Several high profile data breach incidents affecting organisations (think Sony Playstation and Telstra), have highlighted both the ramifications of data security breaches and the concerns about the failure of organisations to notify affected individuals and regulators of data breaches. Despite these concerns and contrary to prevailing international practice, mandatory notification obligations have not formed part of Australia’s privacy landscape (except in relation to Personally Controlled Electronic Health Records).
On 29 May 2013, the Government ended months of speculation and introduced the Privacy Amendment (Privacy Alerts) Bill 2013 (the Bill) to Parliament. The Bill addresses one of the recommendations of the Australian Law Reform Commission’s seminal 2008 Report – For Your Information.
If passed, the Bill will commence on 14 March 2014 in line with the commencement of the major Privacy Reforms (see our previous article regarding these reforms). The new provisions will apply to public sector agencies and private sector organisations currently regulated by the Privacy Act. The Attorney-General, Mark Dreyfus, has indicated that the Bill could pass through Parliament in June before the September 2013 election.
The Bill requires organisations to notify affected individuals if the organisation believes, on reasonable grounds, that there has been a “serious data breach” of the organisation in relation to personal information. A “serious data breach” is defined in the Bill as unauthorised access or disclosure of personal information (including as a result of lost personal information) which will result in a “real risk of serious harm” to the affected individual. The term “harm” is defined to include harm to reputation, economic harm and financial harm, and “real risk” as a risk that is not a remote risk.
The Australian Information Commissioner (Privacy Commissioner) may exempt an organisation from providing this notification to affected individuals if it considers it is in the public interest to do so.
The Bill also provides that organisations remain accountable for a serious data breach which has occurred overseas following disclosure of personal information to an overseas recipient. This is consistent with new Australian Privacy Principle 8 which makes organisations accountable for the privacy breaches of an overseas recipient of personal information, subject certain exemptions.
Similar notification requirements will apply to credit reporting bodies, credit providers and recipients of tax file numbers.
If an organisation considers a “serious data breach” has occurred it must, as soon as practicable, provide notification to the affected individual(s) and the Privacy Commissioner. This notice must specify:
The notification must be communicated to individuals using the normal method of communication the organisation uses to communicate with the individual. Regulations may also be made to specify general publication conditions for circumstances where it is not practicable to notify each individual, and in these circumstances notification may take place by publishing the statement on the organisation’s website and in a newspaper.
If the Privacy Commissioner believes that there has been a serious data breach and the organisation has not notified affected individuals, the Privacy Commissioner may also direct the organisation to notify.
If an organisation fails to notify affected individuals or does not comply with a direction of the Privacy Commissioner to do so, this will amount to an “interference with the privacy of the individual” under the Privacy Act. This means that the Privacy Commissioner will have the power to investigate the incident, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.
Practically, the Bill will require organisations to implement robust protocols for identifying data breach incidents, assessing the incident to determine whether it is a “serious data breach” and notifying the Privacy Commissioner and affected individuals of the incident.
Consistent with the Privacy Act generally, the Bill does not make any distinction between a data processor (e.g. a service provider handling and/or storing personal information of a customer organisation) and a data controller (e.g. an organisation who collects personal information from individuals and provides that data to a service provider). Rather, the obligation to notify is simply that of the entity which is subject to the serious data breach.
In the context of services arrangements (such as cloud, outsourcing and data hosting services), the service provider holding the personal information (and who suffers a data breach) will be obliged to comply with the notification requirements as they are currently drafted. However, a service provider such as a cloud provider will typically find it difficult to do so as they will not have control or visibility over the personal information within the customer data they hold, or knowledge of which individuals the data relates to. The notification obligation is arguably more appropriately discharged by the data controller (i.e. the service provider’s customer). Equally, it is likely in most circumstances that the service provider’s customer, who has a direct contractual or other relationship with the individual, will want to handle any notification process with the individuals.
These mandatory notification obligations are another good example of the regulatory uncertainty that continues to arise under Australian privacy laws due to the absence of a data processor – data controller distinction. This distinction is made in many foreign privacy regimes, including in Europe and Asia.
In these circumstances, it will be prudent for organisations to carefully review their services arrangements to ensure that they require service providers to notify the organisation if a data breach occurs, and set out how the parties will comply with the notification obligations.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.