Privacy Amendment (Notifiable Data Breaches) Bill 2016

Bills Digest no. 52, 2016–17


Mary Anne Neilsen
Law and Bills Digest Section
8 December 2016


Contents

Purpose of the Bill

Structure of the Bill

Background

Data breach notifications
The Privacy Act and data breaches
Australian Law Reform Commission: report
Parliamentary Joint Committee on Intelligence and Security: reports
The three Bills
Privacy Amendment (Privacy Alerts) Bill 2013
Exposure draft: Privacy Amendment (Notification of Serious Data Breaches) Bill 2015
The current Bill

Committee consideration

Senate Standing Committee for the Scrutiny of Bills

Policy position of non-government parties/independents

Position of major interest groups

Australian Bankers’ Association
Law Council of Australia
Electronic Frontiers Australia
Australian Privacy Foundation

Financial implications

Statement of Compatibility with Human Rights

Parliamentary Joint Committee on Human Rights

Key issues and provisions

What is an eligible data breach
Threshold test for an eligible data breach
What is serious harm?
‘Likely to result in serious harm’
Exception to an eligible data breach—remedial action
Notification of eligible data breaches
Exceptions to notification
Commissioner written directions
Overseas entities
Enforcement and review

Concluding comments


Date introduced: 19 October 2016
House: House of Representatives
Portfolio: Attorney-General
Commencement: 12 months from the day after the Bill receives the Royal Assent or earlier by proclamation.

Links: The links to the Bill, its Explanatory Memorandum and second reading speech can be found on the Bill’s home page, or through the Australian Parliament website.

When Bills have been passed and have received Royal Assent, they become Acts, which can be found at the Federal Register of Legislation website.

All hyperlinks in this Bills Digest are correct as at December 2016.


Purpose of the Bill

The purpose of the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) is to amend the Privacy Act 1988 in order to introduce mandatory data breach notification provisions which will apply to entities currently subject to the Privacy Act, namely most Commonwealth Government agencies, some private sector organisations (‘entities’), credit reporting bodies, credit providers and tax file number recipients.

Structure of the Bill

The Bill contains one Schedule of amendments to the Privacy Act. The main amendment in Schedule 1 is item 3 which inserts a new Part IIIC, titled ‘Notification of eligible data breaches’. This new Part contains the substantive elements of the mandatory data breach notification provisions, which apply to entities that are regulated by the Privacy Act.

The new Part IIIC is divided into three Divisions. Broadly, the first Division sets out preliminary general matters including relevant definitions and application provisions, the second Division sets out when an ‘eligible data breach’ will have occurred and the third Division contains obligations for entities to notify that such a data breach has occurred, subject to certain exceptions.

Background

Data breach notifications

As the Explanatory Memorandum notes, mandatory data breach notification commonly refers to:

... a legal requirement to provide notice to affected individuals and the relevant regulator when certain kinds of security incidents compromise information of a certain kind or kinds. In some jurisdictions, notification is also only required if the data breach meets a specified harm threshold. Examples of when data breach notification may be required could include a malicious breach of the secure storage and handling of information (e.g. in a cyber security incident), an accidental loss (most commonly of IT equipment or hard copy documents), a negligent or improper disclosure of information, or otherwise, where the incident satisfies the applicable harm threshold (if any).[1]

Data breach notification has been a topical issue in privacy regulation around the world for some years, with concerns about identity theft and identity fraud driving the development of new laws in this area.[2]

The Privacy Act and data breaches

The Australian Privacy Principles (APPs), which are contained in Schedule 1 of the Privacy Act, outline how most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’) must handle, use and manage personal information.

Currently, the Privacy Act does not impose an obligation on entities to notify the Australian Information Commissioner (the Commissioner) or any individuals whose personal information has been compromised. However, APP 11 requires that agencies and organisations take reasonable steps to maintain the security of the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Other provisions in the Privacy Act create equivalent obligations in relation to credit reporting information, credit eligibility information and tax file number information.[3]

The Office of the Australian Information Commissioner (OAIC) currently has in place a voluntary guide for entities giving advice on how to handle a data breach.[4] Although not mandatory, entities regulated by the Privacy Act are encouraged to comply with this guide so as to ‘voluntarily put in place reasonable measures to deal with data breaches (including notification of affected individuals and the OAIC), while legislative change is considered by the Australian Government’.[5] The Commissioner has stated that he continues to support the introduction of a mandatory data breach reporting scheme for serious data breaches noting that the OAIC continues to see evidence of a high number of serious data breaches. He quotes the McAfee Labs Threat Report for August 2015, which reviewed changes in cyber threats and cybersecurity from 2010 to 2015 and which states that there has been a ‘monumental increase in the number of major data breaches and in the volume of records stolen’.[6] In the Commissioner’s view a mandatory notification scheme is necessary to:

  • give confidence to all Australians that if they are affected by serious data breach, they will be given a chance to protect their interests, and
  • signal to entities that protection of individuals’ personal information should be a priority in the digital age.[7]

Australian Law Reform Commission: report

The Australian Law Reform Commission (ALRC) in its 2008 report on privacy, For Your Information: Australian Privacy Law and Practice (the ALRC Report), considered the topic of data breach notification and made a recommendation regarding the establishment of a mandatory notification scheme. The ALRC noted that, with advances in technology, entities were increasingly holding larger amounts of identifying information in electronic form, raising the risk that a breach of this information could result in another individual using the information for identity theft and identity fraud. A notification requirement for entities that suffer data breaches would allow individuals whose personal information had been compromised by the breach to take remedial steps to lessen the adverse impact that might arise from the breach.[8] The ALRC recommended that the Privacy Act be amended to impose a mandatory obligation to notify the Privacy Commissioner and affected individuals in the event of a data breach that could give rise to a real risk of serious harm to affected individuals. Notification would be compulsory unless it would impact upon a law enforcement investigation or was determined by the regulator to be contrary to the public interest. Failure to notify would attract a civil penalty.[9]

Parliamentary Joint Committee on Intelligence and Security: reports

Recommendations regarding a mandatory data breach notification scheme were also made as part of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) inquiries into a mandatory data retention regime. First, in May 2013, the PJCIS released a Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation. The report recommended that, if a mandatory data retention regime should proceed, its introduction should include the introduction of a robust mandatory data breach notification scheme.[10]

Again, in February 2015 the PJCIS in its Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (the Data Retention Bill 2014) recommended the introduction of a mandatory data breach notification scheme by the end of 2015.[11]

The three Bills

Since 2008 when mandatory data breach notification was first recommended by the ALRC, there have been three different Bills that would establish a mandatory data breach notification scheme:

  • Privacy Amendment (Privacy Alerts) Bill 2013[12]
  • exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015[13]
  • the current Bill.

Privacy Amendment (Privacy Alerts) Bill 2013

On 29 May 2013 the then Labor Government introduced the Privacy Amendment (Privacy Alerts) Bill 2013 (2013 Bill) into Parliament. The Bill was intended to implement ALRC recommendation 51–1 and to strengthen the existing voluntary data breach notification framework in order to counter underreporting of data breaches and to help prevent or reduce the effects of serious crimes like identity theft. The Bill passed the House of Representatives with bipartisan support. It was referred to Committee but lapsed on prorogation of the 43rd Parliament.[14]

Exposure draft: Privacy Amendment (Notification of Serious Data Breaches) Bill 2015

On 3 March 2015 the Coalition Government, as part of its response to the PJCIS report on the Data Retention Bill 2014, agreed to introduce a mandatory data breach notification scheme by the end of 2015 and to consult on draft legislation.[15] In December of that year, the Attorney-General released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (the 2015 exposure draft) and a discussion paper for public submission. Forty-seven public submissions were received before submissions closed on 4 March 2016.[16]

The 2015 exposure draft was similar to the 2013 Bill in that it applied the same threshold test for when an entity would be required to notify a ‘serious data breach’ and imposed similar data breach notification requirements. There were a range of views in submissions—a common theme being that the legislation needed further explanation and clarification on how to determine when a serious data breach might occur.

The current Bill

The current Bill, introduced on 19 October 2016, is based on the 2015 exposure draft but includes significant amendments. In particular it introduces a higher threshold test for when data breach notification is mandatory, and provides other changes aimed at reducing and streamlining the need for notification. Many of these changes would appear to be responding to recommendations from the various submissions on the 2015 exposure draft.

Further discussion on the differences between the three Bills is found in the Key issues and provisions section below.

Committee consideration

At the time of writing the Bill had not been referred to a parliamentary committee for inquiry and report.

Senate Standing Committee for the Scrutiny of Bills

The Committee has considered the Bill and noted that it includes a number of exceptions to the mandatory data breach notification provisions:

These exceptions limit the right to privacy as in such circumstances individuals will not be notified of an eligible data breach if one of the exceptions apply.[17]

However, the Committee chose not to make any further comment in relation to this matter given the detailed discussion about any limitation on the right to privacy contained in the explanatory material.[18]

Policy position of non-government parties/independents

From the time of its response to the 2008 ALRC Report on privacy, the Labor Party has consistently supported mandatory data breach notification. While in Government, Labor initiated the first legislation in 2013.

The Shadow Attorney-General Mark Dreyfus has been critical of the current Government’s delay in introducing legislation stating:

It has only taken Attorney-General George Brandis three years, but he has finally caught up with Labor’s proposed legislation for mandatory notification of consumers when their personal data has been breached.[19]

At the time of writing this Bills Digest, the Labor Party had not provided any public comment on the current Bill. However, in August, prior to the tabling of the Bill, the Shadow Attorney-General called on the Government to negotiate with Labor on the proposed legislation to ensure a speedy passage through Parliament.

Mr Dreyfus also cautioned the Government against bending to the wishes of the banking industry on this matter stating:

Senator Brandis will face the same resistance from special interests as Labor did when it first proposed this legislation three years ago, including the ridiculous assertion that it would be too large an administrative burden for banks to implement data breach alerts ... Mr Turnbull and Senator Brandis must not bend to the banking industry’s will on this very important issue.[20]

The Australian Greens support mandatory data breach notification and have also been critical of the Government’s delay in introducing legislation. On 2 February 2016 Senator Scott Ludlam called on the Attorney-General to explain to the Senate why such legislation had not been introduced, and to clarify the Government's intentions.[21]

The position of the crossbench Senators is not known at this date.

Position of major interest groups

At the time of writing, there appears to be little public reaction to the Bill from relevant interest groups. However, the Explanatory Memorandum notes that submissions generally supported the 2015 exposure draft, or supported it subject to technical change.[22] The Regulation Impact Statement to the Explanatory Memorandum states that of the 56 submissions received during the 2015–16 consultation, 38 strongly or conditionally supported the mandatory scheme:

These submissions were received from a wide range of sources including businesses from varied industry sectors, industry bodies, civil society groups, individuals, academia, regulators and government agencies. There were 12 submitters who didn’t express a definitive view although most of these did not expressly oppose a mandatory scheme. The majority of these were from industry groups. Six submissions opposed the proposed mandatory reporting scheme. Of these six, three were from digital marketing and games/entertainment businesses, two were from the health industry and one from the insurance industry.[23]

At this point, it is worth noting that small businesses are generally not subject to the Privacy Act and therefore would also be exempt from the mandatory notification scheme proposed in the Bill. The Regulatory Impact Statement attached to the Explanatory Memorandum explains the implications:

The proposed scheme will only apply to around 6% of Australian businesses. The Privacy Act exempts small businesses (entities with an annual turnover of $3 million or less) from the operation of the Privacy Act. This exemption does not apply to some small businesses, including those that provide a health service, are a credit reporting body, or trade in personal information. The Attorney-General’s Department commissioned statistical analysis from the Australian Bureau of Statistics that showed that in 2013 about 94% of entities on the ABS Business Register are below the $3 million threshold and are therefore not likely to be subject to the Privacy Act or the proposed scheme.[24]

The following is a small selection of views expressed in submissions during consultation on the 2015 exposure draft. The selection focuses on general concerns with the exposure draft and would apply equally to the current Bill.

Australian Bankers’ Association

The Australian Bankers’ Association (ABA) appreciated the detailed consultation process initiated by the Government, although it expressed some reservations about mandatory data breach notification. The ABA made some preliminary comments which the Association said were aimed at ensuring that the Government’s approach would avoid under-resourcing, and would limit implementation and ongoing costs for businesses complying with the law. One of the ABA’s concerns was that the scheme does not encompass ‘small business operators’. In the ABA’s view:

... small businesses often have the least mature privacy and security capabilities; nevertheless, in the information economy and with modern computing tools, a small business may still have a large customer base, or collect personal information about large numbers of individuals.

...

In addition, the ABA observes new businesses and start-ups may fall under the $3 million threshold; this could create a situation in which new entrants to an industry will be granted an unreasonable commercial advantage by not being required to comply with the notification obligation (to the detriment of their customers).[25]

Amongst other things, the ABA also made substantial comments about an appropriate threshold test for determining when to notify a data breach. These comments are discussed below in the Key issues and provisions section.

Law Council of Australia

In its submission on the 2015 exposure draft, the Law Council stated that it supported the passage of that Bill as a mechanism which would allow individuals whose personal information has been compromised in a serious data breach to take remedial steps to avoid potential adverse consequences.[26] The Law Council made a number of recommendations for amendment which it argues are further aimed at strengthening the Bill’s safeguards, clarity, transparency and oversight mechanisms. Some of these recommendations are discussed in the Key issues and provisions section below. In relation to the law enforcement exception, the Law Council submitted that the Commonwealth Ombudsman, who has oversight of the data retention regime for law enforcement bodies, is well placed to also have independent oversight of enforcement agencies’ exercise of powers in the Bill. To enhance oversight and public confidence in the proposed exception, the Law Council recommended that the exception be subject to annual reporting to the Parliament and appropriate oversight by the Commonwealth Ombudsman.[27]

The Law Council also raised the question of the resourcing of the OAIC, stating that it must be appropriately funded and resourced in order to properly oversee the data breach notification scheme.[28]

Electronic Frontiers Australia

Electronic Frontiers Australia (EFA) in its submission on the 2015 exposure draft commented generally that it has long been a supporter of the introduction of legislation requiring notification of data breaches involving personal data. In EFA’s view:

Mandatory data breach notification is an important addition to Australia’s privacy protection regime which EFA believes will provide an additional impetus for privacy and data security to be regarded as a critical organisational risk factor requiring attention at the highest levels of management among Australian organisations. It is particularly critical in the context of the mandatory retention regime for telecommunications data that came into effect in October 2015.

It is suspected that many organisations have avoided disclosure of serious data breaches in the past, demonstrating the inadequacy of the current voluntary notification regime.[29]

EFA had some concerns with the exposure draft which would also be applicable to the current Bill. In particular EFA is concerned that allowing enforcement agencies to self-determine whether a breach should be excepted from the notification requirement is likely to lead to exceptions becoming the default approach.[30] EFA also supports the Australian Privacy Foundation’s policy that the threshold for requiring notification should be based on either of the following conditions being satisfied:

  • a real risk of harm without qualifications such as proposed ‘serious’ risk or
  • a significant breach, whether or not real risk of harm has arisen.[31]

Australian Privacy Foundation

The Australian Privacy Foundation (APF) argued that the 2015 exposure draft went some way to provide a structure for notification of data breaches. However, in its view, the exposure draft had structural defects and weaknesses which made it a significantly less effective framework than it could be and thus diminished its likely effectiveness.[32]

The APF made several recommendations for amendment, some of which would also be relevant to the current Bill including:

  • there is an urgent need for a mandatory data breach notification scheme, and the case for a 12-month delay in implementing the regime has not been made out[33]
  • a serious data breach should constitute a serious interference with the privacy of an individual[34]
  • there should be a minimum of exceptions to notification and these should specify the precise circumstances in which they are available[35] and
  • all actions arising out of a breach of mandatory data breach notification provisions should be posted on the OAIC web site.[36]

The APF maintains that even with a satisfactory mandatory data breach notification regime, the limited scope and operation of the Privacy Act constitutes a fundamental flaw in regulation:

That small business can be excluded from the operation of the Privacy Act is an ongoing failure of public policy. The other exemptions, such as employment information and personal information held by media and political parties compound this problem ... The lack of broad coverage of the Privacy Act, including in relation to mandatory data breach notification provisions will, with time, cause both a regulatory problem and raise issues of fairness. Small businesses rely on the collection and use of personal information and are as prone to data breaches as businesses falling within the scope of the regime. That a small business operator should not be required to notify a client or customer of the misuse of his or her personal information while a slightly larger organisation must do so is inequitable. It may also lead to avoidable losses being suffered by an individual who is not notified.[37]

Financial implications

The Explanatory Memorandum states that this Bill has no significant impact on Commonwealth expenditure or revenue.[38]

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[39]

Parliamentary Joint Committee on Human Rights

At the time of writing the Committee had not reported on the Bill.

Key issues and provisions

What is an eligible data breach

Both the 2013 Bill and the 2015 exposure draft used the term ‘serious data breach’. Following consultations on the exposure draft, the Bill has been amended to refer to ‘eligible data breach’.[40]

Proposed section 26WE sets out the circumstances in which an ‘eligible data breach’ occurs. In short, an eligible data breach occurs when, in respect of personal information, credit reporting information, credit eligibility information or tax file number information held by a relevant entity required to comply with the Privacy Act, the following conditions are satisfied:

  • there is unauthorised access to, or unauthorised disclosure of, the information and
  • a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates (proposed paragraph 26WE(2)(a)).

In the case of loss of information, an eligible data breach occurs if (assuming that unauthorised access or unauthorised disclosure were to occur):

  • a reasonable person would conclude that it would be likely to result in serious harm to any of the individuals to whom the information relates (proposed paragraph 26WE(2)(b)).

These provisions apply to information subject to existing Privacy Act information security requirements held by:

  • APP entities[41] (proposed paragraph 26WE(1)(a))
  • credit reporting bodies (proposed paragraph 26WE(1)(b))
  • credit providers (proposed paragraph 26WE(1)(c)) and
  • tax file number recipients (proposed paragraph 26WE(1)(d)).

Threshold test for an eligible data breach

What is serious harm?

The Explanatory Memorandum explains that serious harm is broadly construed. It could include serious physical, psychological, emotional, economic and financial harm as well as serious harm to reputation.[42]

In contrast to the 2015 exposure draft, the current Bill does not contain a definition of harm. However, proposed section 26WG sets out a non-exhaustive list of relevant matters to have regard to when determining whether access or disclosure would be likely, or not likely, to result in serious harm:

  • the kind/s and sensitivity of the information
  • whether the information is protected by security measures and the likelihood any such security measures would be overcome including the use of an encryption key to circumvent the encryption technology or methodology
  • the persons or kinds of persons who have or could obtain the information
  • the likelihood that any persons who have or could obtain the information could obtain information or knowledge or circumvent any security technology or methodology applied to the information with the intent to cause harm
  • the nature of the harm and
  • any other relevant matters.

These factors would be considered according to a ‘reasonable person test’. The Explanatory Memorandum states that the ‘reasonable person’ element of this section makes clear that regard is intended to be had to these matters by considering information that would be available to a reasonable person in their position, including following reasonable inquiries, noting also that not all the matters listed will necessarily be particularly relevant in all circumstances:

While in some cases one matter may be determinative in considering whether a reasonable person would reach the aforementioned conclusion, in other cases, it may be that a reasonable person would only reach that conclusion when regard is had to the relevant matters as a whole.[43]

The 2013 Bill did not include such a list, but it was included in the 2015 exposure draft in response to concerns that additional guidance is needed for entities regulated by the scheme. The OAIC considers that this section will give entities more certainty about when the obligation to notify applies.[44]

The Explanatory Memorandum states most of these matters are based on matters identified in the current OAIC Data Breach Notification: A Guide to Handling Personal Information Security Breaches, or matters identified in the ALRC 2008 Report.[45] The Explanatory Memorandum also provides explanations and examples of how these matters should be interpreted.[46]

‘Likely to result in serious harm’

The 2016 Bill requires data breach reporting where a reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates.

In contrast, the 2013 Bill and the 2015 exposure draft required reporting of a data breach where there was a ‘real risk of serious harm’—‘real risk’ meaning a risk that is not a remote risk.

These different threshold tests are significant with the test in the current Bill arguably imposing a higher threshold and therefore resulting in fewer data breach notifications.

The 2008 ALRC report in its discussion on data breach notification noted that in international law the terms ‘likelihood’ and ‘real risk’ are similar and related:

In international law, the term ‘a real risk of serious harm’ has been defined to mean ‘a reasonable degree of likelihood’, ‘real and substantial danger’ and ‘a real and substantial risk’.[47]

The Australian Bankers’ Association submission on the Discussion Paper, Mandatory Data Breach Notification and Materials, argued that the term ‘real risk that is not a remote risk’ does not provide enough guidance to those agencies deciding when they should or should not notify:

The guiding principle is that the threshold test - where notification is required when there has been a serious data breach because it would result in a real risk of serious harm - should strike an appropriate balance between the interests of customers while minimising the impact of notification on businesses by being a test that is clear and can be relied on with certainty.

...

In the course of the consultation process it was suggested that for greater certainty “real risk” might be replaced with “likely risk” or “probable risk” of serious harm.

For banks, there is the possibility that a data breach could involve a very large number of a bank’s customers’ data and could involve multiple parties. It would be practically very difficult for the bank to identify the individuals who may be at risk of serious harm. Yet to notify all affected customers could lead to or contribute to “notification fatigue” and, more concerning, customers developing a form of “immunity” to numerous notifications particularly where there may not be steps a customer could take to mitigate their own risk.

The ABA is concerned that the test is still too vague and specific guidance, including case study examples of where the threshold is and is not met, is explicitly needed in the Bill or must be developed and published by the OAIC well before the scheme commences.[48]

The Regulation Impact Statement in the Explanatory Memorandum to the Bill explains why the threshold in the 2016 Bill is defined differently to that in the 2013 Bill and the 2015 exposure draft:

The vast majority of submitters to the 2012 consultation who commented on the possible design of a mandatory scheme were in favour of the ALRC’s recommended trigger for notification, or a variation of that test, i.e. a test based on a ‘real risk of serious harm’ to an individual. This would not require entities to report less serious privacy breaches to affected individuals or the OAIC.

However, in the 2013 targeted consultation and the 2015-16 consultation support was expressed for more explanation about, or a definition of what constitutes, ‘a real risk of serious harm’. Without this additional assistance, it was argued that some regulated entities may adopt a more risk adverse approach to notification by taking a narrow interpretation that could lead to notification fatigue and create resourcing issues at the OAIC.

To address this concern, the proposed model:

a. modifies the ALRC’s ‘real risk of serious harm’ threshold by introducing well-known legal concepts that involve an objective ‘reasonable person’ element and a reference to ‘likely risk’ rather than ‘real risk’ — retaining the core elements of the ALRC’s recommended test while improving ease of compliance for regulated entities.

b. has an exception providing that notification is not required if a reasonable person would conclude that serious harm is not likely as a result of remedial action taken by the entity (see below) and

c. provides a list of relevant matters, including encryption, when determining whether a reasonable person would conclude that there is a likely risk of serious harm to an individual.[49]

The different threshold test used in the current Bill is aimed at providing more certainty for entities that will have to decide when to notify a data breach. While the two tests are very similar, ‘likely to result in serious harm’ would appear to set a slightly higher threshold, particularly when combined with the list of relevant matters for consideration in proposed section 26WG. As already noted, the effect is that there would probably be fewer breaches reported under this test. Privacy advocates may be critical of this outcome, although businesses such as banks would appear to support it as a way of reducing the regulatory burden of mandatory data breach notification.

Exception to an eligible data breach—remedial action

A key change to the Bill since the exposure draft is the introduction of a ‘remedial action’ exception.

Proposed subsection 26WF(1) provides that the unauthorised access or disclosure of the information will not be an eligible data breach where, as a result of remedial action taken by the relevant entity in relation to the breach, before it results in serious harm to any individual to whom the information relates, a reasonable person would conclude that the access or disclosure of the information is unlikely to result in serious harm to any of those individuals.

In such cases where remedial action is taken and the unauthorised access or disclosure is determined not to be an eligible data breach, the entity will not be required to notify those individuals of the unauthorised access or unauthorised disclosure (proposed subsection 26WF(2)).

Similar exceptions apply in the case of lost information. Where there is a loss of information covered by proposed paragraph 26WE(2)(b), it will not be an eligible data breach where, as a result of remedial action taken by the relevant entity in relation to the breach, before it results in serious harm to any individual to whom the information relates, a reasonable person would conclude that the loss of the information is unlikely to result in serious harm to any of those individuals (proposed subsections 26WF(3) and (4)). In such cases where remedial action is taken and the loss is determined not to be an eligible data breach, the entity will not be required to notify those individuals of the loss (proposed subsection 26WF(5)).

Notification of eligible data breaches

Division 3 of Part IIIC contains obligations for entities to notify an eligible data breach, subject to certain exceptions.

Proposed section 26WH requires an entity to carry out an assessment of whether there is a suspected eligible data breach of the entity in certain circumstances. An assessment is required if:

  • the entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity and
  • the entity is not aware that there are reasonable grounds to believe that an eligible data breach of the entity has occurred.

This provision covers the circumstance where an entity has reason to suspect a breach but not enough information to be certain. Where the entity already has reasonable grounds to believe that an eligible data breach has occurred, an assessment is unnecessary and the entity can proceed directly to preparing a statement under proposed section 26WK.

The entity must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity (proposed paragraph 26WH(2)(a)). In addition, the entity must take all reasonable steps to ensure that the assessment is completed within 30 days after becoming aware of the reasonable grounds for the suspicion (proposed paragraph 26WH(2)(b)).

If the eligible data breach applies to more than one entity, only one entity needs to undertake an assessment for all entities to comply with this requirement (proposed section 26WJ).

An equivalent of proposed section 26WH was not included in the 2013 Bill. The introduction of this additional step of allowing entities time to assess whether notification is necessary would appear to be intended to appease submitters concerned about the regulatory burden and the uncertainty of determining when a data breach should be notified.

Proposed sections 26WK and 26WL set out the circumstances in which an entity must prepare a statement about an eligible data breach and provide that statement to the Commissioner.

Where an entity becomes aware (either by assessment, if required according to section 26WH above, or by other means) that there are reasonable grounds to believe that there has been an eligible data breach of the entity, the entity must meet the notification obligations as set out below as soon as practicable.[50] The Explanatory Memorandum states that what constitutes ‘reasonable grounds’ will vary depending on the circumstances.[51]

The statement must set out:

  • the identity and contact details of the entity (proposed paragraph 26WK(3)(a))
  • a description of the eligible data breach that the entity has reasonable grounds to believe has happened (proposed paragraph 26WK(3)(b))
  • the kinds of information concerned (proposed paragraph 26WK(3)(c)) and
  • recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened (proposed paragraph 26WK(3)(d)).

The entity must give a copy of this statement to the Information Commissioner (proposed subsection 26WK(2)).

Proposed section 26WL provides that, if it is practicable, the entity must also take such steps as are reasonable in the circumstances to notify the contents of the statement to:

  • each individual to whom the information relates or
  • each individual at risk from the eligible data breach.

The notification may be given using the method by which the entity normally communicates with the individual (if any).

If individual notification is not practicable, the entity must:

  • publish a copy of the statement on the entity’s website (if any) and
  • take reasonable steps to publicise the contents of the statement.

Exceptions to notification

There are exceptions to these notification obligations which include:

  • exceptions for law enforcement bodies in cases where the Chief Executive Officer of the particular body believes on reasonable grounds that compliance with a notification requirement would be likely to prejudice law enforcement activities (proposed section 26WN)
  • exceptions where, to the extent of the inconsistency, compliance with the notification requirement would be inconsistent with a law of the Commonwealth that prohibits or regulates the use or disclosure of information (proposed section 26WP)
  • exceptions declared by the Information Commissioner (either in response to an application from an entity or on the Commissioner’s own initiative) (proposed section 26WQ). In making such a declaration the Commissioner must be satisfied that it is reasonable in the circumstances to do so having regard to the public interest, any relevant advice from an enforcement body or the Australian Signals Directorate of the Defence Department, and any other relevant matters.

If the eligible data breach applies to more than one entity, only one entity needs to prepare the statement and give the notifications for all entities to comply (proposed section 26WM). The Explanatory Memorandum indicates that these provisions are designed to address situations involving outsourcing, joint venture or shared services arrangements.[52]

Proposed section 26WD provides an exemption in relation to eHealth information. An unauthorised access, unauthorised disclosure or loss of personal information cannot give rise to an eligible data breach if that access, disclosure or loss has been, or is required to be notified under the mandatory data breach notification requirement in section 75 of the My Health Records Act 2012. Mandatory data breach notification is already required in the event of unauthorised access to eHealth information under the My Health Records Act and the rationale for this exemption is to avoid imposing a double notification requirement.[53]

Commissioner written directions

Proposed section 26WR provides the Commissioner with the power to issue a written direction to an entity to provide notification of an eligible data breach. The information to be provided to the Commissioner and affected individuals will be the same as if the entity had initiated the notification itself, and the methods of communication will also be the same. Before giving a direction, the Commissioner must invite the entity to make a submission. In exercising this power, the Commissioner must be satisfied that the direction is reasonable in the circumstances, having regard to any relevant advice of an enforcement body or the Australian Signals Directorate of the Defence Department, any relevant submissions from the entity concerned and any other matters the Commissioner considers relevant.

Such a direction would be expected to primarily operate in cases where an entity fails to comply with its notification obligations.[54] The Explanatory Memorandum states that section 26WR Commissioner directions could also be enlivened in circumstances ‘such as where an eligible data breach comes to the attention of the Commissioner but has not come to the attention of an entity’.[55]

There are also exceptions where an entity would not be required to comply with Information Commissioner directions. An entity is not required to comply if compliance would be likely to prejudice enforcement-related activity of an enforcement body or would be inconsistent with a secrecy provision in another Australian law (proposed sections 26WS and 26WT).

Overseas entities

APP 8 requires organisations that disclose personal information to recipients outside Australia to take reasonable steps to ensure that the overseas recipient does not breach the APPs. Proposed subsection 26WC(1) provides that where APP 8 applies to a disclosure, the APP entity will retain accountability for an eligible data breach involving that personal information even though the APP entity might not otherwise be responsible for the breach.

This would mean that, where an entity has disclosed information to an overseas recipient, it may be liable for eligible data breaches of the recipient as though those breaches had happened to the entity itself. The Explanatory Memorandum provides a further description of how this provision would work.[56]

Enforcement and review

Section 13 of the Privacy Act outlines the circumstances that will result in an ‘interference with the privacy of an individual’. It includes for example breaches of the APPs and breaches of a registered APP code.

Item 2 would amend section 13 to add that failure to comply with the obligations relating to notification of a data breach in proposed subsections 26WH(2), 26WK(2), 26WL(3) or 26WR(10) would be deemed to be an interference with the privacy of an individual (proposed subsection 13(4A)). The effect of this amendment would be to engage the Commissioner’s existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act. The Explanatory Memorandum states that this includes:

... the capacity to initiate own motion investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.[57]

Existing section 13G of the Privacy Act provides that serious or repeated interferences with the privacy of an individual may attract a civil penalty of up to 2,000 penalty units or $360,000. Section 13G would apply where such failure to notify eligible data breaches would be considered serious or repeated.

The Cyberspace Law and Policy Community at the UNSW Faculty of Law (CLPC), in its comment on the 2015 exposure draft, noted that the Australian approach to penalties differs greatly from that of other jurisdictions. CLPC recommends that it would be preferable to have specific penalties for entities contravening the legislation, for example a specific monetary penalty per breach and an ongoing daily penalty for continued non-compliance. CLPC argues that the use of ‘softer penalties’ (as in the 2015 exposure draft Bill and also in this Bill) implies that prevention of a data breach is not one of the purposes of the amendment.[58]

Section 96 of the Privacy Act deals with the review of Information Commissioner decisions by the Administrative Appeals Tribunal (AAT). Item 4 amends section 96 to provide that the following Commissioner decisions relating to notifiable data breaches are also reviewable by the AAT:

  • a decision to refuse an application for a declaration of an exemption (subsection 26WQ(7))
  • a decision to make a declaration of an exemption (paragraph 26WQ(1)(d)) and
  • a decision to give a direction to notify a data breach (subsection 26WR(1)).

Concluding comments

The Bill is the third iteration of a legislative scheme for mandatory notification of data breaches. It has been described as long overdue, implementing a recommendation of the ALRC dating back to 2008 and a Government commitment made in 2015 with the enactment of its mandatory data retention legislation. Mandatory data breach notification has bipartisan support in the Parliament and previous iterations of this Bill have been the subject of consultation with opportunities for interest groups to submit their views to Government and the Parliament. It would appear therefore that there is no reason for the Bill’s operation to be delayed.

It is a significant Bill. In terms of consumer privacy protection, it will help keep Australians’ personal information more secure in the digital age, when there is evidence that data breaches and data security are an ever increasing problem. Perhaps of equal importance, it is likely to have the secondary effect of encouraging agencies and private sector organisations to improve their data security practices.

That said, the Bill does have more limited application than might initially be thought. Due to current exemptions in the Privacy Act, mandatory notification of data breaches will not apply to organisations such as many small business enterprises, political parties, media organisations and national security agencies. Furthermore, the Bill would appear to be more cautious than its predecessors, including amongst other things a higher threshold test for determining what is an ‘eligible data breach’ and a new exception allowing entities to avoid notification where they take remedial action before any serious harm has occurred. Some of these changes will presumably be welcomed by big businesses such as banks that have lobbied that the previous Bills would impose a heavy regulatory burden and result in notification fatigue amongst consumers. Others, such as privacy advocates who saw structural defects in the previous Bills, may see the amendments as providing an even less effective framework for a mandatory data breach reporting scheme and further diminishing the Bill’s effectiveness.

 


[1]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, p. 2.

[2]. Australian Law Reform Commission (ALRC), For your information: Australian privacy law and practice, ALRC report, 108, Sydney, 12 August 2008, paragraph 51.1. Mandatory data breach notification laws apply in the European Union including the United Kingdom and some 47 American states. Attorney-General’s Department (AGD), Mandatory data breach notification, Discussion paper, AGD, Canberra, December 2015, p. 12.

[3]. For example, sections 20Q and 21S of the Privacy Act impose equivalent obligations to APP 11 on credit reporting agencies and all credit providers.

[4]. Office of the Australian Information Commissioner (OAIC), Data breach notification: a guide to handling personal information security breaches, OAIC, Sydney, August 2014.

[5]. Ibid.

[6]. OAIC, Submission to AGD, Inquiry into mandatory data breach notification discussion paper, 3 March 2016, p. 2.

[7]. Ibid.

[8]. ALRC, For your information, op. cit., pp. 1668–1669.

[9]. Ibid., recommendation 51–1.

[10]. Parliamentary Joint Committee on Intelligence and Security, Report of the Inquiry into Potential Reforms of Australia's National Security Legislation, May 2013, Recommendation 42.

[11]. Parliamentary Joint Committee on Intelligence and Security, Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, February 2015, Recommendation 38.

[12]. Parliament of Australia, ‘Privacy Amendment (Privacy Alerts) Bill 2013 homepage’, Australian Parliament website. See also: MA Neilsen, Privacy Amendment (Privacy Alerts) Bill 2013, Bills digest, 146, 2012–13, Parliamentary Library, Canberra, 2013.

[13]. Privacy Amendment (Notification of Serious Data Breaches) Bill 2015: exposure draft.

[14]. In the following Parliament the Labor Party, then in opposition, re-introduced this Bill as a private member’s Bill: Parliament of Australia, ‘Privacy Amendment (Privacy Alerts) Bill 2014 homepage’, Australian Parliament website.

[15]. G Brandis (Attorney-General) and M Turnbull (Minister for Communications), Government response to Committee report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, joint media release, 3 March 2015.

[16]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, op. cit., p. 2.

[17]. Senate Standing Committee for the Scrutiny of Bills, Alert digest, 8, 2016, The Senate, 9 November 2016, p. 31.

[18]. Ibid.

[19]. M Dreyfus (Shadow Attorney-General), Brandis finally catches up with privacy alert commitment, media release, 22 August 2016.

[20]. Ibid.

[21]. Australia, Senate, Journals, 135, 2015–16, 2 February 2016.

[22]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, op. cit., p. 2.

[23]. Ibid., p. 53.

[24]. Ibid., pp. 40–41.

[25]. Australian Bankers’ Association, Submission to AGD, Inquiry into mandatory data breach notification discussion paper, 4 March 2016, pp. 2–3.

[26]. Law Council of Australia, Submission to AGD, Inquiry into mandatory data breach notification discussion paper, 4 March 2016, p. 3.

[27]. Ibid., p. 15.

[28]. Ibid., p. 16.

[29]. Electronic Frontiers Australia, Submission to AGD, Inquiry into mandatory data breach notification discussion paper, 7 March 2016, p. 3.

[30]. Ibid.

[31]. Ibid.

[32]. Australian Privacy Foundation, Submission to AGD, Inquiry into mandatory data breach notification discussion paper, 4 March 2016, p. 1.

[33]. Ibid., p. 2.

[34]. Ibid., p. 5.

[35]. Ibid., p. 6.

[36]. Ibid.

[37]. Ibid., p. 2.

[38]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, op. cit., p. 3.

[39]. The Statement of Compatibility with Human Rights can be found at pages 58–63 of the Explanatory Memorandum to the Bill.

[40]. For example the Law Council of Australia submitted that the phrase ‘serious data breach’ of itself has a heavy emotional weight and that more qualified language should be used. Law Council of Australia, Submission to AGD, op. cit., p. 6.

[41]. APP entities consist of most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses.

[42]. By way of comparison, the 2015 exposure draft contained a definition of ‘harm’ as including: physical harm; psychological harm; emotional harm; harm to reputation; economic harm; and financial harm. The Law Council amongst others recommended that this definition be removed. Law Council of Australia, Submission to AGD, op. cit., p. 12.

[43]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, op. cit., p. 75.

[44]. OAIC, Submission to AGD, op. cit.

[45]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, op. cit., p. 75.

[46]. Ibid., pp. 74–79.

[47]. ALRC, For your information, op. cit., p. 1690.

[48]. ABA, Submission to AGD, op. cit., p. 4.

[49]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, op. cit., p. 28.

[50]. What constitutes a ‘practicable’ timeframe for the purposes of paragraph 26WK(2)(b) to prepare a subparagraph 26WK(2)(a)(i) statement and give a copy of the statement to the Commissioner will vary depending on the time, effort or cost required to comply with paragraph 26WK(2)(b), when considered in all the circumstances of the entity and the data breach. Ibid., p. 84.

[51]. For example, a pattern of complaints may provide the entity reasonable grounds to believe that an eligible data breach of the entity has occurred. On the other hand, if the complaints merely provide the entity with reason to suspect that there has been an eligible data breach of the entity, the assessment requirement under section 26WH will apply. Ibid., p. 84.

[52]. Ibid., p. 89.

[53]. Ibid., p. 68.

[54]. AGD, Mandatory data breach notification, discussion paper, op. cit., p. 6.

[55]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, op. cit., p. 98.

[56]. Ibid., p. 43.

[57]. Ibid., p. 6.

[58]. Cyberspace Law and Policy Community (CLPC), Submission to AGD, Inquiry into mandatory data breach notification discussion paper, 7 March 2016, p. 7.

 

For copyright reasons some linked items are only available to members of Parliament.


© Commonwealth of Australia


Creative Commons

With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.

In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.

To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.

Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.

Disclaimer: Bills Digests are prepared to support the work of the Australian Parliament. They are produced under time and resource constraints and aim to be available in time for debate in the Chambers. The views expressed in Bills Digests do not reflect an official position of the Australian Parliamentary Library, nor do they constitute professional legal opinion. Bills Digests reflect the relevant legislation as introduced and do not canvass subsequent amendments or developments. Other sources should be consulted to determine the official status of the Bill.

Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library‘s Central Enquiry Point for referral.