Under proposed new laws that were recently released, entities subject to the Privacy Act 1988 (Cth) (Privacy Act) will be required to notify affected individuals and the Privacy Commissioner if there are reasonable grounds to believe a serious data breach has occurred.
On 3 December 2015, the Attorney-General's Department released a package of documents, including its exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (the Bill), for consultation.
Previously the Commonwealth Government had stated that it would introduce the Bill into Parliament before the end of 2015. However, in a welcome move, the Government released an exposure draft for consultation rather than attempting to rush legislation through Parliament to meet its self-imposed deadline.
Overview of the proposed changes
If passed, the Bill will introduce a new Part into the Privacy Act, setting out a mandatory notification regime. The key aspects of the proposed regime are:
The general rule under the Bill requires entities subject to the Privacy Act to disclose a serious data breach to the individual and the Privacy Commissioner, if there are reasonable grounds to believe a serious data breach has occurred.
Notification if there is a serious data breach
A "serious data breach" is deemed to have occurred if:
- personal information about one or more individuals
- has been subject to unauthorised access or unauthorised disclosure, or
- is lost in circumstances likely to give rise to unauthorised access or unauthorised disclosure, and
- there is a real risk of serious harm to the individual as a result of the data breach.
To constitute a "real risk of serious harm", the risk must be real, that is, not just remote. Harm is defined broadly and includes physical, psychological, emotional, economic and financial harm as well as harm to reputation.
The notification obligation is triggered if there are reasonable grounds to believe...
The obligation is to notify the Privacy Commissioner and the individuals affected when the entity is aware, or ought reasonably to have been aware, that there are reasonable grounds to believe there has been a serious data breach.
The notification must be given as soon as practicable after the entity is aware, or ought reasonably to have been aware, of those grounds and must include:
- the identity and contact details of the entity
- a description of the serious data breach
- the kinds of information concerned, and
- recommendations about the steps the individuals should take in response.
Privacy Commissioner's power to direct a notification
The Bill provides the Privacy Commissioner with the power to issue a written direction to the entity, requiring it to provide notification if the Privacy Commissioner believes that a serious data breach has occurred and that no notification has been given by the entity.
Failure to comply
If an entity fails to comply with the obligations imposed by the Bill, it will be deemed to have interfered with the privacy of an individual for the purposes of the Privacy Act. Accordingly, the Privacy Commissioner:
- may use his or her existing powers to investigate, make determinations and provide remedies for non-compliance with the Privacy Act, and
- has the capacity to undertake Commissioner-initiated investigations, make determinations, seek enforceable undertakings and pursue civil penalties for serious or repeated interferences with privacy.
The stated reasoning behind this approach is that it will permit the use of less severe sanctions—including public or personal apologies, compensation payments or enforceable undertakings—before elevating sanctions to a civil penalty, which is applicable where there has been a serious or repeated non-compliance with mandatory notification requirements.
The Bill proposes several exemptions from the mandatory notification regime:
- entities exempt from the operation of the Privacy Act
- law enforcement bodies will not be required to notify affected individuals if compliance with this requirement would be likely to prejudice law enforcement activities
- if compliance would be inconsistent with another law of the Commonwealth that regulates the use or disclosure of information
- if the serious data breach falls under the mandatory data breach notification requirement in s 75 of the My Health Records Act 2012, or
- if, after becoming aware that there are reasonable grounds to believe a serious data breach has occurred, the entity subsequently carries out a reasonable assessment of the circumstances within 30 days and finds that there are no reasonable grounds to believe a serious data breach occurred.
There is also provision for the Commissioner to exempt an entity from providing notification of a serious data breach where the Commissioner is satisfied that it is in the public interest to do so.
Consultation on the exposure draft of the Bill is open until 4 March 2016. Agencies likely to be affected should consider the proposed mandatory notification scheme to determine its impact and, if appropriate, make submissions by the closing date.