Is online still driven by trust?

What drives the internet and life online: technology or trust? Would you transact or interact online without trusting that your credit card details, personal information (such as family and social information) or sensitive information (health, race, etc.) would not be misused or handled insecurely? If you answered yes, perhaps the internet is now so ingrained in your daily life that it is too difficult to extricate yourself from it.

It is easier to build trust when you do not have to report breaches of data. Until the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (NDB Act) commenced on 22 February 2018, Australia's mandatory data breach notification laws were limited.

Australian Government tops the charts in voluntary data breach reporting

Despite this, the Office of the Australian Information Commissioner (OAIC) still received 107 voluntary breach notifications in 2015-2016, with the Australian Government leading the way. This is surprising; surely government is the one sector we would expect to take the utmost care to store personal information safely and securely.

Or perhaps the Government was simply acting as a good citizen, reporting breaches that others might have swept under the carpet. If so, the Notifiable Data Breaches Act now puts pressure on those others to also do the right thing.

The new Act amends the Privacy Act 1988 (Cth) (Privacy Act) to introduce Part IIIC, the Notifiable Data Breaches Scheme. The Scheme applies to the agencies and organisations covered by the Privacy Act and requires them to notify affected individuals, and the Australian Information Commissioner, when a data breach is likely to result in serious harm to an individual.

What about the NSW Public Sector's Data Breach obligations?

Generally, NSW public sector agencies are not regulated by the Privacy Act. However, given the expectation on such agencies to act as model citizens, they should take note of the Notifiable Data Breaches Scheme.

What's more, NSW public sector agencies (including local government agencies) must notify data breaches pursuant to:

  • the Privacy (Tax File Number) Rule 2015, issued under section 17 of the Privacy Act, where tax file number information is involved
  • the Data Sharing (Government Sector) Act 2015 (NSW), which obliges an agency that receives personal or health information to inform the data provider and the NSW Privacy Commissioner as soon as practicable of a breach (that is, when the agency becomes aware that a breach of privacy legislation has occurred or is likely to have occurred)
  • the General Data Protection Regulation (GDPR), which applies from 25 May 2018 to any organisation offering goods or services to, or monitoring the behaviour of, individuals in the European Union, and which requires a personal data breach to be reported to the relevant supervisory authority, where feasible within 72 hours of the organisation becoming aware of it.

So what are the requirements under the Notifiable Data Breaches Scheme?

A data breach occurs when personal information, such as a tax file number (TFN), is subject to unauthorised access or disclosure, or is lost in circumstances where unauthorised access or disclosure is likely to occur. The breach becomes notifiable if it is likely to result in serious harm to any individual to whom the information relates.

The Privacy Act does not define "serious harm". According to the Australian Privacy Commissioner's guidance, it may include serious physical, psychological, emotional, financial or reputational harm.

The OAIC's guidance on the Scheme recommends four steps when responding to a data breach. They are:

  1. contain the breach
  2. evaluate and mitigate the risks
  3. notify and communicate
  4. prevent future breaches.

In future articles we will examine the requirements of the Scheme in more detail.

Trust and Open Government

"Good government, sound policy and just decision-making demand that information is collected, stored, managed, used and disclosed wisely and appropriately. Every decision and every activity of government uses information. Each year the amount of information held by government grows, and at a faster pace." ('Towards an Australian Government Information Policy', Issues Paper 1, Office of the Australian Information Commissioner, November 2010.)

As a culture of data breach disclosure (whether mandatory or voluntary) sets in, the NSW public sector's response will be closely watched and may set the scene for open government.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.