The Commonwealth Government Attorney General's Department has recently released an exposure draft in relation to the increasing cyber risks around online database storage of personal information in electronic form. It proposes the introduction of changes to the Privacy Act 1988 (Cth) ('Privacy Act') to impose mandatory obligations on Australian government agencies and private sector organisations (collectively, "APP entities") to report serious breaches of personal information.

Background to the Amendment:

Australian Privacy Principle ("APP") 11 already requires APP entities to take reasonable steps to protect personal information from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. Where the personal information is stored online or in digital form, this principle could involve measures such as encryption and secure online portals to protect personal information. APP 11, however, does not specifically address circumstances where, despite the security measures, the personal information is hacked, leaked or otherwise divulged. Individuals to whom the information pertains may therefore remain unaware that their personal information has been compromised even though it was secured under APP 11.

Notification of Serious Data Breaches:

The proposed changes will set up a regime for mandatory reporting of serious data breaches. Credit reporting bodies holding credit reporting information and credit providers holding credit eligibility information under Sections 21Q and 21S of the Privacy Act would also be affected by the proposed changes, even though these entities are presently excused from following APP 11 in relation to credit information. The principal reporting obligation will apply when an APP entity becomes aware, or ought reasonably to be aware, that there are reasonable grounds to believe that there has been a serious data breach of personal information held by the entity. In these circumstances, the entity must respond by preparing a statement that sets out:

  1. its identity and contact details;
  2. a description of the serious data breach that the entity has reasonable grounds to believe has happened;
  3. the kind of information concerned; and
  4. recommendations about steps that individuals should take in response to the serious data breach that the entity has reasonable grounds to believe has happened.

This statement must be notified to each of the individuals that the relevant information concerns.

When does a serious breach occur?

The definition of "serious data breach" is comprised of three distinct circumstances which are:

  1. unauthorised access or unauthorised disclosure of the information which will result in a real risk of serious harm to any of the individuals to whom the information relates;
  2. loss of information in circumstances where there has been unauthorised access to or unauthorised disclosure of the information and the access or disclosure of the information would result in a real risk of serious harm to any of the individuals to whom the information relates; or
  3. loss of information in circumstances where unauthorised access or unauthorised disclosure of the information may occur.

In determining whether or not there is a real risk of serious harm to an individual, a number of considerations will be relevant, including: the nature, sensitivity and form of the information (particularly whether the information is intelligible or can be converted to intelligible form), whether the information is protected by security measures, the nature of the harm, the likely nature of the steps that the entity can take in response to the breach, and the extent to which those steps may mitigate the harm.

Implications

More public discussions, consultation and submissions are necessary and the Privacy Commissioner needs to provide further interpretive guidance on the meaning of the proposed changes.

It is notable, for instance, that entities do not need to hold off a response until they can establish a serious data breach; reasonable grounds to believe that a serious data breach has occurred will suffice.

Further, the response timeframe is "as soon as practicable", which will allow an entity to carry out a reasonable assessment of whether there are reasonable grounds to believe in the relevant circumstances that a serious data breach has or may have occurred. The assessment, however, should be carried out within 30 days after the entity becomes aware, or ought reasonably to become aware, of the serious data breach. This 30-day interval can allow for a proper assessment of the data breach, which may be found not to be a serious data breach, in which case the reporting obligations may not apply.

Perhaps the most interesting and critical feature of the proposed amendments will be in relation to determining the seriousness of the data breach. As discussed above, the relevant matters include: the nature of the harm of the data breach, the sensitivity of the information and the remoteness of the risk of harm of the data breach. Accordingly, for an entity monitoring for a serious data breach, neither the remoteness of the risk nor the foreseeability of how the disclosure or release of the information could impact the individual to whom the information pertains will always be apparent. The changes could result in a broad scope, with entities electing to construe more breaches as serious data breaches rather than non-serious data breaches.

It will be interesting to see in the coming months how the proposed amendments develop and the final form which they may take in addressing these important concerns about data breaches and how individuals are to be kept aware of the status of the personal information kept by APP entities.
