On 29 May the Privacy Amendment (Privacy Alerts) Bill 2013 (Mandatory Data Breach Bill) was introduced into the Australian Parliament. With bipartisan support it could be passed into law by July 2013 with the measures to take effect from March 2014, when a number of other important changes are made to Australia's privacy laws.
This Mandatory Data Breach Bill would require a mandatory notification of a data breach if there was a "real risk of serious harm" to the individual (including reputational, economic or financial harm) to whom the personal information relates. A statement describing the breach, the kind of information involved and recommendations about the steps individuals should take in response to the breach must be prepared and provided to the Privacy Commissioner and affected individuals.
This Mandatory Data Breach Bill, if passed into law, will see Australia catch up to most US states that already have mandatory data breach notification. It is interesting that in the US, a significant number of privacy based class actions have been launched in recent years over privacy breaches, arguably triggered by the breach notification process. European countries also have mandatory breach notification provisions and there is talk in New Zealand of an imminent introduction of a similar scheme.
Mandatory notification of a breach will also tend to reveal failures to comply with the new Australian Privacy Principles including, for example, new APP 11 which takes effect from March 2014. APP 11 requires an agency to take reasonable steps to protect the personal information it holds from interference, in addition to misuse and loss, and unauthorised access, modification and disclosure.
On 29 April 2013, the Office of the Australian Information Commissioner (OAIC) released its 'Guide to Information Security: Reasonable steps to protect personal information' (the OAIC Guide). At the time, Privacy Commissioner Timothy Pilgrim said: "[B]usinesses cannot ignore the need to take steps to protect the personal information of their customers or clients. This is critical to meet the current requirements of the Privacy Act 1988 as well as new requirements due to commence in less than 12 months."
In determining which security measures are considered 'reasonable steps', organisations must consider the nature and quantity of the personal data held, the nature of the organisation itself, the potential consequences of failing to secure the data, their data handling practices, and the ease of implementation of the security measure.
From the OAIC Guide it is apparent that the OAIC will require that:
"Entities should design their information security measures with the aim to:
- prevent the misuse, loss or inappropriate accessing, modification or disclosure of personal information;
- detect privacy breaches promptly;
- be ready to respond to potential privacy breaches in a timely and appropriate manner."
"Entities should consider using relevant international and Australian standards on information security to inform their risk based assessments of threats and vulnerabilities. Specific examples include the AS/NZS ISO 27000 series of information security management systems standards and the AS/NZS ISO 31000 of risk management standards."
How many Australian companies outside the largest 50 or so would be comfortable with a privacy investigation by the OAIC based even on these basic requirements?
This is a topical issue, particularly with the ever increasing move towards outsourcing to the cloud. Do cloud contracts promise enough to allow organisations using cloud services to comply with privacy laws? See our white paper touching on this topic – referred to here: http://www.itnews.com.au/News/335616,itnews-dissects-cloud-contracts-2013.aspx
Arguably the increased regulatory focus and increasing obligations of Australian companies in relation to personal information represent a significant opportunity for cloud providers to step in and outsource some of the security functions for Australian companies. It seems likely the largest cloud providers can deal with security of data in a more comprehensive manner than all but the largest of our corporations.
McAfee Australia Pty Ltd's "State of Privacy Awareness in Australian Organisations" commissioned survey from April 2013 reveals Australian organisations are failing to adequately protect personally identifiable information of customers in the lead up to the significant changes to the Australian Privacy Act next year. The survey found that with less than 10 months until the November 2012 changes to the Act enter into effect, 59% of employees responsible for managing the personal information of customers were unaware or unsure of these changes. The research also showed that 21% of Australian organisations admitted to having experienced a data breach.
Australian businesses need to come to terms with the fast moving pace of privacy laws and regulations, which are continuing to strengthen as the level of data held on individuals and its commercial importance escalates. The Privacy Amendment (Enhancing Privacy Protection) Act 2012, passed through the Australian Parliament on 29 November 2012, and will take effect in March 2014. (See our earlier summary of these changes at: http://www.shelstonip.com/news_story.asp?m=12&y=2012&nsid=249) From March 2014, the Australian Privacy Commissioner will have increased powers to:
- enforce (through the Courts) civil penalty orders of up to AU $370,000 for individuals and up to AU $1.7 million for companies that breach Australian privacy laws;
- conduct 'own motion investigations' when organisations are suspected of non-compliance (even without an official complaint);
- agree 'enforceable undertakings' with organisations to develop and document a privacy compliance program that adheres to the Australian Privacy Principles and provides adequate privacy complaint handling mechanisms.
Now is the time for businesses to ensure that they have strong, compliant, privacy policies and procedures in place and mechanisms for regular review and update. Privacy is not going away, and can in fact provide a competitive advantage well worth investing in.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.