The recent data breaches involving Optus and Telstra highlight the potential risks facing businesses and entities that collect and store personal information.

Where entities employ individuals, those entities are required by law to collect and keep various forms of personal information relating to their employees. Such information can include employees' contact information, health information, banking details, and tax file numbers.

For NSW state public sector and local government entities, the obligations relating to the collection, retention, use and disclosure of personal information are set out in the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).

Amongst other things, the PPIP Act:

  • contains protections for individuals' privacy by imposing obligations in respect of the collection, retention, use and disposal of personal information;
  • enables individuals to request access to their personal information held by an entity, and to request amendments to that personal information in certain circumstances, including when that information is inaccurate or no longer required to be held by the entity; and
  • confers regulatory powers upon the NSW Privacy Commissioner, who may receive and investigate privacy-related complaints from the general public.

What is personal information?

Personal information is defined under section 4(1) of the PPIP Act as 'information or an opinion about an individual... whose identity is apparent or can reasonably be ascertained from the information or opinion'. Personal information includes an individual's name, contact/address details, date of birth, sexual orientation, health information and tax file number.

The PPIP Act provides that NSW state public sector and local government entities must not retain personal information any longer than is necessary, and that such personal information must be stored and disposed of securely. The PPIP Act also requires NSW state public sector and local government entities to take reasonable steps to prevent the unauthorised use or disclosure of all personal information in their possession, such as in the case of data breaches.

Data breaches

A data breach occurs when personal information relating to an individual has been lost, disclosed or accessed without that individual's authorisation. Examples of data breaches include where an employer sends an email containing an employee's personal information to the wrong recipient, or where a third party accesses personal information by using an easily guessed password.

Unlike the Privacy Act 1988 (Cth) (Privacy Act), the PPIP Act does not currently require NSW state public sector or local government entities to report data breaches. Nevertheless, the PPIP recommends that entities voluntarily report such data breaches as a matter of best practice.

However, where a data breach involves the disclosure of or access to tax file numbers, such disclosures are subject to the jurisdiction of the Privacy Act. The Privacy Act provides that an entity must report a data breach of Personal Information to both the Australian Privacy Commissioner and all individuals to whom the data relates where the data breach is 'likely to result in serious harm' to the individuals concerned.

What if a data breach involving employees' tax file numbers occurs?

The appropriate response to a data breach involving employees' tax file numbers will depend on the circumstances. In general, NSW state public sector and local government entities should:

  1. take immediate steps to contain the breach, including by ensuring the circumstances that gave rise to the breach have been corrected and the tax file numbers and other personal information are no longer accessible by unauthorised parties;
  2. conduct an assessment in respect of the risks associated with the data breach and take steps to mitigate these risks;
  3. notify the individuals affected by the data breach and the Australian Privacy Commissioner, if it is concluded there are reasonable grounds to believe that the data breach has resulted or will result in serious harm to the individuals affected. Such notification should include:
    1. the identity of the NSW state public sector agency or local government entity that held the data affected by the data breach;
    2. a description of the data breach and the type of personal information and other data involved in the breach; and
    3. the actions the entity has taken in response to the data breach;
  4. take all reasonable actions to prevent similar or other data breaches in the future, including by introducing new security procedures / programs, updating relevant policies, providing employees with further training, and reviewing the use of particular third-party product and service vendors (e.g. external payroll service providers).

Future Developments

Although the above commentary sets out the current state of the law applicable to personal information held by NSW state public sector agencies or local government entities, the law may (and probably will) change at some stage in the future.

At the current time, there is a Bill before the NSW Parliament which proposes to amend the PPIP Act so as to bring the reporting obligations under the PPIP Act in line with the obligations under the Privacy Act. If this Bill is passed, any breach or disclosure of personal information by a NSW state public sector or local government entity (whether involving a tax file number or not), must be reported where the breach is likely to result in serious harm to the individuals concerned.

Action Items

While employee information may be a valuable or necessary resource to employers, the personal and private nature of such information behoves employers to limit the collection and retention of such information to the fullest extent possible.

The Optus and Telstra data breaches have highlighted the potential financial and reputational damage that can arise in the cases of data breaches – both for the organisations holding the information and for the individuals to whom the information relates.

Accordingly, NSW state public sector and local government entities should:

  • conduct regular reviews and audits of their IT and data privacy systems;
  • ensure that all personal information is collected and retained only to the extent reasonably required and/or required by law;
  • incorporate mechanisms that allow for the safe and secure return or destruction of personal information as soon as it is no longer required; and
  • seek professional legal advice as soon as possible in the event of any actual or suspected data breaches.