Published by Andrew Chalet, Craig Subocz
In this article, we examine what this means for you.
The Government can designate a start date. If it does not, then the obligation commences 12 months from the date of royal assent. Accordingly, it is almost certain this obligation will apply in early 2018, and most likely earlier.
It applies to entities already regulated by the Act. These include businesses with annual turnover exceeding $3 million, health service providers, Commonwealth Government agencies, credit providers and credit reporting bodies.
Essentially, any regulated entity must report to the Privacy Commissioner and to affected individuals "as soon as practicable" after becoming aware that an "eligible data breach" has occurred.
Additionally, where the entity suspects that an "eligible data breach" may have occurred, it has 30 days to investigate its suspicions and determine whether the breach occurred. If the organization confirms the breach, then it must notify the Commissioner and affected individuals.
An "eligible data breach" occurs when either of the two alternatives occurs:
Serious harm includes serious financial, economic or physical harm. It also includes serious emotional or psychological harm, or serious harm to an individual's public reputation.
In determining whether access or disclosure would be likely or not likely to result in serious harm, there are several statutory factors to be considered, including:
As examples, malicious breaches of secure storage and information handling would almost certainly be an eligible data breach. Similarly, the inadvertent loss of a computer or storage device (such as a USB stick) containing personal information where the device can be recovered by a third party would almost certainly be an eligible data breach.
There are several exceptions, namely:
We look at the exceptions that are most likely to apply - remedial action and multiple entities affected by the one eligible data breach.
If an entity takes action in relation to the data breach and, as a result of the action, a reasonable person would conclude that the breach is not likely to result in serious harm to any affected individual, the data breach is not an "eligible data breach". Consequently, there is no obligation to report the breach to the Commissioner or to the affected individuals.
The legislation is vague on the nature and extent of the remedial action. It will depend on a number of factors, including the nature and extent of the breach being remedied.
The exception applies only if the remedial action was taken before the individual(s) were harmed. If the action prevents some (but not all) of the individuals being harmed, then the obligation to notify is reduced to exclude an obligation to notify those individuals protected by the remedial action.
Where an eligible data breach affects multiple entities, the Act will require only one of the affected entities to report the breach. Once the report is made, then all the affected entities are taken to have complied with their statutory reporting obligation.
This scenario will commonly occur when one entity has outsourced the management of personal information (in some fashion) to a third party. For example, in October 2016, records of blood donors were unwittingly exposed to the public when a contractor to the Australian Red Cross Blood Service made those records available via an unsecured website.
In this scenario, the entities must determine (between themselves) which entity will assume responsibility for complying with the notification obligation (assuming that remedial action cannot be taken to avert the serious harm to affected individuals).
The Act will dictate the substance of the notification. It must contain the entity's name and contact details, a description of the breach, the kind(s) of information involved and steps the entity recommends individuals take to protect themselves from the potential for serious harm.
The entity must take reasonable steps to notify affected individuals of the breach, such as through email, by phone or by post. However, if the entity determines that it is not practicable for it to notify affected individuals directly, then it must publish the statement on its website and otherwise take reasonable steps to publicise the statement.
The Act will deem a failure to comply with the notification obligations as an interference with the privacy of an individual. This triggers the Commissioner's existing powers to investigate, make determinations and order remedies for the non-compliance.
Ultimately, an entity that fails to comply with its statutory obligations may face civil penalties of up to $1.8 million (if the entity is a corporation).
While the amendments have been passed, they are not yet operational. This gives regulated entities some time to brush up on their risk management policies and procedures concerning data breaches.
Clearly, the best way of avoiding the potential embarrassment of notifying a data breach is to prevent the breach from occurring in the first place.
Regulated entities are already under a statutory obligation to destroy or de-identify personal information when that information is no longer needed. Therefore, auditing and sanitizing personal information held by a regulated entity that it no longer needs removes the risk of that personal information being exposed in a data breach.
It is also advisable for entities to review and update their data security and privacy policies and procedures. This will almost certainly require attention at the boardroom and senior executive level, in order to embed the need for strong data security into the entity's culture.
Entities should also critically review existing supplier arrangements to understand whether and, if so, to what extent suppliers are currently bound to report and handle potential data breaches.
Although it is impossible to come up with a "one size fits all" approach to data breach notification, laying the groundwork for an action plan to implement if and when a data breach is suspected or detected will help regulated entities comply with their forthcoming statutory obligations.