“Once more unto the Breach”: Review of the Eligible Data Breach Scheme

New legislation requires entities with an annual turnover of $3 million or more, or who provide health services or store health records, to take positive steps to determine whether a data breach has or may have occurred, and in certain circumstances, to notify affected individuals.

1. The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth.) (NDB Act) as implemented under Pt IIIC of the Privacy Act 1988 (Cth.) (Privacy Act) establishes a regulatory scheme (NDB Scheme) to which all “APP entities” (entities) are now subjected.

To whom does it apply?

2. It is first necessary to clarify who exactly is an APP entity. An APP entity is defined as an “agency or organisation”. This includes an individual, body corporate, partnership, a trust or any other unincorporated association. This does not include a small business operator with an annual turnover of less than $3 million, unless the business provides health services and stores health records.

3. The NDB Scheme, which came into effect on 22 February 2018, places duties upon APP entities (entities) in relation to the handling of personal information of individuals. In essence, if a data breach is likely to result in serious harm to an individual, an entity is obliged to notify the affected individuals as well as the Office of the Australian Information Commissioner (OAIC).

Notable changes under the scheme

i) Notification obligation

4. Where an entity has reasonable grounds to believe that there has been an “eligible data breach”, it must prepare and provide a statement to the OAIC, as well as notify each individual to whom the relevant information relates. What constitutes an eligible data breach is discussed below.

ii) Circumstances where there is an “eligible data breach”

5. Section 26WE of the Privacy Act provides the circumstances for when an “eligible data breach” occurs. A breach will arise in the following circumstances:

5.1 if there is unauthorised access to or disclosure of personal information; or

5.2 the information is lost in circumstances where it is likely that unauthorised access or disclosure of personal information will occur; and

5.3 a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

iii) When Notification not necessary: merely “suspecting” a breach

6. The obligation to notify does not arise if an entity has merely reasonable grounds to “suspect” that an eligible data breach has occurred.

7. However, if an entity suspects an eligible data breach has occurred, then within 30 days it must undertake an assessment of whether, considering the circumstances there are reasonable grounds to “believe” that an eligible data breach has occurred.

iv) When is there a “serious likelihood of harm”?

8. What constitutes “serious harm” is not defined within the Act. The Explanatory Memorandum suggests this could include the following:

8.1 serious physical, psychological, emotional, economic and financial harm; and

8.2 serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.

9. The Explanatory Memorandum continues by suggesting that an individual suffering mere distress or embarrassment is not enough to constitute serious harm.

10. The Explanatory Memorandum refers to the element of “likelihood” as intending to provide clarity and ensure that not every data breach is subject to the notification requirement.

v) Exceptions: “Remedial Action”

11. Provided a series of factors are adhered to, section 26WF offers an exception to the privacy breaches and corresponding notification obligations.

12. The relevant factors are as follows:

12.1 the access or disclosure of information is covered by s 26WE(2)(a); and

12.2 the entity must take action in relation to the access or disclosure; and

12.3 the entity takes this action before the access or disclosure results in serious harm to any of the individuals to whom the information relates; and

12.4 as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to those individuals.

vi) Other Exceptions

13. Other exceptions under the NDB Scheme include:

13.1 if notification would be inconsistent with other security provisions (s 26WP);

13.2 if it would prejudice an enforcement related activity (s 26WN); and

13.3 if the breach affects multiple entities and one of the other affected entities has already given notice of the breach in accordance with the requirements (s 26WM).

vii) Penalties for breach

14. If an entity fails to inform OAIC of an eligible data breach it will be considered an “interference with the privacy of an individual”. This will activate the Privacy Act’s enforcement and Civil Penalty framework opening up a range of remedies including the uncapped facility for monetary compensation under s 52(1)(b)(iii).

RECOMMENDED RESPONSE TO DATA BREACH

15. Outlined below is a proposed response that an APP entity should take following a data breach. The response is drawn from the recommendations by the Office of the Australian Information Commissioner.

Step 1: General obligation of entities

APP entities have an ongoing obligation to take reasonable steps to handle personal information. This includes protecting personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Step 2: Is there a suspected or known data breach?

A data breach is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds.

Step 3: Contain

An entity’s first step should be to contain a suspected or known breach where possible. This means taking immediate steps to limit any further access or distribution of the affected personal information, or the possible compromise of other information.

Step 4: Assess

4.1 If breach “likely” to result in serious harm

Consider whether the data breach is likely to result in serious harm to any of the individuals whose information was involved. If the entity has reasonable grounds to believe this is the case, then it must notify affected individuals, and inform them of the contents of this statement. There are three options for notifying:

Where serious harm is likely, an entity must prepare a statement for the Commissioner that contains:

The entity’s identity, contact details and description of the breach; and
The kind/s of information concerned; and
Recommended steps for the individuals affected.

4.2 If merely “suspected” to result in serious harm

If it only has grounds to suspect that this is the case, then it must conduct an assessment process. Organisations can develop their own procedures or conducting an assessment. A three-stage process is recommended by the OAIC. This includes:

1. Initiate: plan the assessment and assign a team or person to undertake the task;
2. Investigate: gather relevant information about the incident to determine what has occurred;
3. Evaluate: make an evidence-based decision about whether serious harm is likely, and document the determination within 30 days.

Entities should review the incident and take action to prevent future breaches. This may include:

Fully investigating the cause of the breach
Developing a prevention plan
Conducting audits to ensure the plan is implemented
Updating security/response plan
Considering changes to policies and procedures
Revising staff training practices

Entities should also consider reporting the incident to other relevant bodies, such as:

Police or law enforcement
ASIC, APRA, or the ATO
The Australian Cyber Security Centre

Step 5: Remedial action

As part of the assessment, entities should consider whether remedial action is possible. For example, where possible, an entity should take steps to reduce any potential harm to individuals.

This might involve taking action to recover lost information before it is accessed or changing access controls on compromised customer accounts before unauthorised transaction can occur. If remedial action is successful in making harm no longer likely, then notification is not required.