Late last week, the Attorney-General’s Department released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (2015 Bill), which will, if passed, require entities subject to the Privacy Act 1988 (Cth) to notify the OAIC and any affected individual following a “serious data breach” such as unauthorised access to the entity’s computer systems. This consultation process implements (albeit more slowly than anticipated) a commitment given by the Attorney-General and then Minister for Communication (now Prime Minister Turnbull) in March 2015 to consult on the form of mandatory data breach notification legislation with a view to implementing such laws by December 2015. This commitment was made in connection with the implementation of telecommunications data retention legislation, which we have discussed previously.
The 2015 Bill is similar in most respects to the Privacy Amendment (Privacy Alerts) Bill 2013 (2013 Bill), on which we have previously commented. The 2013 Bill lapsed as the then Federal Government entered into the caretaker period prior to the September 2013 election.
Comments on the exposure draft are due 4 March 2016. The exposure draft and associated documentation can be found on the Attorney-General’s Department website.
Who has to comply?
The 2015 Bill applies to:
- APP entities that hold personal information relating to one or more individuals that the entity must take reasonable steps to keep secure under APP 11.1; or
- credit reporting bodies that hold credit reporting information relating to one or more individuals that the body must take reasonable steps to keep secure under section 20Q(1) of the Act; or
- credit providers that hold credit eligibility information relating to one or more individuals that the provider must take reasonable steps to keep secure under section 21S(1) of the Act; or
- file number recipients that hold tax file number information relating to one or more individuals that the recipient must keep secure pursuant to rules made under section 17 of the Act.
What notification must be given, and when?
The key obligation of the 2015 Bill is that where an entity is aware, or ought reasonably to be aware, that there are reasonable grounds to believe there has been a “serious data breach”, then as soon as practicable after becoming aware (or after it ought reasonably to have become aware), it must prepare a statement setting out various matters. The entity must provide a copy of that statement to the Privacy Commissioner, and either take reasonable steps to notify the content of the statement to each individual to whom the affected information relates or, if that is impracticable, publish the statement on its website and take reasonable steps to publicise the contents (which may include taking out an advertisement in a newspaper or publishing an announcement through social media channels such as Facebook or Twitter). The 2013 Bill simply required that notifications be made “as soon as practicable”, but in the 2015 Bill “as soon as practicable” is stated to “include” the time taken to carry out a reasonable assessment of whether there are reasonable grounds to believe there has been a “serious data breach”, provided such assessment is carried out within 30 days.
However, there is a carve-out to the obligation to notify if, after the entity becomes aware (or ought reasonably to have been aware) of the reasonable grounds to believe a serious data breach has occurred, the entity carries out a reasonable assessment within 30 days and determines that the incident (if any) does not amount to a serious data breach. In other words, there is no obligation to notify if an assessment of an incident which was initially believed to be serious reveals that the breach should be downgraded from “serious”.
The matters to be included in the statement include the identity and contact details of the entity, a description of the serious data breach that the entity has reasonable grounds to believe has happened, and recommendations about the steps that individuals should take in response to the serious data breach.
What is a “serious data breach”?
The 2015 Bill defines a “serious data breach” as where:
- there is unauthorised access to or unauthorised disclosure of the relevant information:
  - which will result in a real risk of serious harm to an individual to which that information relates; or
  - where that information is of a kind specified in the regulations; or
- the relevant information is lost in circumstances where:
  - unauthorised access or unauthorised disclosure of that information is likely to occur and will result in a real risk of serious harm to an individual to which that information relates; or
  - unauthorised access or unauthorised disclosure of that information may occur, and that information is of a kind specified in the regulations.
The 2015 Bill provides a list (in new section 26WB(3)) of the relevant matters that must be considered when making the assessment of whether there is a real risk of serious harm, including the nature and sensitivity of the information, whether it is or could be easily converted to a form intelligible to an ordinary person, the nature of the harm that might result and the steps the entity is taking to mitigate the harm. The 2015 Bill also defines “harm” to explicitly include physical harm, psychological harm and emotional harm, in addition to harm to reputation, economic harm and financial harm (the latter three each being previously included in the 2013 Bill).
One relevant factor that must be considered is whether the information is in a form that is intelligible to an ordinary person (including if it is subject to some form of encryption) and, if so, the likelihood that it could be converted into an intelligible form. The explanatory memorandum (EM) accompanying the exposure draft suggests that in considering these matters, an ordinary person is to be assumed to have access to software and other technology that is publicly available and commonly used (e.g. if the information is in a file format that can be read using some common software, such as Adobe Acrobat Reader or a Microsoft Office application). At first blush, it would seem from this that the risk of a serious data breach will be low if information that is subject to some relatively sophisticated encryption accidentally falls into the hands of an ordinary person, through the loss of a work device or other mishap. However, the EM goes on to state that this will not necessarily be the case if the encryption could be broken by a sophisticated attacker. Given that even the best encryption may be circumvented by a determined and skilled hacker, if the courts or the Privacy Commissioner were to accept the position as described in the EM, there may be few scenarios in which encryption alone would be sufficient to avoid the risk of serious harm so as to render a breach notification unnecessary. In our view, this would not be a sensible result, and this is an aspect on which we expect some submissions will be made.
In some cases, where the entity has disclosed information to an overseas recipient, it may be liable for serious data breaches of the recipient as though those breaches had happened to the entity itself (consistent with the accountability principle of section 16C of the Act).
Failure to prepare and provide the statement is considered an “interference with the privacy of an individual”. Under the existing section 13G of the Act (which will not be changed by the 2015 Bill, if passed), serious or repeated interferences with the privacy of an individual may attract a civil penalty of 2,000 penalty units.
As we discussed in our previous writings, however, the more significant consequence of a mandatory breach notification regime is that such notices can appear to be admissions of liability, and may lead to class action litigation filed against the notifying party. This is so even though the Privacy Act does not require entities to be incident-free, only to take reasonable steps to prevent unauthorised access and not to use or disclose personal information for an improper purpose. Neither of these obligations is breached merely because a hacker gained access to personal information held by the entity.
Key differences to the 2013 Bill
The bulk of the 2015 Bill is the same (or substantially similar in effect) as the content of the 2013 Bill – although there are some key differences.
The test under the 2015 Bill is similar to the “real risk of serious harm” test in the 2013 Bill, but a critical difference is that the obligation to notify also arises “when the entity ought reasonably to be aware” of the serious data breach, not just when it is actually aware. This may be a significant practical difficulty for affected entities, as serious data breaches are often only discovered months after they actually occurred – under the 2015 Bill, whenever a breach becomes known, the entity in question (and the Commissioner) must perform an assessment to determine the date on which the entity ought reasonably to have been aware that reasonable grounds existed. This is because the 30 day period in which to notify affected individuals and the Commissioner starts to run from the earlier of the date on which the entity actually became aware of the relevant serious data breach and the date on which the entity ought reasonably to have been aware.
Our initial view is that this proposed objective test of awareness will only add complexity to the process and not achieve any practical protection of individuals’ data. This is because the Act already protects individuals against entities who may choose to be wilfully blind to security breaches by failing to implement monitoring systems to alert those entities to such breaches. In our view, such conduct would, in the vast majority of instances, contravene the security principle (APP 11), so individuals already have a legal right against the entity in such a scenario. It is difficult to see what additional protection is afforded by potentially adding a second kind of “interference with privacy” to the list of contraventions arising from the same conduct.
The obligation under the 2013 Bill required entities that suffered a serious data breach to notify individuals that were “significantly affected” by the data breach. The concept of “significantly affected” has been removed from the 2015 Bill – the obligation is now to notify any individual to whom the relevant information relates, which may include individuals whose particular information has not been lost or subject to unauthorised access. Even if this may mean that more individuals are notified than would have been the case under the 2013 Bill, it has the advantage of practical simplicity – affected entities are not obliged to make an assessment of how significantly each individual would have been affected by a data breach, a very difficult task.