The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (Act), which took effect on 22 February 2018, has amended the Privacy Act 1988 (Cth) (Privacy Act) by establishing a new regime of mandatory data breach notifications.
Under the new regime, Australian Government agencies and certain organisations with obligations under the Privacy Act (APP entity) are now required to notify both the Office of the Australian Information Commissioner (OAIC) and the individuals to whom the affected data held by the APP entity relates of certain data breaches.
Apart from the obligations related to personal information protection and responding to a data breach which are provided under the Privacy Act, entities may have obligations under state-based or international data protection laws.
For example, businesses would need to comply with the European Union General Data Protection Regulation if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
In addition, depending on the categories of information subject to the unauthorised access or disclosure and on the industry sector in which the entity holding that information operates, entities may also need to comply with other mandatory or voluntary reporting schemes. For example, entities may need to report to:
- The Australian Securities and Investments Commission (ASIC);
- The Australian Prudential Regulatory Authority (APRA);
- The Australian Cyber Security Centre (ACSC);
- The Department of Health;
- State or Territory Privacy and Information Commissioners; and
Since 22 February 2018, OAIC has already received 31 breach notifications under the new regime.
This article therefore gives a general overview of the newly introduced data breach notification regime and provides general guidance on the data breach notification obligations which may be applicable to your company.
To Whom Do the Reporting Obligations Apply?
Data breach reporting obligations apply to:
- a broad range of organisations and entities which hold personal information relating to an individual and are required to protect that information so as not to breach the Privacy Act (in particular, Australian Privacy Principle (APP) 11.1);
- credit reporting bodies holding credit reporting information relating to individuals;
- credit providers holding credit eligibility information relating to individuals; and
- file number recipients holding tax file number information relating to individuals.
What is an Eligible Data Breach?
Under s 26WE of the Privacy Act, a notifiable data breach (so-called ‘eligible data breach’) occurs if:
- there is unauthorised access to, or unauthorised disclosure of, the personal information, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
- the information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
As an example, a data breach may occur when:
- a device containing personal information about customers is lost or stolen;
- a database containing personal information is hacked; or
- personal information is mistakenly disclosed to an unauthorised third party.
The seriousness of harm is assessed based on s 26WG of the Privacy Act, considering a wide range of matters, including: the kind of information disclosed or accessed; sensitivity of that information; the likelihood that the persons who have obtained or could have obtained that information had the intention of causing harm to any of the individuals to whom the information relates; the nature of the harm; and any other relevant matter.
If an APP entity has reasonable grounds to suspect that there may have been an eligible data breach, it must carry out a reasonable and expeditious assessment of whether there are grounds to believe that an eligible data breach has occurred.
The assessment must be completed within 30 days after becoming aware of the grounds to suspect the data breach.
If there are reasonable grounds to believe that the eligible data breach has occurred, the APP entity is required to prepare a statement of the breach under s 26WK of the Privacy Act (Notifiable Data Breach Form) and give a copy of that statement to the Commissioner.
The Notifiable Data Breach Form can be accessed on the website of the OAIC.
Furthermore, under s 26WL of the Privacy Act, the APP entity must take reasonable steps to notify the contents of the statement to each of the individuals to whom the relevant information relates.
In many cases, publishing a copy of the statement on the entity’s website and taking reasonable steps to publicise the contents of the statement would be more practicable than notifying every individual who has been affected.
What are the Penalties for Failure to Notify?
Failure to comply with the Privacy Act with respect to mandatory data breach notifications may result in a penalty of up to $360,000 for individuals and up to $1.8 million for corporations.
In addition to that, the failure may result in serious damage to reputation and business of the parties involved in the breach.
Can You be Responsible for Someone else’s Breach?
The answer is yes.
Based on s 26WC of the Privacy Act, an APP entity may be responsible for a breach if the breach has been committed by another party in the chain through which your personal information is supplied.
For example, your company may be liable for a breach if personal information has been stored by a third party on your behalf and the data breach was committed by that third party.
In particular, if your company stores its data and records with a cloud service provider, both your company and the cloud service provider will be deemed to hold that data or those records and will be responsible for a data breach.
Therefore, it is essential for entities to establish clear procedures for complying with the Privacy Act when entering into service agreements or other relevant contractual arrangements with third parties.
This may include obligations to communicate suspected breaches to the other party, establishing and ensuring compliance with the processes for conducting assessments, and responsibility for containment, remediation, and notification of the breaches.
The Privacy Act provides mechanisms for avoiding duplicate notifications by a number of parties who jointly hold personal information.
If a number of entities jointly hold information which was disclosed or accessed as a result of a data breach, compliance by one of those entities will be taken as compliance by the other entities that hold the information.
The Commissioner suggests that, in general, the entity with the most direct relationship with the individuals at risk of serious harm may be best placed to notify. This generally allows individuals to better understand the notification, and how the eligible data breach might affect them.
We will be pleased to assist you in understanding your data breach reporting obligations under the Privacy Act, in developing mechanisms for the protection of personal information stored by you and by third parties on your behalf, and in responding to a suspected data breach within your organisation.
Many other essential hot topics for business owners are all found in the book Nobody Else’s Business. Nobody Else’s Business is about helping business owners live the life they want to live, now and in the future. It is the ultimate guidebook for succession planning of modern Australian businesses.
To purchase your own copy of Nobody Else’s Business please follow the link http://www.nobodyelsesbusiness.com.au/