25 October, 2016
PRIVACY AMENDMENT (NOTIFIABLE DATA BREACHES) BILL 2016
WHAT YOU NEED TO KNOW
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was introduced to Parliament on 19 October 2016
If passed, the Bill will require entities regulated under the Privacy Act 1998 (Cth) to notify affected individuals and the OAIC of data breaches that are likely to result in serious harm.
Organisations should ensure they have appropriate response plans that can be readily applied to comply with these new obligations in the event of an eligible data breach.
WHAT YOU NEED TO DO
Organisations which carry on business in Australia, or which are otherwise bound by the Privacy Act, should take steps promptly to ensure that they are in a position to comply with the Bill when it commences.
Organisations which operate globally or which house data in other jurisdictions such as the UK should also make sure that they understand their obligations under the laws applicable in those jurisdictions.
This is important in order to minimise the risk of data breach liability more generally. Such liability can arise under the laws of negligence, contract, confidentiality and under existing Privacy laws.
What counts as an eligible data breach?
An eligible data breach will occur where (s 26WE*):
- there is unauthorised access to or disclosure of information and a reasonable person would conclude that access or disclosure would be likely to result in serious harm to any of the individuals to whom that information relates; or
- information is lost in circumstances where such unauthorised access or disclosure is likely to occur and a reasonable person would conclude that, assuming such access or disclosure did occur, it would be likely to result in serious harm to any of the individuals to whom that information relates.
This reasonable person test replaces the real risk of serious harm requirement included in the draft Bill. Whether a reasonable person would conclude that a person was likely to suffer serious harm as a result of the breach depends upon a broad range of factors including the nature, sensitivity and protection-level of the information (s 26WG*).
*These are the proposed new section numbers of the Act if amended
What are affected entities required to do?
The Bill places various obligations on entities in response to an eligible breach. These include:
- Assessing whether there are reasonable grounds to believe an eligible data breach has occurred within 30 days of developing a suspicion of such a breach (s 26WH*);
- Once an entity has reasonable grounds to believe there has been an eligible data breach, preparing a statement setting out the contact details of the entity, the nature of the breach and steps it recommends affected individuals take in response (s 26WK*). A copy must also be provided to the OAIC; and
- Taking such steps as are reasonable in the circumstances to notify affected and at risk individuals of the contents of the statement as soon as is practicable. If direct notification is not practicable, the entity must publish the statement on its website and take reasonable steps to publicise its contents (s 26WL*).
The OAIC may also direct an entity to notify affected individuals if it becomes aware that there are reasonable grounds to believe that the entity has suffered an eligible data breach (s 26WR*).
Changes in the EU law in 2018
Similar changes are due to take effect in EU law in May 2018.
As EU law currently stands, there is no legal obligation in the UK to notify a data protection supervisory authority (such as the UK Information Commissioner's Office (ICO)) of a data security breach unless the organisation which has suffered the breach provides electronic communication services to the public (eg a telecoms or internet service provider). If it does, the service provider must notify the supervisory authority within 24 hours of becoming aware of the breach and, if the breach is likely to adversely affect individuals, must also notify those individuals without delay.
If the organisation is not an electronic communications services provider, there is no legislative requirement to inform the relevant supervisory authority, but most regulators (including the ICO) advise notifying them if the breach affects a large number of people or has very serious consequences. Self-notification is often a better way of dealing with the risk of regulatory action than failing to notify and having the breach brought to the regulator's attention by an often disgruntled victim.
This position will change when the new General Data Protection Regulation (GDPR) comes into force in the EU in May 2018. In the event of a data security breach, the GDPR requires the organisation whose security has been compromised to notify its relevant supervisory authority without undue delay (and, where feasible, no later than 72 hours after becoming aware of the breach) unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
In addition, where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the organisation is required to communicate details of the breach to the individuals whose data has been compromised without undue delay. The exact meaning of "without undue delay" and "high risk to the rights and freedoms of individuals" is yet to be clarified, whether by guidance from the various regulatory authorities involved or by court decisions, but it is likely that both will be read restrictively, meaning that most data breaches will need to be notified.
It is unclear how the regulatory authorities will deal with the increased workloads that are likely to result from higher levels of notification, given that their offices already struggle with a lack of resources. The fear among businesses is that those authorities which are required to fund their activities from the fines they impose will find it necessary to increase the number and level of fines imposed.
For further information, please contact:
Sophie Dawson, Partner, Ashurst
sophie.dawson@ashurst.com