By Geoff Bloom, Andrew Galvin and the regulatory advice team at HWL Ebsworth in Sydney, consultants to the Australian Privacy Reporter.
The Notifiable Data Breaches (NDB) Scheme was legislated through an amendment to the Privacy Act 1988 (Cth) (the Act) and commences on 22 February 2018. It introduces mandatory reporting for Australian Privacy Principle (APP) entities that have reasonable grounds to believe an eligible data breach has occurred. An eligible data breach is one that is likely to result in serious harm to the individuals to whom the information relates.
Under the Scheme, if an APP entity experiences an eligible data breach then, unless an exception applies, it must report the breach, in the prescribed form, to the Office of the Australian Information Commissioner, and the individuals affected by the breach.
The NDB Scheme aims to protect consumers whose information has been compromised by giving them an adequate opportunity to take steps to mitigate the consequences of the breach. It balances the burden imposed on APP entities by only requiring notification in circumstances where the data breach could result in serious harm.
1. Steps for identifying a notification obligation
2. When a potential breach is identified
Once a possible breach has been brought to the APP entity’s attention, the first step is to contain it.
If immediate steps can be taken to mitigate the risk of harm, these steps should be taken.
Effective steps to mitigate the risk of harm may overcome the need to notify the data breach on the basis that the breach would not be an ‘eligible data breach’.
3. Establishing whether an eligible data breach has occurred
Whether an entity has reasonable grounds to believe that there has been an eligible data breach will vary depending on the circumstances.
Generally, there will be ‘reasonable grounds to believe’ where the facts are sufficient to persuade a reasonable person to support a course of action based on the known facts, circumstances and considerations: George v Rockett (1990) 170 CLR 104.
If the situation merely gives the entity reasonable grounds to suspect that there has been an eligible data breach, the Act requires it to carry out a reasonable and expeditious assessment (Situation Assessment) of whether there are reasonable grounds to believe that an eligible data breach has taken place. The entity must take all reasonable steps to complete this assessment within 30 days of becoming aware of the grounds for suspicion.
The nature of the Situation Assessment will vary with the circumstances. However, if during the Situation Assessment the suspicion hardens into a belief, the obligation to notify the Commissioner arises at that point; the entity should not wait for the 30-day period to run out.
3.1 An eligible data breach occurs where:
- there is unauthorised access to, unauthorised disclosure of, or loss of personal information; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates; and
- no exemptions apply.
3.2 Unauthorised access, disclosure or loss of personal information
This category will be satisfied in two circumstances under the Act:
- where the APP entity is satisfied that there is unauthorised access to, or unauthorised disclosure of, personal information; or
- where the information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur.
Information is ‘lost’ where there has been accidental or inadvertent loss of personal information held by an APP entity. This includes physical loss, for example leaving documents or a device in a public place, and electronic loss, such as failing to back up data adequately. Loss also covers situations in which unauthorised access arises from an event such as a natural disaster or a power outage. Note that loss alone is not enough: it becomes an eligible data breach only where unauthorised access or disclosure is likely to follow.
3.3 Serious harm to an individual
An eligible data breach occurs where a reasonable person would conclude that the breach is likely to result in serious harm to any of the affected individuals.
Serious harm could include “serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach”.
The OAIC has expressed the view on its website that serious harm could include identity theft, financial loss, threat to physical safety, threat to emotional wellbeing, loss of business or employment opportunities, humiliation, damage to reputation or relationships, or workplace or social bullying or marginalisation.
The risk of serious harm is likely to be higher where the information compromised is sensitive. The OAIC recognises that “inappropriate handling of sensitive information can easily have adverse consequences for an individual … such as discrimination or mistreatment”.
3.4 Likely to result
Harm is ‘likely’ to result where it is more probable than not that serious harm will follow. In assessing that likelihood, the APP entity should consider:
- the kind and sensitivity of the information, and whether it is protected by one or more security measures and how readily those measures could be overcome;
- the persons, or the kinds of persons, who have obtained, or who could obtain, the information;
- whether a security technology or methodology (such as encryption) was applied to render the information unintelligible to unauthorised persons, and the likelihood that those who obtained the information also have, or could obtain, what is needed to circumvent it (for example, the key); and
- the nature of the harm.
If, on this assessment, the APP entity reasonably believes that the unauthorised loss, disclosure or access of personal information is likely to result in serious harm, then the notification obligations are triggered under the Act.
The APP entity should be aware that the phrase ‘reasonable grounds’ implies that “notification is required both in cases where an entity is aware that an eligible data breach has occurred and where the evidence is not definitive but would nonetheless suggest that there are reasonable grounds to believe that an eligible data breach has occurred”.
4. Do any exemptions apply?
If a breach is likely to result in serious harm, the notification obligations under the Act are triggered. The next step is to consider whether any exemptions apply to the breach.
4.1 Remedial action
This is the exemption that is most likely to apply.
It provides relief from notification requirements for entities that take action to prevent the breach from being ‘likely to result in serious harm’.
An entity will be exempt where a reasonable person would conclude that, as a result of the remedial action taken, the breach is not likely to result in serious harm to the affected individuals.
In that case, the breach is no longer an eligible data breach.
Where the remedial action removes the likelihood of serious harm only for some of the affected individuals, there is no requirement to notify that class of individuals, but the remaining individuals must still be notified in the manner required by the Act. The exception also applies where remedial action prevents lost information from causing serious harm.
It is important to take remedial action as soon as there is a potential for an eligible data breach. This could overcome the need for stringent notification requirements when the extent of the breach has been ascertained. Time, money and effort can all be saved by taking simple steps to prevent the risk of serious harm.
The following exemptions should be noted but are less likely to apply. Remedial action should still be taken even where there is the potential for another exemption to apply. The exemptions are:
- Eligible data breaches of other entities: Where several entities hold the same record of information that has been breached (for example under a joint venture, an outsourcing arrangement or a shared services arrangement), only one of them needs to comply with the notification requirements; once one entity has notified, the others are relieved of the obligation for that breach. The entities should agree in advance which of them will notify.
- Enforcement related activities: An enforcement body is not required to notify affected individuals of an eligible data breach where notification could prejudice enforcement related activities (but a statement in the required form must still be given to the Commissioner). This ensures that legitimate activities of enforcement bodies are not disrupted by the notification requirement.
- Inconsistency with secrecy provisions: There is no need to notify the Commissioner or affected individuals if the entity that has suffered the eligible data breach considers that doing so would be inconsistent with a secrecy provision. Relief from the notification obligations applies only to the extent of that inconsistency.
- Declaration by Commissioner: The Commissioner may, on application by the entity, declare that the notification requirements do not apply to the eligible data breach. Before making such a declaration, the Commissioner must be satisfied that it is reasonable having regard to the public interest, any advice received from enforcement bodies or the Department of Defence, and any other matters the Commissioner considers relevant. This exception is intended, for example, for cases where a law enforcement investigation into the breach is under way and notification would impede it, or where the information concerns national security.
- Notification under the My Health Records Act 2012 (Cth): If the breach is of health information included in a healthcare recipient’s My Health Record, then the data breach notification obligations under the My Health Records Act will be triggered and the entity will not have to report the breach under the Act.
4.2 If no exemptions apply, the entity is required to notify the breach
The first step of notification is to prepare a statement in the form required by the Act.
There are three ways in which a breached entity can inform affected individuals:
(a) if practicable, notify each individual to whom the breached information relates;
(b) if practicable, notify each individual who is at risk from the eligible data breach; or
(c) if neither of the above is practicable, publish a copy of the statement on the entity’s website and take reasonable steps to publicise its contents.
The entity must then provide the statement to the Commissioner and to the affected individuals. Where individuals are notified directly, the method of communication should be the one the entity normally uses to communicate with them.
5. Notification of the breach
An entity must promptly notify the Commissioner of the breach by preparing and forwarding a statement in accordance with section 26WK of the Act. The entity must also notify individuals affected by the breach as soon as practicable after completing the statement prepared for notifying the Commissioner.
5.1 Information to include in the statement
The statement notifying the Commissioner and affected individuals must include the following information:
(a) the identity and contact details of the entity;
(b) a description of the breach;
(c) the types of information concerned; and
(d) recommendations about the steps which individuals should take in response to the breach.
The OAIC provides an online form to assist entities in preparing this statement.
5.2 Timeframe for reporting the breach
The entity must notify the Commissioner of the breach as soon as practicable. What counts as ‘practicable’ will vary with the entity’s circumstances, and may take into account the time, effort or cost required to prepare the statement.
The OAIC expects that once an entity becomes aware of an eligible data breach, it will provide a statement to the Commissioner in a prompt manner, unless there are circumstances which reasonably hinder the entity’s ability to do so.
6. Penalties for non-compliance
Failure to comply with an obligation included in the Act will be deemed to be an interference with the privacy of an individual for the purposes of the Act.
This will engage the Commissioner’s ability to undertake investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.
This approach will permit the use of less severe sanctions before elevating to a civil penalty.
Civil penalties would be imposed by the Federal Court or Federal Circuit Court on application by the Commissioner. The maximum civil penalty currently stands at $360,000 for individuals or $1.8 million for organisations.
The Commissioner can also demand that an entity comply with notification requirements under the Act.
6.1 Penalties and other sanctions
Sanctions for non-compliance could include:
- public or personal apologies;
- compensation payments;
- enforceable undertakings; or
- in severe cases, a civil penalty imposed by the court on application by the Commissioner. The maximum civil penalty currently stands at $1.8 million for organisations.
7. Preparing for the NDB scheme
APP entities can develop a data breach response plan in preparation for the operation of the NDB scheme.
8. Further information
Further information on the NDB scheme and preparing for its operation as well as a guide to developing a data breach response plan can be found in CCH’s Australian Information and Privacy Handbook or on the OAIC website at https://www.oaic.gov.au/.