Mandatory Data Breach Reporting – what you need to start doing right now
An entity that is required to comply with the Privacy Act 1988 must take reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. This extends to situations where an entity engages a third party to store, maintain or process personal information on its behalf.
In February of this year the Commonwealth government passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which will amend the Privacy Act, making it mandatory for companies and organisations to report "eligible data breaches" to the Office of the Australian Information Commissioner (OAIC) and any affected, at-risk individuals.
Does the Privacy Act apply to my organisation?
Australian Government agencies and all businesses and not-for-profit organisations with an annual turnover more than $3 million have responsibilities under the Privacy Act, subject to some exceptions.
Some small business operators (organisations with a turnover of $3 million or less) are covered by the Privacy Act including:
- private sector health service providers. Organisations providing a health service include:
- traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professional
- complementary therapists, such as naturopaths and chiropractor
- gyms and weight loss clinics
- child care centres, private schools and private tertiary educational institutions.
- businesses that sell or purchase personal information
- credit reporting bodies
What are reasonable steps?
The reasonable steps entities should take to ensure the security of personal information will depend on the circumstances, including the following:
- the nature of the entity holding the personal information
- the amount and sensitivity of the personal information held
- the possible adverse consequences for an individual
- the information handling practices of the entity holding the information
- the practicability of implementing the security measure, including the time and cost involved
- whether a security measure is itself privacy invasive.
Reasonable steps would include:
- Performing or conducting Privacy Impact Assessments (PIA)
- Implementing Privacy by design principles
- Performing information security risk assessments
- Creating and maintaining a Privacy Policy
- Having a comprehensive and up to date set of information security policies
- Restricting physical and logical access to personal information on a "need-to-know" basis
- Keeping your software up to date and current
- Employing multi factor authentication
- Configuring your systems for security
- Employing end point security software
- Security monitoring tools to detect breaches
- Using network security tools
- Penetration testing exercises
- Vulnerability assessments
- Having a data breach response process
What is mandatory data breach notification?
Mandatory data breach notification is a legal requirement designed to protect the individuals affected by a data breach so that they may take the necessary steps and measures to protect themselves from any harm or damage. Notifying affected individuals is good privacy practice, as it gives each person the opportunity to take proactive steps to protect their personal information and also helps to protect an organisation's reputation by displaying transparency and openness.
The mandatory data breach notification scheme being introduced will require entities to promptly notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of an "eligible data breach".
When has an eligible data breach occurred?
An eligible data breach occurs when:
- there has been unauthorised access to, or disclosure of, personal information and a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the access or disclosure; or
- personal information is lost in circumstances that are likely to give rise to unauthorised access to, or disclosure of, the information and a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals.
Examples of a data breach would include and not be limited to:
- Loss of a computer or data storage device containing personal information
- Unauthorised access to personal information as a result of a hacking attack or data breach
- Employees or contractors accessing or disclosing personal information outside the bounds of their employment
- Emailing, sending or simply providing personal information to the incorrect people
What constitutes serious harm?
Serious harm, in this context, could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity's position would identify as a possible outcome of the data breach.
In making an assessment of the level of harm, an organisation needs to consider the nature and sensitivity of the personal information, whether the information is protected by some type of security measures (e.g. encryption), who has obtained or accessed, or could obtain or access, the information, and the nature of the harm to affected individuals.
What does notification entail?
In the event of an eligible data breach, an entity is required to notify the Commissioner and affected individuals as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach (unless an exception applies). The notification statement must include:
- the identity and contact details of the entity
- a description of the serious data breach
- the kinds of information concerned, and
- recommendations about the steps that individuals should take in response to the serious data breach
Notification must occur as soon as practicable after the preparation of the statement and may be made using the method normally used by the entity in communicating with the individuals. Depending on the situation, other methods of notification are permissible, for example, if an entity is unable to notify each affected individual, notification via the entity's website if one exists, would be satisfactory.
What if I'm not sure if an eligible breach has occurred?
If an entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity then the entity must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity and take all reasonable steps to ensure that the assessment is completed within 30 days after the entity becomes aware.
In essence, if you believe a data breach has occurred then you must undertake an investigation to determine if the breach must be reported or not. Your investigation must be completed within 30 days after you become aware.
Are there any exceptions to the requirement to notify?
Yes. Following a data breach, where an entity has taken remedial actions and steps to address any potential harm to individuals that may arise due to the data breach, before any serious harm is caused to individuals to whom the information relates, the mandatory notification obligations will not apply. The key test is whether or not a reasonable person would conclude, as a result of the actions taken, that the access or disclosure or loss of information would not be likely to result in serious harm to any of the individuals to whom the personal information relates.
This exemption demonstrates the value of early detection of data breaches and well thought out actions. The ability of an organisation to detect a data breach and take action in respect of reducing any potential damage to individuals whose personal information has been disclosed or lost, will play an important part in mitigating the potential damage that such an incident can cause.
Other exemptions are also listed in the Act.
Are there any penalties if I don't comply?
Yes. Failure to comply with the new regulations will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act. This will engage the Commissioner's existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act. This includes the capacity to undertake Commissioner initiated investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interference with privacy. Serious or repeated interference with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.
What should I do?
Organisations and businesses subject to the Privacy Act should now take steps to ensure that their processes and procedures will enable them to meet the new obligations when they come into effect in February 2018.
We recommend you ensure that your data breach incident response process is updated to include steps to:
- Identify if an eligible data breach has occurred
- Investigate any suspected security incidents to determine if an eligible data breach has occurred so that it can be reported
- Assess the risk of serious harm to affected individuals if personal information is disclosed or lost
- Notify affected individuals and the OAIC
- Review any contracts with third parties who hold personal information on behalf of your organisation and ensure that adequate contractual provisions are in place to manage compliance with the notification regime
Your plan should be updated and then tested to make sure that it is effective, works as intended and everybody that is part of the plan is aware of their roles and responsibilities.
The introduction of the new legislation is a good opportunity to assess and measure your compliance with the Privacy Act provisions.