CHAPTER 2

KEY ISSUES

2.1        Some submissions, including those of the Australian Law Reform Commission (ALRC) and the Office of the Australian Information Commissioner (OAIC), strongly supported the introduction of mandatory data breach notification provisions for Commonwealth government agencies and certain private sector organisations.[1] Submissions also highlighted key concerns, including:

'Real risk of serious harm'

2.2        Proposed new sections 26X-ZA of the Privacy Act 1988 (Cth) (Privacy Act) establish the circumstances in which APP entities, credit reporting bodies, credit providers and file number recipients will have committed a 'serious data breach'. One of the conditions is that the breach will result in a real risk of serious harm to any of the individuals to whom the information relates.[2]

2.3        Some submissions questioned the meaning of the phrase 'real risk of serious harm' or its various elements (such as 'serious harm' and 'real risk'),[3] with submitters suggesting ways in which this ambiguity could be ameliorated or rectified.

2.4        The Australian Bankers' Association (ABA) submitted that the meaning of the criterion will be unclear in an entity's operational environment: 'the issue for entities is going to be determining what to report and what not to report'.[4] The ABA suggested that, if the Bill is enacted 'it is critical for the [Australian Information Commissioner (Commissioner)] to be required to develop guidelines for industry on this matter'.[5]

2.5        The Office of the Victorian Privacy Commissioner (Victorian Privacy Commissioner) acknowledged that the Commissioner could be granted legal authority to provide guidance on issues of definition but 'any OAIC guidance will be merely persuasive'. The Victorian Privacy Commissioner suggested:

Ultimately, the best way to determine the trigger for notification is not through abstract legislative definitions (irrespective of whether such definitions are exclusive or inclusive) but by the [Commissioner] developing binding guidelines to flesh out these terms and providing the Commissioner with an ability to amend those guidelines as circumstances, harms and risks evolve.[6]

2.6        The Communications Alliance submitted that there should be a 'threshold test that industry can use to determine whether 'serious harm' could or would be caused'. Its submission warned that, in the absence of a definition of 'serious harm', there is a possibility of entities inadvertently undermining the objectives of the Bill:

[I]n the absence of a definition of 'serious harm', it is possible that the legislation will cause an organisation to take a risk-averse position in order to avoid breaching such an obligation. This could, potentially, result in over-reporting of relatively minor data-related errors.[7]

2.7        By contrast, the Australian Privacy Foundation (APF) did not support the 'real risk of serious harm' threshold, whether or not it was clarified by the Commissioner or in the Bill. In the APF's view, the threshold should not be set at too high a risk of harm, and risk of harm should not be the only trigger for notification (at least to the Commissioner):

Aggregation of terms limiting the nature of the harm that triggers notification increases the risk that organizations will argue that one or other aggregated term does not apply to them. For example, a phrase such as "real risk of serious harm" is a very high threshold, because of the combination of 'real' (i.e. 'not remote') risk, 'serious' harm (with no clear notion of seriousness) and 'harm' which may be given a limited definition...

In addition, a second trigger is necessary. Any significant breach should be subject to notification in any case. If that were not the case, then a significant insecurity would not become apparent, and would not be addressed, and it would be very likely that it would later give rise to a serious breach that was eminently avoidable. A single threshold test would result in a scheme which was a failure.[8]

Government response

2.8        The Explanatory Memorandum (EM) explicitly states that the definition of 'serious data breach', including the element of a 'real risk of serious harm', is intended to capture only those breaches which are significant enough to warrant notification:

This will ensure the Government does not create or impose an unreasonable compliance burden on entities regulated by the scheme, and [will] avoid the risk of 'notification fatigue' among individuals receiving a large number of notifications in relation to non-serious breaches.[9]

2.9        In particular, the EM notes that a 'real risk of serious harm to the individual to whom the information relates...is the standard recommended by the ALRC' (Recommendation 51-1(a)), and is incorporated into the Commissioner's voluntary data breach guidelines, Data Breach Notification: A guide to handling personal information security breaches (OAIC guide).[10] The Attorney‑General's Department (Department) submitted:

[The proposed standard] is therefore a commonly understood concept amongst agencies and organisations that have sought to comply with the OAIC guide.[11]

2.10      The Department explained further that the proposed concept of 'serious harm' is also based on the OAIC guide. In addition to that term being well understood, the Department emphasised the flexibility of the OAIC guide to adapt to specific contexts and to evolve over time:

Accordingly, rather than seek to prescribe a definition in legislation, it is preferable that the OAIC develop guidance about the particular circumstances and factors that might be relevant to the question of harm. This is a common approach taken in privacy regulation, which is more principles-based in nature. It is intended that a revised OAIC guide will continue to provide guidance on the factors that entities should consider when assessing whether the harm is 'serious'.[12]

2.11      In this context, the OAIC advised that, if the Bill proceeds, 'the OAIC will prioritise the amendment of the [OAIC guide] to address and provide clarity on the operation of the new mandatory notification requirements'.[13]

Mandatory notification provisions

2.12      Proposed new section 26ZB of the Privacy Act requires an entity to undertake three specific actions, as soon as practicable, after forming a reasonable belief that a 'serious data breach' has occurred:

2.13      Liberty Victoria welcomed the proposed mandatory notification provisions, submitting that the proposed process reflects similar processes in environmental protection legislation, as well as providing 'a beneficial remedy [and] deterrent to lax procedures for organisations and entities upon whom the requirement is imposed'.[18]

2.14      The Communications Alliance argued however that the specific actions outlined in proposed new section 26ZB are contrary to good business practice, as reflected in the OAIC guide:

[G]ood business practice would be to (a) contain the breach and do an assessment; (b) evaluate the risks; and then, if necessary, notify those affected by the breach. It is concerning that the Bill places more emphasis on notifying – and potentially confusing or alarming customers – than containing the breach, rectifying the issue and preventing its reoccurrence.[19]

2.15      The ABA referred to proposed new subsection 26ZB(12), which provides for regulations to declare that one or more specified conditions are 'general publication conditions' for the purposes of the section. The ABA expressed concern regarding the uncertain scope of the 'general publication conditions' notification model:

There is a critical element of the notification model in the Bill that is missing because it is unclear what "general publication conditions" will mean if these conditions are satisfied. Without this definition, the real impact of the Bill cannot be assessed because the meaning of this expression will be covered by a regulation-making power in the Bill. Regulations dealing with this aspect have not been provided with the Bill.[20]

Government response

2.16      The Department submitted that there are a range of factors which might be relevant to 'general publication conditions', such as the type of entity involved or the location of the affected individuals:

The making of regulations would enable more flexibility in allowing these matters of detail to be changed as notification processes develop into the future.

For example, the regulations could provide that the 'general publication conditions' are met:

2.17      The Department assured the committee that the development of privacy regulations would be conducted in close consultation with relevant stakeholders, including interest groups. The Department noted also that any regulations made would be subject to disallowance by the parliament as disallowable instruments.[22]

2.18      In response to concerns regarding the order of the actions set out in proposed new section 26ZB, the Department contended that the Bill will not depart from the approach adopted in the OAIC guide:

The OAIC guide contains numbered steps to take in response to a data breach, but notes that particular steps may be taken simultaneously or in quick succession. Further, the OAIC guide states that immediate notification should be the first step if appropriate.

Therefore, the Bill does not have the effect of prioritising notification over other remedial action. The new notification requirement is completely consistent with the existing OAIC guide, and will complement existing legislative requirements that must be complied with in responding to a data breach.[23]

Exceptions to the mandatory notification provisions

2.19      Proposed new section 26ZB of the Privacy Act wholly or partially exempts some entities from the measures proposed in the Bill.[24] For example, the Commissioner will be empowered to issue a written notice of exemption on public interest grounds, on the application of an entity or on the Commissioner's own initiative. This exemption would apply to the totality of the notification requirements set out in proposed new section 26ZB.[25]

Opposition to the proposed measure

2.20      Some submissions expressed concern with the proposed exceptions to the mandatory notification provisions, arguing that the provisions should be narrower, if they are to be legislated at all, and be subject to a greater degree of accountability and transparency.

2.21      Liberty Victoria, for example, submitted that a 'large part of the Bill is dedicated to exceptions', the breadth of which Liberty Victoria opposed. In relation to the proposed public interest exemption, Liberty Victoria argued:

[T]his exemption should be limited to subsections (1)(g) & (h) [the notification requirement] and not provision of the statement to the Commissioner...[I]t might be preferable to allow certain classes of matter to be referred to the Commissioner by enforcement bodies seeking a recommendation as to disclosure or non-disclosure or exemption under the new part, rather than the enforcement body clothing itself with total immunity and exercising their own broad exemption for all classes of data breach for all time.[26]

2.22      The APF argued that the mandatory notification provisions should apply to all organisations and all personal information that are 'reasonably within reach of Commonwealth jurisdiction'.[27] Its views in regard to exemptions were consistent with those of the Cyberspace Law and Policy Centre, which submitted:

Exceptions, if they are permitted, should be limited to named entities not classes, require full justification and verification, be limited in duration to the minimum time necessary, not allow failure to inform the regulator, and otherwise be as limited as possible...Similarly, the OAIC's operation of the scheme should not be subject to discretionary variation or exceptions; where discretions exist they should be defined, and transparently reported. This Bill should not set up a scheme where there is an endless queue to the Commissioner's door for secret exemptions, which would undermine the purpose of the Bill, and the basis of public trust and confidence that they will be able to find out if there is a breach; this would be both a waste of the Commissioner's time, which is better spent pursuing breaches and complaints, and undermines the expectation of compliance.[28]

2.23      Mr Bruce Arnold, a lecturer in privacy, secrecy and data protection law at the University of Canberra, also did not support endowing the Commissioner with discretionary power to grant exemptions to the mandatory notification requirement:

Supervision by the [Commissioner] of mandatory breach reporting should not be fundamentally weakened through scope for discretionary exceptions. For the purposes of public administration we should reduce the subjectivity that results in 'closed door' deal-making – and requests for deals. Consistency and transparency will reinforce the credibility of the [OAIC], which has been eroded by perceptions that the organisation is either very permissive or naïve[.][29]

Government response

2.24      In determining whether an exemption notice will be issued on the grounds of public interest, the EM indicates that guidance on the relevant factors will be developed by the Commissioner and be made available to stakeholders:

In that respect, the ALRC commented that [provisions such as those establishing the discretionary exemption power on public interest grounds] could cover situations, for example, where there is a law enforcement investigation being undertaken into a data breach...and notification would impede that investigation, or where the information concerned matters of national security. This provision is intended to cover cases of that nature (where these activities, or the information concerned, are not already exempt from the scheme), particularly where a private sector organisation suffers the data breach and is responsible for reporting. In those situations, a Commonwealth agency or private sector organisation would have grounds to seek this exemption on advice from an enforcement body or intelligence agency.[30]

Committee view

2.25      The committee supports enhanced privacy protection for individuals whose personal information has been accessed by, or disclosed to, a third party as the result of a 'serious data breach'. The committee notes the Commissioner's evidence that data breaches are under-reported and on the increase within Australia.[31]

2.26      The measures proposed in the Bill are supported by the ALRC, which specifically recommended such a reform to help resolve the situation of individuals being adversely affected by the compromise of their personal information. The Commissioner has also expressed unconditional support for the Bill, as did consumer advocates who participated in the inquiry. The committee agrees that the proposed reform is 'long overdue' and would benefit Australian consumers, as well as industry stakeholders, who would be simultaneously encouraged to effect and maintain high‑quality data security practices.

2.27      A public consultation paper was released by the Department in October 2012, seeking the community's view on whether a mandatory data breach notification law should be introduced in Australia and, if so, how the law should be framed.[32] This was followed by a confidential targeted consultation in respect of a more detailed legislative model in April 2013.[33] The committee considers that stakeholders have been afforded ample opportunity to comment on the proposals in the Bill, noting that the matters under consideration were first raised in 2008 by the ALRC.

2.28      The trigger for mandatory notification concerned several submitters. While the committee acknowledges these concerns, the Department pointed out that this threshold has been implemented in the voluntary data breach guidelines since 2008, when the ALRC recommended the standard. The committee therefore accepts the Department's view that the threshold is familiar to stakeholders, and agrees that it is preferable for the Commissioner to continue to issue guidance on the meaning of a 'real risk of serious harm', as circumstances require. In this context, the committee notes that the Commissioner is already considering amendments to the OAIC guide, to account for the changes to be introduced by the Bill.

2.29      Accordingly, the committee concludes that the Bill should be passed.

Recommendation 1

2.30      The committee recommends that the Senate pass the Bill.

Senator Trish Crossin
Chair