Information commissioner Timothy Pilgrim is pleased that a mandatory data breach notification clause has finally been inserted into the federal Privacy Act, and is beginning a 12-month awareness campaign for organisations covered by the new regime.
In 2015-16, 107 voluntary data breach notifications crossed Pilgrim’s desk, with more coming from Commonwealth government bodies than any other sector.
The standard for when organisations covered by the act will have to come clean about unauthorised access, disclosure or loss of personal information to the victims and the commissioner rests on what the consequences could be. According to the explanatory memo:
“A data breach is an eligible data breach where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure (assuming, in the case of loss of information, that the access or disclosure occurred).”
If too much of one’s personal information gets out into public, the chance of serious harm is fairly high and getting higher. Once it’s happened, prompt notification is the best way to reduce that risk. The official explanation states:
“Serious harm, in this context, could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.
“Though individuals may be distressed or otherwise upset at an unauthorised access to or unauthorised disclosure or loss of their personal information, this would not itself be sufficient to require notification unless a reasonable person in the entity’s position would consider that the likely consequences for those individuals would constitute a form of serious harm.”
The EM says serious emotional, psychological and reputational harm that does meet the standard is envisaged to be most likely in cases relating to health data, or some other especially sensitive information.
Organisations often fail to disclose data breaches fearing reputational damage, as the news is almost certain to become public, but Pilgrim does not agree with that view. He says mandatory notification will in fact “strengthen community trust in businesses and agencies” as well as protect Australians from a serious risk.
The legislation recognises other reasons not to disclose “minor breaches” — like the administrative burden and the chance of overwhelming the public with constant alarm bells, leading to “notification fatigue” — as more legitimate issues. Quick “remedial action” that eliminates the risk also takes away the need to make a disclosure.
Notifications have to be made as soon as practicable, provide name and contact details of the entity, describe the breach as well as the type of information involved, and advise the affected parties on steps to protect themselves. If a breach of one organisation technically gives rise to notifiable breaches of partners through outsourcing, shared services or joint ventures, there is a provision for one notification to cover all affected entities.
States, local governments and territories aren’t covered by the Privacy Act and the rules won’t apply to organisations with existing exemptions, like intelligence agencies and small businesses, either. Any “law enforcement bodies” just have to claim a notification would “prejudice law enforcement activities” to keep data breaches secret, and the EM suggests other public service bodies may also be able to find different excuses in their own legislation:
“If compliance would be inconsistent with another law of the Commonwealth that regulates the use or disclosure of information, an entity will be exempt to the extent of the inconsistency. If compliance would be inconsistent with another law of that kind which is prescribed in regulations under the Privacy Act, an entity will be exempt from the notification requirement.”
The commissioner will decide if any further action should be taken following a notification and be able to force organisations to make disclosures, or issue special exemptions under certain circumstances. Pilgrim said in a statement:
“My office will be working closely with agencies and businesses to help prepare for the scheme’s commencement. This will include providing additional guidance over the next 12 months, and events hosted through the OAIC’s Privacy Professionals Network.
“In the meantime, agencies and businesses should continue to take reasonable steps to make sure personal information is held securely – including being equipped with a clear response plan in the event of a data breach.”
The current “best practice model” defined by the Office of the Australian Information Commissioner’s guidelines on data breach notifications and developing a data breach response plan will soon be updated before the mandatory notification law takes effect. The OAIC also has a basic guide to keeping personal information safe.