would be any incremental increase in cost.  Privacy and consumer advocate groups argued that costs for these entities are not likely to be significant because they already have systems in place to comply with the existing OAIC guide, and regard responding to security breaches, including through notifying customers, as a necessary part of business.     

Effect on particular industry groups

Respondents to the targeted consultation process had mixed views about whether particular industry sectors would incur costs disproportionately through a mandatory data breach notification scheme.  Most believed there would be no industry sector impacted disproportionately, although others believed that there would be in the case of:

·          small businesses (e.g. traders in personal information who are subject to the Privacy Act) and start-ups; and

·          some members of the financial services sector, given that the coverage includes APP regulated entities, credit providers and tax file number recipients. 

Costs of a data breach - US studies

A recent US Ponemon report indicated that the cost of a data breach, both in terms of the organisational cost of data breach and the cost per lost or stolen record have declined, although the notification component of the cost has increased [28] .  The methodology used in this report calculated costs using both the direct and indirect expenses paid by the organisation.  Direct expenses included engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services.  Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished acquisition rates.  Using this methodology, an average per capita cost of a data breach in 2011 was $194, which was a drop from $214 in 2010. 

The costs associated with notification increased from $0.51 in 2010 to $0.56 in 2011, although still less than $0.66 in 2006 when a large number of data breach laws were introduced in some US states.  According to the Ponemon study, these costs typically include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, secondary contacts to mail or email bounce-backs and inbound communication set-up. 

There is also a question of the capacity of businesses to implement the reforms at this time.  As noted above, AISA advised that 78% of members who commented on the issues in the paper reported that general information and communications technology staff do not have the necessary skills to securely design or operate information systems that store or process information assets.  The AISA further advised that 62% of their respondent members thought that their organisations did not fully appreciate the security threats they faced.  Instead of regulatory reform there may be value in having a period where education, training and awareness-raising is promoted, so that organisations are better equipped to deal with data breaches, and therefore more likely to comply with a future mandatory scheme.  

Mandatory notification laws exist in nearly every state in the United States, and almost 30 of these are based on an original Californian model.  That model requires a state agency, or a person or business that conducts business in California, that owns or licenses computerised data that includes personal information, as defined, to disclose in specified ways, any breach of the security of data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorised person.  The model used in other US states is based on a trigger for notification only if it is reasonable to believe the information will cause harm to consumers. 

This Californian model has a lower threshold than the proposed model in the draft legislation. The proposed amendments would require more serious data breaches to be reported where there is a real risk of serious harm, rather than any breach involving unencrypted personal information.  The different approach in the proposed amendments is justified on the basis that the notification burden on agencies and organisations should only be necessary having regard to the interests of the individuals concerned, and it is based on the key threshold already commonly understood by many of these entities in the OAIC guide.

It is therefore possible to conclude that specific costs for entities under the new Australian scheme will be less than under the more stringent Californian model, mainly because reporting is required more often under that model.  As noted above, while these costs will be additional for those entities that have not established systems to meet the existing voluntary scheme, for the most part they are not expected to be significant for other entities. 

There is some evidence of positive impacts on entities subject to data breach notification schemes in terms of minimising legal liability and negative publicity.  In the US, the United States Government Accountability Office , reported that representatives of federal banking regulators, other government agencies, industry associations, and other affected parties stated that breach notification requirements have encouraged companies and other entities to improve their data security practices to minimise legal liability or avoid public relations risks that may result from a publicised breach of customer data [29] .

Impact on competition

In some discussions with stakeholders it has been suggested that, in the US, bigger companies support data breach laws because smaller competitors cannot meet the compliance requirements and some cease doing business.  The proposed amendments are unlikely to raise these issues they do change the small businesses exemption in the Privacy Act.

Industry group respondents to the targeted consultation process noted there could be some positive and negative impacts on competition as a result of a mandatory scheme.  For example, customers may choose to ‘vote with their feet’ given the likely increased publicity around data breaches or lack of breaches, potentially impacting positively on competition. 

Another industry group noted that both general and specific competition issues would arise in the marketing and advertising industry.  That group commented that, in general, data-driven marketing and advertising will be less competitive than alternate channels and platforms (such as mass marketing and advertising in traditional broadcast mediums and in print), if the costs of mandatory data breach notification results in a considerable increase in the price of data-driven marketing campaigns.  As a result, a mandatory data breach notification scheme would affect the most innovative companies working in Australia’s digital economy. 

Industry groups also commented that there was the potential for serious and costly reputational damage if the Commissioner directed an entity to notify a general form of notification (e.g. publication in a newspaper) rather than a targeted notification.   A general form would bring exposure to a wider range of the public, including those that are not affected by the data breach.   To safeguard against such an outcome, it is expected that the Commissioner’s discretion to require notification will be subject to detailed guidance, which would be developed in consultation with relevant stakeholders, including private sector organisations.  The Commissioner’s discretion will also be subject to merits review by the Administrative Appeals Tribunal. 

Finally, an additional competition issue identified was the creation of a higher cost of entry to market.  These businesses would be in a similar state to start-up entities, and would need to factor in the costs associated with the creation of a mandatory data breach notification scheme.  Although, it is arguable that these are likely to be minor compared with other privacy obligations that will need to be adhered to once a new business starts and becomes subject to the Privacy Act.

Costs impact for business if commencement delayed

Some industry group respondents to the targeted consultation process noted that there would be some alleviation of the costs burden if commencement of the proposed mandatory scheme was delayed beyond March 2014.  This was on the basis that industry should be given the time to embed changes into systems and practices for the legislated March 2014 reforms, before considering the need for additional changes to any new regulation. 

Other industry group respondents advised that no cost benefit would accrue by delaying the proposals.  One group noted that it would be more efficient from a cost perspective to align with the March 2014 compliance date, as particular entities can more easily incorporate these requirements into their implementation processes underway relating to the new APPs and credit reporting provisions. 

Similarly, a privacy advocate group commented that the costs for the private sector associated with the implementation of the proposed scheme may be higher if the commencement is delayed beyond March 2014, as there are potential efficiencies to be gained for organisations in dealing with both sets of regulations concurrently. 

On the basis of responses to the targeted consultation process, the weight of opinion favoured concurrent commencement of the proposed scheme with the privacy reforms in March 2014. 

Impact on the OAIC

The impact on the OAIC is likely to be more significant.  As the regulator, it will be expected to receive a larger number of notifications, and will have additional powers to utilise in the event that a failure to comply with a data breach obligation requires investigation.  It will be expected to issue new guidance on the new provisions and have increased requests from entities that are keen to ensure they comply with the new legislative requirements.

However, as more entities improve privacy practices, and more information about preventing data breaches is available, there may be a longer term decline in the number of notifications reported to the OAIC and affected individuals.  Similarly, while entities may be more cautious in the shorter term and report more instances to the OAIC, that may decline over time as they more fully understand their obligations. 

The OAIC will have a significant workload in both the lead up and commencement of the new privacy reforms in March 2014.  That may impact on its ability to produce guidance material pre-commencement, and investigation and enforcement work post-commencement. 

Option 3

Agencies and private sector organisations under the Privacy Act could be encouraged to consider developing industry codes that provide a self-regulatory framework tailored to particular industry needs.  Such codes could be developed under the new Part IIIB of the Privacy Act (to commence in March 2014) which allows for the Privacy Commissioner to approve and register enforceable codes which are developed by entities, on their own initiative or on request from the Commissioner, or by the Commissioner directly.

Impact on business

There could be a number of benefits to a particular industry sector in developing an industry code.  First, they could give entities a sense of active ownership of their privacy obligations.  Secondly, it may send a positive statement to the community that a particular entity or group of entities are mindful of the privacy concerns of individuals and are pro-active in protecting their privacy rights.  A code may also change the culture of an entity or industry by raising awareness of privacy and introducing a compliance regime.  It may serve as a guide to privacy regulation by providing entities with a single document that incorporates all its related legislative requirements and written in a way that is applicable to a particular industry.  Finally, it may provide clarity, certainty and satisfaction to consumers seeking redress by incorporating privacy complaint handling procedures in a code.

A code-based approach would allow government and industry sectors to examine more carefully how data breach incidents impact directly on their own particular sectors, and tailor a framework that takes into account existing reporting requirements and compliance issues. This would recognise the need for a flexible approach over a one-size-fits-all legislative approach that may be more a burden for particular industries. 

Entities subject to the Privacy Act may support the opportunity to create their own code although this would require those entities to set aside resources to meet with industry counterparts to develop a relevant code.  For codes developed under the new Part IIIB of the Privacy Act, the OAIC’s recent consultation draft on Guidelines for developing codes [30] noted that significant resources may need to be allocated to the development and maintenance of a code, including the following matters:

  • investigating the need for a code,
  • establishing an administrative mechanism responsible for developing the code, such as a code development committee ,
  • drafting the code,
  • seeking legal or professional advice,
  • involving all stakeholders (including consumers) in an effective public consultation,
  • establishing a code administrator to oversee the operation of the code,
  • maintaining a register of entities bound by the code and information about the code on a website,
  • hiring and training support staff for the code administration, and
  • financing the development and ongoing administration of the code, including in relation to regularly reporting on, and independent reviews of, the code

It is possible that the costs associated with the development of a code may outweigh the costs of complying with a mandatory data breach notification scheme, particularly if the new model is largely based on the existing voluntary model. 

In addition, most respondents to the targeted consultation process believed that there would be no industry sector impacted disproportionately by the mandatory data breach notification scheme.  This suggests that there is no significant view that a particular industry sector will need special treatment (i.e. a specialised code) to ensure that it does not suffer adversely under the proposed scheme. 

If a Part IIIB of the Privacy Act code was developed, it would have to meet equivalent standards that are currently contained in the OAIC guide, otherwise it is unlikely receive the Privacy Commissioner’s approval.  Given that the mandatory data breach notification scheme is largely based on the existing voluntary model, it is likely that many of the same costs issues identified under Option 2 will be raised. 

There is a risk is that there may not be a consensus among industry participants on a final draft code, which would leave personal information without important privacy protections.  The small amount of codes developed under the existing Privacy Act to date indicates that the code regulation framework is not a solution for all industry sectors. 

Further, given the different range of industries regulated by the Privacy Act, and the different types of personal information being collected, this approach gives rise to the possibility of an inconsistent and fragmented approach being adopted.  This raises the risk that a standardised approach to the handling of personal-information will not be achieved, which would be generally inconsistent with the approach to privacy regulation.  That may raise confusion amongst consumers, who might be notified about a data breach that has occurred with a particular entity in one industry sector, but not another.  Some entities may also be subject to more than one industry code (e.g. telecommunications providers) and may be required to implement different responses to data breaches that occur depending on which code is applicable.  

On the other hand, provided the standards developed under a code did not result in diminished privacy protection rights relative to similar rights in the APPs, and that the OAIC retained a regulatory oversight or advisory role (so that there was community confidence in this approach), this approach could be beneficial to industry sectors. 

Impact on OAIC

The impact on the OAIC is likely to be moderate, depending on its level of involvement in developing and approving the code.  As the regulator, it will be expected to promote greater awareness of the OAIC guide and receive increased requests from industry bodies seeking assistance in developing a code.  If industry codes are successful in encouraging entities to improve privacy practices, there may be a longer term decline in the number of notifications reported to the OAIC and affected individuals.

Impact on individuals

Similar to option one, there is likely to be little change for individual Australians noting that they face existing risks without a mandatory scheme.  Unless a code-based approach is more uniformly adopted across a range of industry sectors, there remains a significant risk that they may continue to be kept unaware in the event that their personal information becomes compromised. 

Their expectations may be raised that, with the development of codes, entities will increasingly improve their privacy practices, and that complaint mechanisms will be available. 

However, if non-Part IIIB codes are developed, individuals will have no guarantee that industries will develop codes that require notification in the event of a data breach, or at least require data breaches to be notified at the standard (‘real risk of serious harm’) currently reflected in the OAIC guide and recommended by the ALRC.  The different requirements that will apply across industry sectors are also likely to raise confusion amongst the general public. 

A non-standardised and inconsistent approach is also less likely to provide the necessary information to meet the ‘informational objective’, which is intended to provide better information to combat data breaches in the future.



 

Consultation

Discussion paper

On 19 October 2012, a discussion paper was released seeking public comments on whether Australia’s privacy laws should include a mandatory data breach notification requirement and, if so, the possible elements of such a requirement.  The deadline for comments on the discussion paper was 23 November 2012, although many submissions were received after that date. 

The objective of the consultation was to obtain views of relevant stakeholders to the proposition that a mandatory scheme be introduced.  In the ALRC’s inquiry, there was strong support in favour of introducing a mandatory scheme, although some large private sector organisations were opposed.  The consultation sought to confirm whether those views were still current, but also to seek views on the elements of a model even if a stakeholder had expressed initial opposition. 

Using the ALRC recommendation as its basis, the discussion paper sought views on whether the existing voluntary reporting system was operating effectively. 

The Government received 62 submissions in response to the issues paper.  There were 24 submissions either strongly, or conditionally, in support of the introduction of a mandatory reporting scheme.  There were 12 submitters who didn’t express a definitive view although most of these did not expressly oppose a mandatory scheme.  The group supporting a mandatory scheme included Commonwealth and State privacy/information commissioners, privacy and consumer advocates, academics, IT software and security companies, and some individuals. 

There were 27 submitters that opposed a mandatory scheme on the grounds that the existing voluntary scheme is operating effectively, and that a mandatory scheme could bring additional compliance obligations.  This group comprised private sector industry groups and individual companies in the banking, telecommunications, retail and online industries, and two key government agencies. 

Many of these submitters questioned whether a real problem had been demonstrated both in the numbers of data breaches, and in the effectiveness of the existing voluntary OAIC guidelines.  Some queried whether overseas examples used in the discussion paper provided ample evidence for a mandatory scheme.  Some believed the Government should first consider the regulatory impact of the measures in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (due to commence on 12 March 2014) before any new significant privacy reforms are to be introduced.  An example of this type of commentary was included in the submission from the Law Council of Australia:

The introduction of amendments to the Privacy Act contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 is likely to bring about a different privacy landscape and we suggest that the effectiveness and consequences (both intended and unintended) of those amendments should be experienced and properly considered before further amendments are made.

In terms of some specific industry sectors, telecommunications companies opposed further regulation in this area, noting that there were existing measures for the telecommunications industry that encouraged the maintenance of adequate security measures and communication with customers in the event of a breach.  Advertising organisations also believed the existing system was operating effectively, noting that there were risks for a business’s reputation where it did not adhere to high standards of privacy protection or where it had inadequate responses to breaches.  The Australian Bankers’ Association stated that there was no apparent evidence of a clear and substantial market failure warranting legislative intervention.

Elements of possible model

The discussion paper also sought responses on possible elements of a legislative model.  These included: which entities should be subject to the requirement; the types of breaches that should be reported; who should decide on whether to notify; the content of a notification; the time frame for reporting; the penalty for failing to notify; and whether any exceptions should apply.

The vast majority of submitters who commented on the possible design of a mandatory scheme were in favour of the ALRC’s recommended trigger for notification, or a variation of that test, i.e. a test based on a ‘real risk of serious harm’ to an individual.  This would not require entities to report less serious privacy breaches to affected individuals or the OAIC.  To lessen the regulatory burden, some private sector submitters recommended a higher threshold involving more serious breaches and/or a minimum number of individuals who are personally affected (e.g. 100-1,000 people).  Some privacy advocates and the Victorian Privacy Commissioner suggested a lower bar, including, in some circumstances, requiring mandatory notification to the OAIC even where it did not appear to pose harm to individuals.

On the issue of the content of the notification, there were a range of views with private sector submitters preferring less detailed information having to be provided, while privacy commissioners/advocates believed more should be included.  For example, Telstra believed it should be limited to the fact of the data breach, the information accessed/disclosed and what affected persons could do to minimise the impacts.  On the other hand, the NSW Privacy Commissioner believed it should also include more details about the incident, the action that has been taken as a result of the breach and contacts at the agency or organisation.

The draft legislation has addressed concerns of private sector submitters by requiring less detailed information. 

Most submitters agreed that there should be no set time frame for notification given the variable factors unique to each data breach, and that some will be more complex and difficult to assess initially.  Submitters favoured a number of tests, including requiring notification ‘as soon as practicable’, ‘as soon as is reasonable in the circumstances’, or ‘without unreasonable delay’.  Most submitters also favoured the form of notification to be whatever is appropriate in the circumstances, or in the form the entity usually communicates with the affected person.  This has been reflected in the draft legislation.

In terms of whether to include a penalty, most private sector submitters opposed the inclusion of a penalty, or were only agreeable if it included specified exculpatory factors (e.g. liability wouldn’t arise for unintentional failures to notify).  Commonwealth and State Information/Privacy Commissioners and privacy/consumer advocacy groups favoured civil penalties with significant penalties to create a deterrent.  For example, the OAIC recommended a civil penalty level similar to the equivalent provision in the Personally Controlled Electronic Health Records Act 2012 (i.e. 100 penalty units - $17,000).

The draft legislation has addressed concerns of private sector submitters by ensuring that a civil penalty only applies for serious or repeated breaches of mandatory data breach notification requirements.

There was broad consensus on which entities should be subject to the scheme, with most submitters who commented agreeing with the ALRC’s view that it should apply to current entities regulated by the Privacy Act.  A small number of submitters argued that all businesses that hold personal information should be subject to the scheme, or that, if the Government removed or amended exemptions in the future (e.g. small businesses, political parties), those entities should also automatically be subject to the scheme.

The draft legislation has reflected these comments by not applying the scheme to small businesses. 

Confidential targeted consultation

In April 2013, an Exposure Draft Bill was provided on a confidential basis to a targeted group of stakeholders.  The purpose of the consultation was to obtain more information to assist the Government in making a decision about whether to introduce a mandatory data breach notification scheme. 

The key features of the Exposure Draft Bill that was provided for comments were:

  • the proposed model would create a requirement to notify the OAIC and affected individuals where there has been a data breach which has given rise to a ‘real risk of serious harm’ to an affected individual.  That was the ALRC’s recommended approach.  A real risk is defined as a risk that is not a remote risk.  This would mean entities would not be required to report less serious privacy breaches to affected individuals or the OAIC.
  • the requirement to notify would apply to data breaches involving personal information, credit reporting information, credit eligibility information and tax file number information.
  • the content requirements of the notification are, at a minimum: a description of the breach; a list of the kinds of personal information concerned; contact information for affected individuals to obtain more information and assistance; and recommendations about the steps that individuals should take in response to the breach. 
  • the OAIC will have the power to compel notification to affected individuals where it becomes aware of a serious data breach that has not been notified (as a result of an individual’s complaint or otherwise) and it is in the public interest to do so; and
  • the OAIC would have its normal investigative and enforcement powers in relation to non-compliance with an obligation to notify.  Consistent the measures in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 , a civil penalty would only be applicable where there has been a serious or repeated non-compliance with mandatory notification requirements.

The targeted group was invited to make any comments on the legislative model.  It was also asked to make comments on how the legislative model would impact on the costs that regulated entities might incur as a result of a new legislative requirement.  Specifically, the targeted group was invited to comment on the following questions:

(1)    What is likely to be the ‘paper burden’ or administrative costs (quantified if possible) to private sector organisations under the mandatory scheme in the Exposure Draft Bill?  In particular, what will be the burden for entities that:

a.        Have existing systems in place to comply to make notifications (where necessary) consistent with the existing voluntary Data Breach Notification Guide of the Office of the Australian Information Commissioner?, and

b.       Have no systems in place and may have ‘start up’ costs?

(2) In your view, will particular industry sectors incur costs disproportionately under the scheme in the Exposure Draft Bill than other regulated entities under the Privacy Act 1988 ?

(3) Will the scheme in the Exposure Draft Bill result in any restrictions on competition?



 

(4) Will the costs impact on private sector organisations be different if the commencement of the mandatory scheme in the Exposure Draft Bill was delayed beyond 12 March 2014 (i.e. beyond the date that the key measures in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 commence)?

The Government received nine submissions in response to the issues paper.  These came from a range of industry groups representing banks, telecommunications providers, financial service providers, internet companies and direct marketers.  Submissions were also received from privacy and consumer advocates.  Detailed discussion and analysis of the responses to this consultation process have been included in the ‘Impact Analysis’ section above.

Conclusion

In this RIS, three options have been considered:

  • Option One: Maintaining the status quo; or
  • Option Two: Introduce a mandatory data breach notification scheme.
  • Option Three: Encourage industry to develop industry codes.

The preferred option is Option Two. 

Option Two would require the introduction of a legislative requirement which would have impacts on individuals, businesses, and the OAIC.

Option Two would provide individuals with the information that a breach of their personal information has occurred.  Concerns about the safety and security of personal information in the online environment have been identified as key issues for individuals.  Individuals could be in a position to take steps to mitigate against the possibility of identity theft or fraud, which might cause them financial loss.  This will be an important measure to assist in combatting cybercrime, which is consistent with US studies which indicate mandatory data breach notification laws have an effect in lowering identity theft rates.  On the other hand, a mandatory notification scheme may provide little or no relief for some individuals whose health information has been published online and made widely known before being removed. 

As noted in the analysis, there will be cost impacts on businesses.  The Privacy Act applies to private sector organisations that have a turnover of more than $3 million, and to some small businesses which are subject to the Privacy Act (e.g. those that trade in personal information).  A number of administrative costs have been identified by industry groups such as creating notification methods, formalising internal processes and increased insurance and legal costs.  To address concerns of those who identified particular administrative costs to the business, the Bill has been amended to make the means of notification more flexible.    

However, specific costs estimates varied from a small group of stakeholders who believed there would be large costs amounts to most who believed there would be modest cost implications.  Privacy and consumer advocates believed costs would be minimal, and should be considered necessary where an entity handled personal information.  More detailed US studies indicate that the notification cost component of addressing a data breach was on the increase.

There are a range of views about whether particular industry sectors would incur costs disproportionately under a mandatory scheme.  While most believe there would no disproportionate impact, some identified small businesses (e.g. those that trade in personal information) and financial services sector businesses as entities that may incur adverse impacts more than other businesses. 

Option Two would create positive and negative impacts on competition.  Consumers could be more likely to move to competitor companies with better security, or response measures, to data breaches.  There may be particular adverse competition implications within the data-driven marketing and advertising industry for smaller operators within that industry, and data-drive marketing campaigns launched on behalf of other businesses.  The power for the Commissioner to direct that a mandatory data breach notification occur could also expose a business and its data breach to a wider audience, thereby causing more reputational damage than a normal notification from a business to its affected customers.

A possible delay in the commencement of the introduction of a mandatory data breach notification scheme could alleviate the costs burden for businesses, although it could also be more efficient if it is aligned with major privacy reforms that will commence in March 2014.  On the basis of the analysis in the RIS, Option Two would be the most effective option to safeguard the personal information of individuals and encourage improvements in privacy practices, although it will raise cost impacts for businesses which will be subject to the scheme, and resource implications for the OAIC, which will have regulator functions relating to the scheme. 

Implementation and review

Any reforms would be implemented through amendments to the Privacy Act 1988 .  It is anticipated that the amendments will form part of a Bill to be introduced in the 2013 Winter Sittings.  It is proposed that the amendments commence at the same time as key amendments in the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which is 12 March 2014.  The amendments will apply prospectively to data breaches that occur after 12 March 2014. 

To review the effectiveness of the changes it is proposed that these measures be included in a review to be undertaken 12 months after commencement of the major privacy reforms in March 2014, which were contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 .  A 12 month post commencement review was a recommendation of the House of Representatives Standing Committee on Social Policy and Legal Affairs, which was accepted by the Government.  The review would include an assessment of the impact of the proposal and its effectiveness in meeting its objectives and the actual costs to stakeholders of the implementation of the reforms.

In the lead up to commencement of the amendments, it would be expected that the OAIC will develop and publish guidance about the operation of the new scheme.  This may be in the form of a modified OAIC guide on data breach notification, and provide guidance about the practical aspects of the scheme.  It would be expected that the OAIC will undertake consultation as necessary with stakeholders, including private sector organisations, in the development of that guidance. 



 

Attachment A

Australian Law Reform Commission recommendation 51-1

Recommendation 51-1 The Privacy Act should be amended to include a new Part on data breach notification, to provide as follows:

(a)     An agency or organisation is required to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.

 

(b)    The definition of ‘specified personal information’ should include both personal information and sensitive personal information, such as information that combines a person’s name and address with a unique identifier, such as a Medicare or account number.

 

(c)     In determining whether the acquisition may give rise to a real risk of serious harm to any affected individual, the following factors should be taken into account:

 

                             (i)             whether the personal information was encrypted adequately; and

 

                           (ii)             whether the personal information was acquired in good faith by an employee or agent of the agency or organisation where the agency or organisation was otherwise acting for a purpose permitted by the Privacy Act (provided that the personal information is not used or subject to further unauthorised disclosure).

 

(d)    An agency or organisation is not required to notify an affected individual where the Privacy Commissioner considers that notification would not be in the public interest or in the interests of the affected individual.

 

(e)     Failure to notify the Privacy Commissioner of a data breach as required by the Act may attract a civil penalty.

 

 



STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

 

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Privacy Amendment (Data Breach Notification) Bill 2013

 

This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 .

 

Overview of the Bill

 

The Bill amends the Privacy Act 1988 by inserting provisions imposing a data breach notification requirement on entities regulated by Privacy Act ( entity ) in relation to serious data breaches.  The amendments will commence on 12 March 2014.

 

‘Serious data breach’ is defined in the Bill.  Broadly speaking, a data breach occurs where personal information held by an entity is subject to unauthorised access or disclosure.  A hacking attack involving the publication online of individuals’ names and credit card numbers would be example of a ‘serious data breach’.  Another example would be the accidental publication of patient records by a medical practice.

 

The Bill provides that, where an entity has suffered a serious data breach, it must notify the individual(s) whose personal information is the subject of the breach ( affected individuals ) as well as the Australian Information Commissioner.

 

In addition, the Commissioner may direct an entity to notify affected individuals of a serious data breach.  The Bill provides that an entity which fails to notify affected individuals engages in an interference with the privacy of an individual.  The Commissioner may pursue a civil penalty on such an entity under the new reforms to the Privacy Act, which commence on 12 March 2014.

 

The Bill’s notification requirements are expected to result in more timely opportunities for individuals to promptly respond to a data breach by changing passwords, cancelling credit cards etc.  It is also anticipated that the notification requirements will provide entities with an incentive to improve security standards relating to personal information.

 

Human rights implications

 

The Bill engages the following rights:



  • the right to privacy—Article 17 of the International Covenant on Civil and Political Rights (ICCPR), and
  • the right to a fair trial—Article 14 of the ICCPR

 

 

 

 

The right to privacy



Article 17 of the ICCPR provides that:



  1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
  2. Everyone has the right to the protection of the law against such interference or attacks.

 

The Bill promotes the right to privacy in that it provides the protection of the law against unlawful interferences with privacy.  Individuals who are notified of a data breach will be able to take prompt measures to protect their privacy.  Furthermore, the Bill creates an incentive for entities to improve security standards relating to personal information.

 

Law enforcement exemption

 

The notification requirement will be limited where: (a) the entity is an enforcement body; and (b) the enforcement body believes on reasonable grounds that compliance with that subsection would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, the enforcement body.  Where that is the case, the enforcement body must only notify the Commissioner.  A key objective of the Privacy Act is to balance the protection of privacy with the interests of entities in carrying out their lawful and legitimate functions and activities.  Because of their role in providing security to the community, it would not be appropriate for the Bill to contain measures that could prejudice law enforcement activities.  It is important to note that law enforcement bodies are not exempt from the notification requirement as such.  They will still have to comply with the notification requirement in circumstances where compliance would not prejudice an enforcement related activity.

 

The right to a fair trial

 

The Bill engages Article 14 of the ICCPR, which guarantees a person be afforded, in the determination of any criminal charge against them, the right to a fair trial.  The United Nations Human Rights Committee has stated that the notion of criminal charges may ‘also extend to acts that are criminal in nature with sanctions that, regardless of their qualification in domestic law, must be regarded as penal because of their purpose, character or severity’ (see General Comment No. 32, para 15; Communication No. 1015/2001, Perterer v Austria , at para 9.2.).  It is therefore necessary to consider the substance as well as the form of the penalties provided for by the Bill.

 

As noted above, the Bill provides that an entity which fails to notify affected individuals of a serious data breach engages in an interference with the privacy of an individual.  This is a reasonable and proportionate provision because failure to notify can have similarly adverse consequences for individuals to other interferences with privacy.  Other interferences as defined in the amended Privacy Act include breaching an Australian Privacy Principle.  A range of acts and omissions may constitute a breach of an Australian Privacy Principle, from disclosing personal information for the purposes of direct marketing to not properly notifying individuals that their personal information has been collected.

 

Interferences with the privacy of an individual may attract a civil penalty where there has been a serious or repeated interference with the privacy of an individual.  A civil penalty can only be issued by the Federal Court or Federal Magistrates Court/Federal Circuit Court of Australia following an application by the Commissioner.  No minimum penalty is prescribed.  Serious or repeated interferences with the privacy of an individual attract a maximum penalty of 2,000 penalty units for individuals and 10,000 penalty units for bodies corporate.

 

The penalties that may be imposed under the Privacy Act upon entities which have committed interferences with the privacy of an individual are compatible with Article 14 of the ICCPR.  The penalties are further explained in the Statement of Compatibility with Human Rights for the Privacy Amendment (Enhancing Privacy Protection) Act 2012 at pages 44-49 of the Explanatory Memorandum for that Act.

 

Conclusion

 

The Bill is compatible with human rights because it promotes the right to privacy in Article 17, and does not interfere with the rights protected by Article 14, of the ICCPR.

 

 

 

 

 



NOTES ON CLAUSES

Preliminary

Clause 1—Short title

This clause provides that when the Bill is enacted, it may be cited as the Privacy Amendment (Privacy Alerts) Act 2013 .

Clause 2—Commencement

This clause provides for the commencement of each provision in the Bill, as set out in the table.  Item 1 in the table provides that sections 1 to 3, which concern the formal aspects of the Bill, as well as anything in the Bill not elsewhere covered by the table, will commence on the day on which the Bill receives the Royal Assent. 

Item 2 in the table provides that Schedule 1 of the Bill, which contains the substantive amendments to the Privacy Act 1988 ( the Privacy Act ) will commence immediately after the commencement of Schedules 1 to 4 to the Privacy Amendment (Enhancing Privacy Protection) Act 2012 ( the Privacy Amendment Act ).  This has the effect that Schedule 1 of the Bill will commence on 12 March 2014.

Subclause 2(2) provides that the information in column 3 of the table, which provides dates and further details, does not form part of the Bill.  The subclause also provides that information in column 3 may be edited or inserted in any published version of the Bill once enacted.

Clause 3—Schedules

Clause 3 provides that each Act specified in the Schedule is amended or repealed as set out in the Schedule.  Clause 3 also provides that any other item in a Schedule of the Bill will have effect according to its terms.

Schedule 1—Amendments

Privacy Act 1988

Item 1                         Subsection 6(1)

Item 1 of Schedule 1 inserts a definition of ‘serious data breach’ into existing subsection 6(1) of the Privacy Act.  This Item provides that the term ‘serious data breach’ has the meaning given by section 26X, 26Y, 26Z or 26ZA, which are inserted into the Privacy Act by this Bill (see Item 4, below).

This definition is intended to capture data breaches that are significant enough to warrant notification.  This will ensure the Government does not create or impose an unreasonable compliance burden on entities regulated by the scheme, and avoid the risk of ‘notification fatigue’ among individuals receiving a large number of notifications in relation to non-serious breaches. 

Item 2            

Item 2 of Schedule 1 inserts a definition of ‘significantly affected’ into existing subsection 6(1) of the Privacy Act.  This Item provides that the term ‘significantly affected’, in relation to an individual and in relation to a serious data breach, has the meaning given by section 26X, 26Y, 26Z or 26ZA, which are inserted into the Privacy Act by this Bill (see Item 4, below).

This definition is intended to capture the individuals who are required to be notified in the event of a serious data breach.  First, that will be individuals who are at real risk of serious harm in the event of a serious data breach.  Secondly, it will also cover those individuals who are affected by serious data breaches involving particular categories of personal information, credit reporting information, credit eligibility information, or tax file number information that has been prescribed under the regulations (e.g. using the regulation-making power contained in subparagraph 26X(1)(d)(ii)).

Item 3             After subsection 13(4)

Item 3 of Schedule 1 inserts a new subsection 13(4A) into the Privacy Act after new subsection 13(4), as included by the Privacy Amendment Act.  New subsection 13(4A) is titled ‘Data breach notification’, and provides that if an entity (within the meaning of Part IIIC) contravenes either new section 26ZB or 26ZC of the Privacy Act (which are inserted by this Bill), the contravention is taken to be an act that is an ‘interference with the privacy of an individual’.  Subsection 6(1) of the Privacy Act, as amended by the Privacy Amendment Act, provides that the term ‘interference with the privacy of an individual’ has the meaning given by section 13 to 13F of the Privacy Act. 

The effect of new subsection 13(4A) of the Privacy Act will be to enable the Australian Information Commissioner ( the Commissioner ) to use the powers and access the remedies available to the Commissioner under the Privacy Act to investigate and address contraventions of section 26ZB or 26ZC.  These will include new powers that commence on 12 March 2014.  These include the capacity for the Commissioner to initiate own motion investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.

A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the Commissioner.  Serious or repeated interferences with the privacy of an individual attract a maximum penalty of 2,000 penalty units for individuals and 10,000 penalty units for bodies corporate.

Item 4             After Part IIIB

Item 4 of Schedule 1 inserts a new Part IIIC, titled ‘Data breach notification’, into the Privacy Act following existing Part IIIB.   This new Part contains the substantive elements of the mandatory data breach notification provisions, which apply to entities that are regulated by the Privacy Act.

The Part is divided into two Divisions.  Broadly, the first Division sets out when a ‘serious data breach’ will have occurred, and the second Division contains obligations for entities to notify of that serious data breach, subject to limited exceptions.

Division 1—Serious data breach

Section 26X                Serious data breach—APP entities

This section sets out the circumstances in which access to, or disclosure of, personal information will be a serious data breach where the personal information is held by an APP entity.  ‘APP entity’ is defined in subsection 6(1) of the Privacy Act and includes Commonwealth government agencies and private sector organisations regulated by the Privacy Act.  The provision refers to Australian Privacy Principle 11, which requires APP entities to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Unauthorised access or disclosure of personal information

New subsection 26X(1), which is titled ‘Unauthorised access or disclosure of personal information’, establishes the circumstances that will constitute a ‘serious data breach’ when personal information is subject to unauthorised access or unauthorised disclosure.

New subsection 26X(1) provides that unauthorised access to, or unauthorised disclosure of, personal information will be a serious data breach if an APP entity holds personal information relating to one or more individuals, is required under section 15 of the Privacy Act to comply with Australian Privacy Principle 11.1, and either:

·          the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the personal information relates (subparagraph 26X(1)(d)(i)), or

 

·          any of the personal information is of a kind specified in the regulations (subparagraph 26X(1)(d)(ii)).

In this context, ‘serious harm’ includes harm to reputation and economic or financial harm (section 26ZE).  The risk of harm must be real (that is, not remote) for it to give rise to a serious data breach (section 26ZF).  In order not to impose an unreasonable compliance burden on APP entities and to avoid the risk of ‘notification fatigue’ among individuals receiving a large number of notifications in relation to non-serious breaches, it is not intended that every data breach be subject to a notification requirement. 

The ability to make regulations to specify particular situations that may also be serious data breaches is intended to provide the flexibility to deal with data breaches that may not reach the threshold of a real risk of serious harm but should nevertheless be subject to notification.  These could include the release of particularly sensitive information such as health records which may not cause serious harm in every circumstance but should be subject to the highest level of privacy protection.

Paragraph 26X(1)(f) provides that, if subparagraph 26X(1)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is at real risk of serious harm from the access or disclosure of their personal information.  Paragraph 26X(1)(g) provides that, if subparagraph 26X(1)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the personal information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach. 

This Item also inserts two Notes following new subsection 26X(1) and before new subsection 26X(2).  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF. 

The effect of this section is to establish the circumstances that will constitute a ‘serious data breach’ when personal information is subject to unauthorised access or unauthorised disclosure.

Loss of personal information

New subsection 26X(2), which is titled ‘Loss of personal information’, establishes the circumstances that will constitute a ‘serious data breach’ when personal information is lost in a situation that may result in that personal information being subject to unauthorised access or unauthorised disclosure.

New subsection 26X(2) provides that the loss of personal information in circumstances where unauthorised access to, or unauthorised disclosure of, the personal information may occur will be a serious data breach if an APP entity holds personal information relating to one or more individuals, is required under section 15 of the Privacy Act to comply with Australian Privacy Principle 11.1, and either:

·          assuming that unauthorised access to, or unauthorised disclosure of, the personal information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the personal information relates (subparagraph 26X(2)(d)(i)), or

 

·          any of the personal information is of a kind specified in the regulations (subparagraph 26X(2)(d)(ii)).

Paragraph 26X(2)(f) provides that, if subparagraph 26X(2)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual would be at real risk of serious harm if the unauthorised access or unauthorised disclosure of their personal information were to occur.  Paragraph 26X(2)(g) provides that, if subparagraph 26X(2)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the personal information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach. 

This Item also inserts two Notes following new subsection 26X(2) and before new subsection 26X(3).  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF. 

Overseas recipients

New subsection 26X(3), which is titled ‘Overseas recipients’, establishes the circumstances under which an APP entity will retain accountability for a ‘serious data breach’ involving personal information even though that APP entity might not be otherwise responsible for the breach due to the fact that the information has been disclosed to an overseas recipient.

New subsection 26X(3) provides that where:

·         an APP entity has disclosed personal information to an overseas recipient

·         APP 8.1 applied to that disclosure, and

·         the overseas recipient holds the personal information

then new section 26X of the Privacy Act applies to that cross-border transfer of personal information as if the personal information was held by the APP entity which was required under section 15 of the Privacy Act not to do an act, or engage in a practice, that breaches APP 11.1 in relation to the personal information. This means that the requirements of new subsections 26X(1) and 26X(2) apply, and the disclosing APP entity retains accountability under section 16C of the Privacy Act for that personal information, even if the data breach occurred offshore.

Section 26Y                Serious data breach—credit reporting bodies

This section sets out the circumstances in which unauthorised access to, or unauthorised disclosure of, credit reporting information will be a serious data breach where the credit reporting information is held by a credit reporting body.  ‘Credit reporting information’ is defined in subsection 6(1) of the Privacy Act and includes the credit-related information about individuals collected by credit providers and disclosed to credit reporting bodies.  ‘Credit reporting body’ is defined in subsection 6(1) of the Privacy Act as an organisation that carries on a credit reporting business.  The provision refers to section 20Q of the Privacy Act.  Section 20Q is based on APP 11 and requires credit reporting bodies to, among other things, protect credit reporting information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Unauthorised access or disclosure of credit reporting information

New subsection 26Y(1), which is titled ‘Unauthorised access or disclosure of credit reporting information’, establishes the circumstances that will constitute a ‘serious data breach’ when credit reporting information is subject to unauthorised access or unauthorised disclosure.

New subsection 26Y(1) provides that unauthorised access to, or unauthorised disclosure of, credit reporting information will be a serious data breach if a credit reporting body holds credit reporting information, is required to comply with section 20Q of the Privacy Act, and either:

·          the unauthorised access or unauthorised disclosure will result in a real risk of serious harm to any of the individuals to whom the credit reporting information relates (subparagraph 26Y(1)(d)(i)), or

 

·          any of the credit reporting information is of a kind specified in the regulations (subparagraph 26Y(1)(d)(ii).

Paragraph 26Y(1)(f) provides that, if subparagraph 26Y(1)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is at real risk of serious harm from the access or disclosure of their credit reporting information.  Paragraph 26Y(1)(g) provides that, if subparagraph 26Y(1)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the credit reporting information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach. 

This Item also inserts two Notes following new subsection 26Y(1) and before new subsection 26Y(2).  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF. 

Loss of credit reporting information

New subsection 26Y(2), which is titled ‘Loss of credit reporting information’, establishes the circumstances that will constitute a ‘serious data breach’ when credit reporting information is lost in a situation that may result in that personal information being subject to unauthorised access or unauthorised disclosure.

New subsection 26Y(2)provides that the loss of credit reporting information in circumstances where unauthorised access to, or unauthorised disclosure of, the credit reporting information may occur will be a serious data breach if the credit reporting body holds credit reporting information relating to one or more individuals, is required to comply with section 20Q of the Privacy Act, and either:

·          assuming that unauthorised access to, or unauthorised disclosure of, credit reporting information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit reporting information relates (subparagraph 26Y(2)(d)(i)), or

 

·          any of the credit reporting information is of a kind specified in the regulations(subparagraph 26Y(2)(d)(ii)).

Paragraph 26Y(2)(f) provides that, if subparagraph 26Y(2)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual would be at real risk of serious harm if the unauthorised access to, or unauthorised disclosure of, the credit reporting information were to occur.  Paragraph 26Y(2)(g) provides that, if subparagraph 26Y(2)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the credit reporting information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach. 

This Item also inserts two Notes following new subsection 26Y(2) and before new subsection 26Y(3).  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF. 

Section 26Z                Serious data breach—credit providers

This section sets out the circumstances in which access to or disclosure of credit eligibility information will be a serious data breach where the credit eligibility information is held by a credit provider.  ‘Credit eligibility information’ is defined in subsection 6(1) of the Privacy Act as including credit reporting information disclosed to a credit provider by a credit reporting body and information derived from the credit reporting information.  ‘Credit provider’ is defined in section 6G of the Privacy Act as including a bank or other organisation that provides credit as a substantial part of its business or undertaking.  The provision refers to section 21S of the Privacy Act.  Section 21S is based on APP 11 and requires credit providers, among other things, to protect credit eligibility information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Unauthorised access or disclosure of credit eligibility information

New subsection 26Z(1), which is titled ‘Unauthorised access or disclosure of credit eligibility information’, establishes the circumstances that will constitute a ‘serious data breach’ when credit eligibility information is subject to unauthorised access or unauthorised disclosure.

New subsection 26Z(1) provides that unauthorised access to, or unauthorised disclosure of, credit eligibility information will be a serious data breach if a credit provider holds credit eligibility information, is required to comply with subsection 21S(1) of the Privacy Act, and either:

·          the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit eligibility information relates (subparagraph 26Z(1)(d)(i)), or

 

·          any of the credit eligibility information is of a kind specified in the regulations (subparagraph 26Z(1)(d)(ii)).

Paragraph 26Z(1)(f) provides that, if subparagraph 26Z(1)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is at real risk of serious harm from the access or disclosure of their credit eligibility information. Paragraph 26Z(1)(g) provides that, if subparagraph 26Z(1)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the credit eligibility information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach. 

This Item also inserts two Notes following new subsection 26Z(1) and before new subsection 26Z(2).  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF. 

Loss of credit eligibility information

New subsection 26Z(2), which is titled ‘Loss of credit eligibility information’, establishes the circumstances that will constitute a ‘serious data breach’ when personal information is lost in a situation that may result in that credit eligibility information being subject to unauthorised access or unauthorised disclosure.

New subsection 26Z(2) provides that the loss of credit eligibility information in circumstances where unauthorised access to, or unauthorised disclosure of, the credit eligibility information may occur will be a serious data breach if the credit provider holds credit eligibility information relating to one or more individuals, is required to comply with section 21S(1) of the Privacy Act, and either:

·          assuming that unauthorised access to, or unauthorised disclosure of, credit eligibility information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit eligibility information relates (subparagraph 26Z(2)(d)(i)), or

 

·          any of the credit eligibility information is of a kind specified in the regulations (subparagraph 26Z(2)(d)(ii)).

Paragraph 26Z(2)(f) provides that, if subparagraph 26Z(2)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual would be at real risk of serious harm if the unauthorised access to, or unauthorised disclosure of, the credit eligibility information were to occur.  Paragraph 26Z(2)(g) provides that, if subparagraph 26Z(2)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the credit eligibility information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach. 

This Item also inserts two Notes following new subsection 26Z(2) and before new subsection 26Z(3).  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF. 

Bodies or persons with no Australian link

New subsection 26Z(3), which is titled ‘Bodies or persons with no Australian link’, establishes the circumstances under which a credit provider will retain accountability for a ‘serious data breach’ involving credit eligibility information that was disclosed to a body or person with no Australian link.

New subsection 26Z(3) provides that where:

·          either:

 

o    a credit provider has disclosed, under paragraph 21G(3)(b) or (c) of the Privacy Act, credit eligibility information about one or more individuals to a related body corporate, or person, that does not have an Australian link, or

 

o    a credit provider has disclosed, under subsection 21M(1) of the Privacy Act, credit eligibility information about one or more individuals to a body or person that does not have an Australian link, and

 

·          the related body corporate, body or person holds the credit eligibility information

then new section 26Z of the Privacy Act applies to that transfer of credit eligibility information as if the credit eligibility information were held by the credit provider, and the credit provider were required to comply with subsection 21S(1) of the Privacy Act in relation to the credit eligibility information.  This means that the requirements of new subsections 26Z(1) and 26Z(2) apply, and the credit provider retains accountability for that credit eligibility information, even where a credit provider discloses credit eligibility information to a recipient that does not have an Australian link.  The term ‘Australian link’ is used to define the entities that are subject to the operation of the Privacy Act, and is used, for example, in new section 5B, APP 8 and throughout the credit reporting provisions.  This subsection will apply where credit eligibility information has been disclosed by the credit provider to the entities listed in the specified circumstances, and where these entities hold that information.

This Item also inserts a Note following new subsection 26Z(3) and before new section 26ZA.  The Note provides a cross-reference to section 21NA of the Privacy Act.  That section provides that credit providers may, where they satisfy the requirements of clause 21NA, disclose credit eligibility information to an entity that does not have an Australian link.  Types of overseas entities to which a credit provider may choose to disclose credit eligibility information may include a credit provider’s agents or related body corporates, as well as a credit provider’s credit managers or debt collectors.

Section 26ZA             Serious data breach—file number recipients

This section sets out the circumstances in which unauthorised access to, or unauthorised disclosure of, tax file number information will be a serious data breach where the tax file number information is held by a file number recipient.  ‘Tax file number’ and ‘tax file number information’ are defined in section 6(1) of the Privacy Act.  The provision refers to sections 17 and 18 of the Privacy Act.  Section 17 provides that the Commissioner must issue guidelines concerning the collection, storage, use and security of tax file number information.  Section 18 provides that a file number recipient shall not do an act, or engage in a practice, that breaches a guideline issued under section 17.

Unauthorised access or disclosure of tax file number information

New subsection 26ZA(1), which is titled ‘Unauthorised access or disclosure of tax file number information’, establishes the circumstances that will constitute a ‘serious data breach’ when tax file number information is subject to unauthorised access or unauthorised disclosure.

New subsection 26ZA(1) provides that unauthorised access to, or unauthorised disclosure of, tax file number information will be a serious data breach if a file number recipient holds tax file number information, is required to comply with sections 17 and 18 of the Privacy Act, and either:

·          the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the tax file number information relates (subparagraph 26ZA(1)(d)(i)), or

 

·          any of the credit eligibility information is of a kind specified in the regulations (subparagraph 26ZA(1)(d)(ii)).

New paragraph 26ZA(1)(f) provides that, if subparagraph 26ZA(1)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is at real risk of serious harm because of the unauthorised access to, or unauthorised disclosure of, their tax file number information. Paragraph 26ZA(1)(g) provides that, if subparagraph 26ZA(1)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the tax file number information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach. 

This Item also inserts two Notes following new subsection 26ZA(1) and before new subsection 26ZA(2).  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF. 

Loss of tax file number information

New subsection 26ZA(2), which is titled ‘Loss of tax file number information’, establishes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                the circumstances that will constitute a ‘serious data breach’ when tax file number information is lost in a situation that may result in that personal information being subject to unauthorised access or unauthorised disclosure.

New subsection 26ZA(2) provides that the loss of tax file number information in circumstances where unauthorised access to, or unauthorised disclosure of, the tax file number information may occur will be a serious data breach if the file number recipient holds tax file number information relating to one or more individuals; is required to comply with sections 17 and 18 of the Privacy Act, and either:

·          assuming that unauthorised access to, or unauthorised disclosure of, tax file number information were to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the credit eligibility information relates (subparagraph 26ZA(2)(d)(i)), or

 

·          any of the tax file number information is of a kind specified in the regulations (subparagraph 26ZA(2)(d)(ii)).

Paragraph 26ZA(2)(f) provides that, if subparagraph 26ZA(2)(d)(i) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual would be at real risk of serious harm if the unauthorised access to, or unauthorised disclosure of, the tax file number information were to occur.  Paragraph 26ZA(2)(g) provides that, if subparagraph 26ZA(2)(d)(ii) applies, an individual is ‘significantly affected’ by the serious data breach if, and only if, the individual is both an individual to whom the tax file number information relates; and an individual who, under the regulations, is taken to be significantly affected by the serious data breach. 

This Item also inserts two Notes following new subsection 26ZA(2) and before the heading for new Division 2--Notifying serious data breaches.  Note 1 provides a cross-reference to the definition of the term ‘harm’ in new section 26ZE.  Note 2 provides a cross-reference to the definition of the term ‘real risk’ in new section 26ZF. 

Division 2—Notifying serious data breaches

Section 26ZB  Entity must notify serious data breach

This section sets out the circumstances in which an entity must provide notification of a serious data breach and to whom notification must be given.  The section also sets out the circumstances in which an entity may be exempt from an obligation to notify a serious data breach.

New subsection 26ZB(1) provides that if an entity believes on reasonable grounds that there has been a serious data breach of the entity in relation to either personal information, credit reporting information, credit eligibility information or tax file number information, the entity must, as soon as practicable after forming that belief:

·          prepare a statement that complies with new subsection 26ZB(2) (paragraph 26ZB(1)(e)) ( a paragraph 26ZB(1)(e) statement )

 

·          give a copy of the paragraph 26ZB(1)(e) statement to the Commissioner (paragraph 26ZB(1)(f))

 

·          if the general publication conditions are not satisfied, take such steps as are reasonable in the circumstances to notify the contents of the paragraph 26ZB(1)(e) statement to each of the individuals significantly affected by the serious data breach that the entity believes has happened (paragraph 26ZB(1)(g)), and

 

·          if the general publication conditions are satisfied:

 

o    publish a copy of the paragraph 26ZB(1)(e) statement on the entity’s website (if any) (subparagraph 26ZB(1)(h)(i)), and

 

o    cause a copy of the statement to be published in each State by being published in at least one newspaper circulating generally in that State (subparagraph 26ZB(1)(h)(ii)).

This Item also inserts a Note following new subsection 26ZB(1) and before new subsection 26ZB(2).  The Note provides a cross-reference to subsection 26ZB(12), which contains the general publication conditions.

The concept in paragraph 26ZB(1)(g) of ‘taking such steps as are reasonable in the circumstances’ is used elsewhere in the Privacy Act.  As noted in the Explanatory Memorandum to the Privacy Amend ment (Enhancing Privacy Protection) Act 2012 , the phrase ‘reasonable in the circumstances’ is an objective test that ensures that the specific circumstances of each case have to be considered when determining the reasonableness of the steps in question.

This flexibility is necessary given the different types of entities that are to be regulated under the new scheme.  For example, for entities with particular functions or engaged in certain activities, it may not be ‘reasonable in the circumstances’ to notify about a data breach.  For example, it may not be reasonable in the circumstances for a Commonwealth agency or private sector organisation to notify particular individuals about a data breach, where that organisation has been advised by a law enforcement agency or intelligence agency that notification might prejudice or adversely affect a law enforcement investigation or intelligence related activity.  However, the entity would still be required to comply with paragraph 26ZB(1)(f) and provide a copy to the Commissioner. 

New subsection 26ZB(2) sets out the contents of the paragraph 26ZB(1)(e) statement that an entity must prepare to give notice of a serious data breach.  These are based on the matters in the current OAIC Data Breach Notification: A guide to handling personal information security breaches .  The statement must include:

·         the identity and contact details of the entity (paragraph 26ZB(2)(a))

 

·          a description of the serious data breach that the entity believes has happened (paragraph 26ZB(2)(b))

 

·          the kinds of information concerned (paragraph 26ZB(2)(c))

 

·          recommendations about the steps that individuals should take in response to the data breach that the entity believes has happened (paragraph 26ZB(2)(d)), and

 

·          any other information (if any) as specified in the regulations (paragraph 26ZB(2)(e)).

 

This means that, if the conditions in any regulations are met, instead of taking steps to notify each individual about the contents of the paragraph 26ZB(1(e) statement, the entity may make a general publication in relation to the serious data breach.  New subsection 26ZB(12) provides that the regulations may declare one or more specified conditions to be general publication conditions.  It is envisaged that the regulations will deal with situations where it is impossible for the entity to contact each affected individual or where an attempt to contact each individual would be ineffective.  Paragraph 26ZB(1)(h) provides that where an entity makes a general publication it must publish a copy of the notification on its website (if it has one) and cause a copy of the notification to be published in each State in at least one newspaper circulating generally in that State.

Method of providing the statement to an individual

Without limiting paragraph 26ZB(1)(g), new subsection 26ZB(3), which is titled ‘Method of providing the statement to an individual’, provides that where an entity normally communicates with an individual using a particular method, any notifications provided to the individual under paragraph 26ZB(1)(g) may use that method.  This is intended to reduce the cost of compliance for entities but also to ensure that individuals receive notifications through communication channels that they expect relevant entities to use.  Where there is no normal mode of communication with the particular individual the entity must take reasonable steps to communicate with him or her.  Reasonable steps could include contact by email, telephone or post. 

Exception—enforcement related activities

New subsection 26ZB(4), which is titled ‘Exception—enforcement related activities’, provides that new paragraphs 26ZB(1)(g) and 26ZB(1)(h) of the Privacy Act do not apply if the relevant entity is a law enforcement body that believes on reasonable grounds that compliance with those paragraphs would be likely to prejudice one or more enforcement-related activities conducted by, or on behalf of, the enforcement body.

‘Enforcement body’ and ‘enforcement related activities’ are defined in subsection 6(1) of the Privacy Act.  The effect of this provision is that a law enforcement body is not required to notify affected individuals of the contents of the paragraph 26ZB(1)(e) statement, either individually or in compliance with the general publication conditions specified in subsection 26ZB(12).  However, the entity must still comply with paragraphs 26ZB(1)(e) (i.e., the entity must prepare a statement that complies with new subsection 26ZB(2)) and 26ZB(1)(f) (i.e. the entity must give a copy of that statement to the Commissioner).

This exception is intended to ensure that the legitimate activities of enforcement bodies are not disrupted or affected by the notification requirement.  However, it does not extend to serious data breaches that are not related to enforcement activities such as the inadvertent disclosure of personal information unrelated to investigations or intelligence gathering.  It also ensures that notification to the Commissioner is still required, so that the Commissioner can advise and assist enforcement bodies in responding to data breaches, and can continue to collect important information about data breaches to assist in combating or addressing them into the future.

Exception—Commissioner’s notice

New subsection 26ZB(5), which is titled ‘Exception—Commissioner’s notice’, provides that the Commissioner may, by written notice given to an entity, exempt that entity from the requirement to notify contained in new subsection 26ZB(1), in such circumstances that are contained in that written notice ( a subsection 26ZB(5) notice ).

New subsection 26ZB(6) provides that a subsection 26ZB(5) notice can only be given when the Commissioner is satisfied that it is in the public interest to do so. It is expected that the Commissioner will develop guidance in consultation with agencies and organisations on what factors will need to be taken into account in determining whether issuing a notice will be in the public interest. 

In that respect, the ALRC commented that such a provision could cover situations, for example, where there is a law enforcement investigation being undertaken into a data breach breach and notification would impede that investigation, or where the information concerned matters of national security.   This provision is intended to cover cases of that nature (where these activities, or the information concerned, are not already exempt from the scheme), particularly where a private sector organisation suffers the data breach and is responsible for reporting.  In those situations, a Commonwealth agency or private sector organisation would have grounds to seek this exemption on advice from an enforcement body or intelligence agency.  

New subsection 26ZB(7) provides that the Commissioner may issue a subsection 26ZB(5) notice either on the Commissioner’s own initiative or on application made by the entity.  A decision by the Commissioner to refuse to issue a subsection 26ZB(5) notice will be reviewable by the Administrative Appeals Tribunal (see Item 5 below).

New subsection 26ZB(8) provides that, where the Commissioner refuses an application made by an entity under paragraph 26ZB(7)(b) for a subsection 26ZB(5) notice, the Commissioner must give written notice of the refusal.

New subsection 26ZB(9) provides that, if an entity forms a belief that a serious data breach has occurred (paragraph 26ZB(9)(a)), and, as soon as practicable after forming that belief, the entity applies to the Commissioner for a subsection 26ZB(5) notice (paragraph 26ZB(9)(b)); the requirement to notify contained in new subsection 26ZB(1) will not apply during the period beginning when the entity formed the belief that a serious data breach has occurred, and ending when the Commissioner makes a decision about the application (paragraph 26ZB(9)(c)).  This provision is intended to make it clear that the entity will not be in breach of notification obligations while its application for a subsection 26ZB(5) notice is being considered by the Commissioner. 

New paragraph 26ZB(9)(d) provides that if the Commissioner decides to refuse to give a subsection 26ZB(5) notice, subsection 26ZB(1) applies from the date of the Commissioner’s decision.  That is, where the Commissioner refuses an application for a subsection 26ZB(5) notice, the entity must comply with its obligations under paragraphs 26ZB(1)(e) - (h) as soon as practicable following that decision.

Exception—inconsistency with secrecy provisions

New subsection 26ZB(10), which is titled ‘Exception—inconsistency with secrecy provisions’, provides that, if compliance by an entity with paragraph 26ZB(1)(f), (g) or (h) of the Privacy Act would, to any extent, be inconsistent with a provision of a law of the Commonwealth (other than a provision of the Privacy Act) that prohibits or regulates the use or disclosure of information, the requirement to notify contained in subsection 26ZB(1) does not apply to the entity to the extent of the inconsistency. 

The effect of this provision is to make it clear that the secrecy provisions contained in other Commonwealth legislation prevails over the requirement to notify in subsection 26ZB(1) of the Privacy Act.  For example, subsection 26ZB(10) will ensure that there is no conflict between the Privacy Act and the provisions of other acts which prohibit disclosure of official information or secrets by Commonwealth officers (such as sections 70 and 79 of the Crimes Act 1914 (Cth)).

Exception—data breach notified under Personally Controlled Electronic Health Records Act 2012

New subsection 26ZB(11), which is titled ‘Exception— data breach notified under Personally Controlled Electronic Health Records Act 2012’, provides that subsection 26ZB(1) does not apply to a serious data breach if the breach has been notified under section 75 of the Personally Controlled Electronic Health Records Act 2012 ( PCEHR Act ) .   This provision has the effect of preventing the imposition of a double notification requirement on entities that have complied with section 75 of the PCEHR Act in relation to the same data breach.  

General publication conditions

New subsection 26ZB(12), which is titled ‘General publication conditions’, provides that the regulations may declare that one or more specified conditions are general publication conditions for the purposes of new section 26ZB of the Privacy Act.  It is envisaged that the regulations will deal with situations where it is impossible for the entity to contact each affected individual or where an attempt to contact each individual would be ineffective.

Section 26ZC Commissioner may direct entity to notify serious data breach

This section provides the Commissioner with the power to direct an entity to provide notification of a serious data breach.  It is envisaged that this provision may be enlivened in circumstances such as where a serious data breach comes to the attention of the Commissioner but has not come to the attention of an entity.

New subsection 26ZC(1) provides that if the Commissioner believes on reasonable grounds that there has been a serious data breach of the entity in relation to either personal information, credit reporting information, credit eligibility information or tax file number information, the Commissioner may, by written notice given to the entity, direct the entity to:

·          prepare a statement that complies with new subsection 26ZC(2) (paragraph 26ZC(1)(e)) ( a paragraph 26ZC(1)(e) statement )

 

·          give a copy of the paragraph 26ZC(1)(e) statement to the Commissioner (paragraph 26ZC(1)(f))

 

·          if the general publication conditions are not satisfied, take such steps as are reasonable in the circumstances to notify the contents of the paragraph 26ZC(1)(e) statement to each of the individuals significantly affected by the serious data breach that the Commissioner believes has happened (paragraph 26ZC(1)(g)), and

 

·          if the general publication conditions are satisfied:

 

o    publish a copy of the paragraph 26ZC(1)(e) statement on the entity’s website (if any), (subparagraph 26ZC(1)(h)(i)), and

 

o    cause a copy of the paragraph 26ZC(1)(e) statement to be published in each State by being published in at least one newspaper circulating generally in that State (subparagraph 26ZC(1)(h)(ii))

This Item also inserts a Note following new subsection 26ZC(1) and before new subsection 26ZC(2).  The Note provides a cross-reference subsection 26ZC(8), which provides general publication conditions.

New subsection 26ZC(2) sets out the contents of the paragraph 26ZC(1)(e) statement that an entity must prepare to give notice of a serious data breach.  These are based on the matters in the current OAIC Data Breach Notification: A guide to handling personal information security breaches .  The paragraph 26ZC(1)(e) statement must include:

·         the identity and contact details of the entity (paragraph 26ZC(2)(a))

 

·          a description of the serious data breach that the Commissioner believes has happened (paragraph 26ZC(2)(b))

 

·          the kinds of information concerned (paragraph 26ZC(2)(c))

 

·          recommendations about the steps that individuals should take in response to the data breach that the Commissioner believes has happened (paragraph 26ZC(2)(d)), and

 

·          any other information (if any) as specified in the regulations (paragraph 26ZC(2)(e)).

 

This means that, if the conditions in any regulations are met, instead of taking steps to notify each individual, the entity may make a general publication in relation to the serious data breach.  New subsection 26ZC(8) provides that the regulations may declare one or more specified conditions to be general publication conditions.  It is envisaged that the regulations will deal with situations where it is impossible for the entity to contact each affected individual or where an attempt to contact each individual would be ineffective.  Paragraph 26ZC(1)(h) provides that where an entity makes a general publication it must publish a copy of the notification on its website (if it has one) and cause a copy of the notification to be published in each State in at least one newspaper circulating generally in that State.

Method of providing the statement to an individual

Without limiting paragraph 26ZC(1)(g), new subsection 26ZC(3), which is titled ‘Method of providing the statement to an individual’, provides that where an entity normally communicates with an individual using a particular method, any notifications provided to the individual under paragraph 26ZC(1)(g) may use that method.  This is intended to reduce the cost of compliance for entities but also to ensure that individuals receive notifications through communication channels that they expect relevant entities to use.  Where there is no normal mode of communication with the particular individual the entity must take reasonable steps to communication with him or her.  Reasonable steps could include contacting by email, telephone or post. 

Compliance with direction

New subsection 26ZC(4), which is titled ‘Compliance with direction’, provides that an entity must comply with a direction given by the Commissioner under subsection 26ZC(1) ( a subsection 26ZC(1) direction ) as soon as practicable after the direction is given.

Exception—enforcement related activities

New subsection 26ZC(5), which is titled ‘Exception—enforcement related activities’, provides that the Commissioner must not give a subsection 26ZC(1) direction to an entity that is a law enforcement body if the chief executive officer of that law enforcement body has given the Commissioner a certificate stating that the enforcement body believes on reasonable grounds that compliance with the direction would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, the enforcement body.

‘Enforcement body’ and ‘enforcement related activities’ are defined in subsection 6(1) of the Privacy Act.  This exception is intended to ensure that the legitimate activities of enforcement bodies are not disrupted or affected by the notification requirement.  However, it does not extend to serious data breaches that are not related to enforcement activities such as the inadvertent disclosure of personal information unrelated to investigations or intelligence gathering.  The requirement that the chief executive of the enforcement body provide the Commissioner with a certificate will ensure that the Commissioner can be assured that the enforcement body has formed the relevant belief on reasonable grounds.

This exception will apply in relation to notification to individuals.  As noted above, the effect of subclause 26ZB(4) is that an enforcement body will still be required to notify all serious data breaches to the Commissioner.  The exception in subclause 26ZC(5) does not exempt an enforcement body from that requirement.   

Exception—inconsistency with secrecy provisions

New subsection 26ZC(6), which is titled ‘Exception—inconsistency with secrecy provisions’, provides that, if compliance by an entity with a subsection 26ZC(1) direction as is covered by paragraph 26ZC(1)(f), (g) or (h) would, to any extent, be inconsistent with a provision of a law of the Commonwealth (other than a provision of this Act) that prohibits or regulates the use or disclosure of information, paragraph 26ZC(1)(f), (g) or (h), as the case may be, does not apply to the entity to the extent of the inconsistency. 

The effect of this provision is to make it clear that the secrecy provisions contained in other Commonwealth legislation prevails over the requirement to comply with a subsection 26ZC(1) direction.  For example, subsection 26ZC(6) will ensure that there is no conflict between the Privacy Act and the provisions of other acts which prohibit disclosure of official information or secrets by Commonwealth officers (such as sections 70 and 79 of the Crimes Act 1914 (Cth)).

Exception— data breach notified under Personally Controlled Electronic Health Records Act 2012

New subsection 26ZC(7), which is titled ‘Exception— data breach notified under Personally Controlled Electronic Health Records Act 2012’, provides that the Commissioner must not give a subsection 26ZC(1) direction in relation to a serious data breach if the breach has been notified under section 75 of the PCEHR Act .   This provision has the effect of preventing the imposition of a double notification requirement on entities that have complied with section 75 of the PCEHR Act in relation to the same data breach. 

General publication conditions

New subsection 26ZC(8), which is titled ‘General publication conditions’, provides that the regulations may declare that one or more specified conditions are general publication conditions for the purposes of new section 26ZC of the Privacy Act.  It is envisaged that the regulations will deal with situations where it is impossible for the entity to contact each affected individual or where an attempt to contact each individual would be ineffective.

Division 3—General

Section 26ZD             Entity

Section 26ZD provides that, for the purposes of the new Part IIIC—Data breach notification, ‘entity’ includes a person who is a file number recipient. 

Section 26ZE              Harm

Section 26ZE provides that, for the purposes of the new Part IIIC—Data breach notification, the word ‘harm’ includes harm to reputation, economic harm, and financial harm.  This is a non-exhaustive list and is in addition to the ordinary meaning of the word ‘harm’.  The section is included to provide clarity. 

Section 26ZF              Real risk

Section 26ZF provides that, for the purposes of the new Part IIIC—Data breach notification, the term ‘real risk’ means a risk that is not a remote risk.

This is an important threshold that is intended to exclude risks that are minor in nature.  It would not be appropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of notification fatigue on the part of individuals, and the lack of utility where notification does not facilitate mitigation.  As is currently the case in the OAIC Data Breach Notification: A guide to handling personal information security breaches , it is expected that further practical guidance around the concept of a ‘real risk of serious harm’ will be included in revised OAIC guidance that complements these new reforms.

Item 5             After paragraph 96(1)(b)

Item 5 of Schedule 1 inserts new paragraphs 96(1)(ba) and 96(1)(bb) into subsection 96(1) of the Privacy Act, after existing paragraph 96(1)(b).  The effect of this insertion is that new paragraphs 96(1)(ba) and 96(1)(bb) respectively provide that a decision by the Commissioner:

·          under section 26ZB to refuse to give a subsection 26ZB(5) notice that an entity is exempt from an obligation to notify a serious data breach, and

 

·          under section 26ZC to give a subsection 26ZC(1) direction to an entity to notify a serious data breach

will be subject to review by the Administrative Appeals Tribunal.

Item 6             Application of amendments—serious data breaches

Item 6 of Schedule 1 provides that the new Part IIIC of the Privacy Act to be inserted by this Bill applies to the access, disclosure, or loss of personal information, as well as credit reporting information, credit eligibility information and tax file number information that occurs after the commencement of Item 6.  That is, none of the provisions in the Bill will operate retrospectively.  Serious data breaches that occur after 12 March 2014 will be subject to the requirements of the new Part IIIC.

 




[2] See ALRC Report (paras 51.52 - 51.56)

[15] See recent study commissioned for European Commission at: http://ict-endorse.eu/?p=539

[16] Privacy Act 1988 - NPP 4 and IPP 4

[20] See recent study commissioned for European Commission at: http://ict-endorse.eu/?p=539

[23] http://www.canberra.edu.au/cis/storage/Australian%20Attitutdes%20Towards%20Privacy%20Online.pdf

[26] See further ALRC report (2008), para 51.77-51.78.