The Privacy Amendment (Privacy Alerts) Bill 2013 was introduced into Parliament on 29 May 2013. Following the recommendation of the Senate Committee report tabled on 24 June, it appears that Parliament intends to pass the Bill before the winter break, despite concerns from industry about the Bill and the rushed consultation process. If passed, the Bill introduces mandatory data breach notification provisions for agencies and organisations (entities) that are regulated by the Privacy Act 1988 (Privacy Act), and it will commence on the same day that the operative provisions of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 commence (12 March 2014).
From 12 March 2014, failure to comply with the mandatory breach reporting regime may result in enforcement action by the Privacy Commissioner. The Commissioner may, among other things, conduct investigations, make determinations and obtain enforceable undertakings from an entity. In situations of serious or repeated non-compliance, the Privacy Commissioner may also apply for civil penalties of up to AUD1.7 million for corporations and AUD340,000 for individuals. Once breach reporting is a compulsory requirement, data breaches will potentially affect your reputation and brand name.
What is Mandatory Breach Reporting?
Under the mandatory data breach notification framework, an entity must notify the Australian Information Commissioner and individuals (or in some circumstances the general public by publication on its website and a newspaper circulating in each state) of serious data breaches that significantly affect an individual as soon as practicable.
What is a Serious Data Breach?
A serious data breach includes the unauthorised access to or disclosure of personal information that will result in a real risk of serious harm to the individual that the personal information relates to. A prominent example is an entity's systems being hacked into, but a serious data breach may also arise from inadvertent disclosures of personal information, for example through lost or stolen electronic devices such as laptops or mobile phones, removable storage devices, or paper records containing personal information. Minor data breaches, however, will not need to be reported.
In addition, future regulations may stipulate other circumstances that may constitute a serious data breach.
What is Serious Harm?
Serious harm may include physical and psychological harm to an individual as well as injury to feelings, humiliation, harm to reputation and financial or economic harm [1]. Prior to reporting, entities need to assess whether the risk of harm is real and not too remote.
Notice to Commissioner and Individuals
The Bill will make it compulsory to report serious data breaches to the Privacy Commissioner and affected individuals. The notice provided to the Australian Information Commissioner and individuals must include the following information:
the identity and contact details of the entity
a description of the serious data breach that the entity believes has happened
the kinds of information concerned
recommendations about the steps that individuals should take in response to the serious data breach
any additional information specified by regulations.
Rationale for Mandatory Breach Reporting
Data breach notification allows individuals that have been affected by a breach to take steps to reduce the impact of data breaches, for example, by changing passwords or notifying their financial institutions.
Currently, entities may report data breaches to the Australian Information Commissioner and affected individuals voluntarily under the voluntary breach reporting framework. The Australian Information Commissioner has issued a guide (Data breach notification: A guide to handling personal information security breaches) in relation to this. However, there is currently no requirement under the Privacy Act to notify the Australian Information Commissioner or any other individual in the event of a data breach. In the 2011-2012 financial year, under the current voluntary breach reporting framework, 46 data breaches were reported. This represents a decrease of 18% [2] from the previous financial year, despite a general belief that breach incidents are increasing, entities are holding larger amounts of personal information and hacking incidents are increasing [3].
What Should You Do?
You should ensure that you are prepared for mandatory breach reporting by taking the steps below.
Creating a breach reporting policy. The policy should include processes for identifying data breaches, timeframes for actioning privacy breach responses, and notification procedures.
Training appropriate staff. Staff should be trained in identifying data breaches, reducing the impact of data breaches and reporting data breaches.
Identifying risks. It may also be prudent to identify any potential risks and vulnerabilities to data breaches within your business.