The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (Act) amends the Privacy Act 1988 (Cth) (Privacy Act) to introduce mandatory data breach notification provisions for organisations, agencies and certain other entities that are regulated by the Privacy Act (entities).1

"Mandatory data breach notification" commonly refers to a legal requirement to assess whether an eligible data breach has occurred and, if necessary, provide notice to affected individuals and the Australian Information Commissioner (Commissioner).2

The amendments introduced by the Act are due to take effect on 22 February 2018, unless an earlier date is proclaimed.

What is an "eligible data breach"?

A data breach arises where there is unauthorised access to, or unauthorised disclosure of, certain information about one or more individuals (the affected individuals), or where certain information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.3

For a data breach to be an "eligible" data breach, a reasonable person would need to conclude that the unauthorised access or disclosure (or in the case of loss of information, likely unauthorised access or disclosure) would result in a likely risk of serious harm to any of the affected individuals to whom the information relates.4

When is an affected individual at risk of "serious harm"?

To give rise to an "eligible" data breach, the reasonable person would need to be satisfied that the risk of serious harm occurring is likely, meaning more probable than not.5

The Act does not define the term "serious harm". Instead, the Act provides a list of 'relevant matters' that an entity should consider when determining whether access to or disclosure of information is likely to result in serious harm to an affected individual, as follows:

  • the kind or kinds of information;
  • the sensitivity of the information;
  • whether the information is protected by one or more security measures;
  • if the information is protected by one or more security measures – the likelihood that any of those security measures could be overcome;
  • the persons, or the kinds of persons, who have obtained, or who could obtain, the information;
  • if a security technology or methodology was used in relation to the information and was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information, the likelihood that the persons, or the kinds of persons, who have obtained (or could obtain) the information, and have (or are likely to have) the intention of causing harm to any affected individual to whom the information relates, have obtained (or could obtain) information or knowledge required to circumvent the security technology or methodology;
  • the nature of the harm;
  • any other relevant matters.6

The Explanatory Memorandum to the Act notes that serious harm 'could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity's position would identify as a possible outcome of the data breach. Though individuals may be distressed or otherwise upset at an unauthorised access to or unauthorised disclosure or loss of their personal information, this would not itself be sufficient to require notification unless a reasonable person in the entity's position would consider that the likely consequences for those individuals would constitute a form of serious harm'.7

Requirement to assess suspected eligible data breaches

If a relevant entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach in respect of it and is not aware that there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach, the entity must:

  • carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity; and
  • take all reasonable steps to ensure that the assessment is completed within 30 days after the entity becomes aware of the reasonable grounds to suspect an eligible data breach.8

Requirement to notify the Commissioner

If an entity has reasonable grounds to believe that there has been an eligible data breach and provided that no exceptions to notification (as set out in the Act) apply, the entity must:

  • prepare a statement setting out the contact details of the entity, a description of the eligible data breach, the kind or kinds of information concerned and recommendations about the steps that individuals should take in response to the eligible data breach; and
  • give a copy of the statement to the Commissioner.9

Requirement to notify the affected individual

Where an entity has reasonable grounds to believe that there has been an eligible data breach and is required to provide the Commissioner with a statement, the entity must as soon as practicable after the completion of the preparation of the statement:

  • take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals to whom the relevant information relates; or
  • take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach; or
  • if neither of the above apply, publish a copy of the statement on the entity's website and take reasonable steps to publicise the contents of the statement.10

Failure to comply

Failure to comply with the obligations of the Act will be 'deemed to be an interference with the privacy of the affected individual for the purposes of the Privacy Act'.11 This will allow the Commissioner to use their 'existing powers to investigate, make determinations and provide remedies in relation to the non-compliance with the Privacy Act'.12

Therefore, it is crucial that organisations and entities covered by the Privacy Act and these provisions take appropriate steps now to ensure that they will be able to comply with these requirements when they come into effect.

Footnotes

1 Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) 1.

2 Ibid 2, 6.

3 Ibid 7; Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) s 26WE(2).

4 Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) s 26WE(2).

5 Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) 11.

6 Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) s 26WG.

7 Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) 10.

8 Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) s 26WH.

9 Ibid s 26WK.

10 Ibid s 26WL.

11 Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) 28.

12 Ibid.