It's easier to keep calm and respond properly to a privacy breach if you remember some commonsense points at every step of your response.
Privacy breaches by major organisations are increasingly reported in mainstream media, resulting in growing public awareness and concern about privacy and information security issues.
The Commonwealth Government's recent Discussion Paper on privacy breach notification reflects a growing public expectation that organisations will hold information securely, and if a breach were to occur, that organisations will act promptly to rectify the breach and minimise any harm to affected individuals.
Increasingly, the manner in which an organisation deals with a privacy breach is just as important as any security measures put in place to prevent the breach. In addition to adverse reputational consequences, a failure to properly contain and manage a privacy breach can also result in intervention by the Privacy Commissioner.
The Office of the Australian Information Commissioner's 2012 Guide to handling personal information security breaches provides useful guidance for entities on how to handle such breaches. The Guide sets out the four steps for responding to privacy breaches:
- Step 1 – Contain the breach and do a preliminary assessment
- Step 2 – Evaluate the risks associated with the breach
- Step 3 – Notification
- Step 4 – Prevent future breaches.
The Guide helpfully deals with each of the four steps in a comprehensive manner.
When considering how to prepare for a personal information privacy breach, and when implementing the four steps upon being confronted with one, there are some commonsense tips you should consider to ensure your response is as comprehensive (and calm) as possible.
The need to work quickly and consistently
The critical issue in effective personal information privacy breach management is the need for a timely and consistent response. The longer a breach goes undetected and/or uncontained, the greater the opportunity for misuse of personal information.
Your organisation should, as part of its personal information management processes and systems, have a contingency plan for dealing with breaches and an officer nominated within the organisation with responsibility for breach containment so as to increase the consistency of your organisation's response. He or she should know the circumstances in which it may be appropriate to notify the Privacy Commissioner and/or the people whose information is affected.
Privacy issues are often first identified as a result of contact by an external party. External contact can be in the form of a query (or a complaint) about how an entity handles personal information. Certainly, queries can quickly escalate into complaints if they are not dealt with appropriately and in a timely manner. Further, if individuals believe that their query or complaint has not been dealt with satisfactorily by the entity, there is a greater likelihood that they will take their complaint directly to the regulator to compel a response.
When responding to any external query or complaint, it is also important to identify any underlying information handling or privacy issues so that these can be investigated and (if need be) addressed as part of the overall response to the external party.
Determine the nature of the information affected and the possible privacy breach with specificity
The Privacy Act 1988 (Cth) places obligations on entities in relation to the handling of "personal information" (as defined in the Act), including its collection, storage, use and disclosure.
When investigating a potential breach, entities should firstly determine, with specificity, the nature of the information affected and what is alleged to have gone wrong. If the affected information is not considered "personal information" for the purposes of the Privacy Act, there may be an information handling issue which is not privacy related. Equally, care should be taken to establish the use the organisation was permitted to make of the relevant information and/or the circumstances in which it could be disclosed.
Manage public perceptions
In many instances, public perceptions of "privacy" do not align with the legal obligations arising for organisations under the Privacy Act. Even if an information management issue does not technically result in a breach of the Privacy Act, organisations should consider what actions are appropriate to protect their reputation and ensure effective stakeholder management.
Depending on the size and seriousness of any privacy breach, your organisation may need to work with the media and/or set up a team of people to manage contact with the public and those whose information is affected.
Be aware of related Privacy Act breaches
Most reported instances of personal information privacy breaches involve the alleged unauthorised use or disclosure of personal information, or the failure to take reasonable steps to protect personal information. Few people complain that their information has been collected inappropriately.
However, the Privacy Act regulates not only the use and disclosure of personal information but also other aspects of an entity's personal information-handling activities, such as the collection and storage of personal information, access to it, and maintaining its currency. When an unauthorised use or disclosure of personal information is alleged to have occurred, an organisation should look back at all aspects of its information management process in relation to the subject information to assess whether there are any related privacy breaches.
For example, the personal information handling practices which gave rise to an unauthorised use or disclosure of information may also involve:
- the collection of personal information not necessary for an entity's functions or activities; and
- inconsistencies between the entity's personal information handling practices and its privacy statements or policies.
When carrying out step 4 "Preventing future breaches", entities should be mindful of any related breaches so that any preventative measures implemented by the entity can also address them.
Keep the Privacy Commissioner's powers in mind
The Privacy Commissioner is currently able to receive complaints from individuals and investigate possible breaches of the Privacy Act. In certain circumstances, the Privacy Commissioner is able to commence an investigation on his own motion without having first received a complaint.
When dealing with complaints, the Privacy Commissioner can investigate the complaint and attempt to resolve the complaint by conciliation between the parties.
At the conclusion of an investigation, the Privacy Commissioner has the power to determine if the Privacy Act has been breached. Where a breach has been found, the Privacy Commissioner can make determinations regarding compensation or other remedies which can be enforced by the Federal Court or the Federal Magistrates Court. In some instances, the Privacy Commissioner may publish the outcomes of its investigations.
With increasing media scrutiny and rising public expectations in relation to personal information handling practices, it is important that entities are able to promptly and appropriately respond to any actual and potential privacy breaches. Entities which fail to do so run the risk of regulatory intervention and adverse reputational impacts.
The key to successful management of a privacy breach is to adopt a timely, systematic and logical approach to investigating and rectifying the breach, and preventing further breaches.
In light of the renewed scrutiny of Australian privacy law, we suggest that it is timely for entities to consider reviewing their privacy breach response arrangements and ensure they are able to implement them should the need arise.
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.