Notifiable data breaches: Your new obligations
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) will take effect on 22 February 2018. The Act places new obligations on “APP entities” to manage an actual or suspected data breach in accordance with new rules which give greater assurance to individuals as to the confidential status of their personal data.
What is an APP entity?
An APP entity is one that is covered by the Privacy Act 1988 (Cth), and is therefore required to comply with the Australian Privacy Principles (the APPs).
An APP entity is defined in the Privacy Act 1988 (Cth) as “an agency or organisation”. Broadly speaking, an “agency” is a reference to a Government agency, while an “organisation” may be any of:
- an individual;
- a body corporate;
- a partnership;
- any other unincorporated association; or
- a trust.
However, if the entity that would otherwise be an organisation is a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory, then they are not included within the definition of an “organisation”.
A “small business operator” is an individual, body corporate, partnership, unincorporated association or trust that carries on one or more small businesses, and does not carry on a business that is not a small business. A business is a “small business” at any given time if its annual turnover in the previous financial year was $3 million or less.
However, if the entity that would otherwise be a “small business operator”:
- provides a health service to another individual and holds any health information except in an employee record;
- discloses or collects personal information in exchange for a benefit, service or advantage;
- is a contracted service provider for a Commonwealth contract; or
- is a credit reporting body,
then the entity is not a “small business operator”.
In summary, an APP entity is usually a business that has an annual turnover greater than $3 million.
What are the new obligations on APP entities?
As of 22 February 2018, APP entities may be required to notify individuals who may be affected by a data breach or the potential exposure of their data (for example, where data is lost). Additionally, APP entities who experience a data breach may be required to notify the Office of the Australian Information Commissioner.
Not all data breaches are “eligible data breaches” that require notification, however. An “eligible data breach” occurs when there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity, and the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
An entity must give a notification if it has reasonable grounds to believe that an “eligible data breach” has happened, or if it is directed to do so by the Commissioner.
What is “serious harm”?
In determining whether access to, or disclosure of, information would be likely to result in “serious harm” to any of the individuals to whom the information relates, any relevant matters can be considered. However, the following matters should be considered specifically:
- the kind or kinds of information;
- the sensitivity of the information;
- whether the information is protected by one or more security measures;
- how any security measures could be overcome (including by whom); and
- the nature of the harm.
In this context, “serious harm” is more likely to occur where, for example, a database has been hacked, or an employee has leaked sensitive data to an unauthorised party. It would probably not ordinarily include one employee of a business accidentally emailing a customer contact list to another employee.
What if you’re not sure whether there has been an “eligible data breach”?
If an APP entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach, but is not yet aware of reasonable grounds to believe that the relevant circumstances amount to an eligible data breach, then the APP entity must carry out a reasonable and expeditious assessment, within 30 days, of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the APP entity.
Are there any exceptions?
An APP entity is not required to take steps to notify the individual of the contents of a statement that relates to the access or disclosure if:
- an eligible data breach occurs; and
- the APP entity takes action in relation to the access or disclosure before the access or disclosure results in serious harm to a particular individual to whom the information relates; and
- as a result of the action a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to the individual.
What steps must be taken if there is an “eligible data breach”?
If there is an eligible data breach, the APP entity must prepare a statement that sets out the identity and contact details of the APP entity, describes the data breach that there are reasonable grounds to believe happened, sets out the kind of information concerned, and recommends steps that individuals should take in response.
If the APP entity has reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach is an eligible data breach of one or more other entities, the statement may also set out the identity and contact details of those other entities.
The APP entity must provide a copy of the statement above to the Office of the Australian Information Commissioner as soon as practicable after the APP entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach of the APP entity.
If it is practicable for the APP entity to notify the contents of the statement to each of the individuals to whom the relevant information relates or who are at risk from the eligible data breach, the APP entity must take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals at risk or to whom the relevant information relates.
If it is not practicable to notify the contents of the statement to each of the individuals as set out above, the APP entity must publish a copy of the statement on the APP entity’s website (if any), and take reasonable steps to publicise the contents of the statement.