What You Need To Know

• The Privacy Amendment (Privacy Alerts) Bill 2013 (Cth) was introduced into the Federal Parliament on 29 May 2013, and lapsed on 12 November 2013.
• The bill was re-introduced by the Opposition as the Privacy Amendment (Privacy Alerts) Bill 2014 (Cth) on 20 March 2014.
• If passed, the Bill will amend the Privacy Act 1988 (Cth) by introducing a requirement to notify the Privacy Commissioner and “significantly affected individuals” if a serious event of unauthorised access or disclosure of relevant information occurs.

What You Need To Do

If the Bill is passed, it will introduce a mandatory requirement for notification of certain parties in the event of a significant data breach.
In the meantime, entities should be aware of their existing obligations with respect to ensuring the security of personal information under the Privacy Act. Given the potential for significant reputational damage arising out of a data security breach, entities may also like to consider:

• taking steps, such as notifying the Privacy Commissioner and affected individuals, if a data breach occurs before the Bill takes effect; and
• reviewing their privacy policies and practices (including, in particular, security and disclosure arrangements) with the aim of avoiding data breaches where possible, and minimising exposure in the event that a data breach occurs.

Background

On 29 May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 (Cth) was introduced into the Federal Parliament as the latest step in a series of initiatives undertaken by the Government since the question of the adequacy of Australia’s privacy laws was initially referred to the Australian Law Reform Commission (ALRC) for consideration in 2006.
However, the Bill failed to be heard in the Senate on its last day of sitting and, accordingly, lapsed.

On 20 March 2014, the Bill was re-introduced as the Privacy Amendment (Privacy Alerts) Bill 2014 (Cth) (Bill) into the Federal Parliament by Tasmanian Labor Senator Lisa Singh. It is in substantially identical form to its 2013 predecessor.

It is not clear what the Bill’s prospects are for successful passage. The Coalition has not previously expressed support for the Bill in its current form. In fact, it expressed concerns in 2013 in relation to certain of the key terms used in the Bill (in particular, “serious breach” and “serious harm”) and noted the possibility of regulatory overload. Nevertheless, it has been reported that the Coalition does support mandatory data breach notification, as a matter of principle.

If passed, the proposed legislation will amend the Privacy Act 1988 (Cth) by introducing a mandatory reporting regime for serious data breaches. It appears from the text of the Bill that the substantive provisions are proposed to take effect within 6 months of the Act receiving Royal assent, once passed.

The Privacy Act does not contain a mandatory data breach notification obligation, nor is one contained in the APPs. The OAIC’s Data Breach Notification Guidelines, published in April 2012, strongly encourage organisations to report data breaches to affected individuals as a part of “good privacy practice” but these guidelines are voluntary and do not impose any binding obligations on organisations.

There is, nevertheless, an existing obligation on the Commonwealth Government under Information Privacy Principle 4 and on private sector organisations under Australian Privacy Principle 11 to keep information secure. While a breach of security is a breach of the existing privacy principles, it does not extend to an obligation to inform individuals who may be potentially affected.

Key Concepts

The concept of “privacy breach notification” contemplates a statutory obligation on Commonwealth and private sector entities to notify individuals potentially affected by an accidental or unauthorised disclosure of personal information under the control of that entity.
The underpinning philosophy is that any personal data breach increases the risk of identity fraud, and accordingly individuals should have as great an opportunity as possible to take action to guard against any unauthorised access to, or use of, their personal information in the event that a data breach has occurred.

Key concepts introduced by the Bill are set out below.

The reporting obligations arise where a serious data breach occurs. This includes where:

• an entity that is bound by the APPs holds personal, credit reporting or credit eligibility information (including tax file number information);
• unauthorised access to or disclosure of the relevant information occurs (including where it may occur because information is lost), in breach of the data security obligations set out in the new APP 11; and
• the access or disclosure will result in a real risk of serious harm to significantly affected individuals.

Significantly affected individuals are those persons to whom the relevant information relates, or if the information is of a kind specified in a regulation, where the regulations specify that the person is taken to be significantly affected by the serious data breach.
Harm is defined as including reputational, economic and financial harm.

Reporting Obligations

The Bill introduces reporting obligations for Commonwealth agencies and private sector entities.

In particular, entities are required to notify the Privacy Commissioner and take reasonable steps to notify significantly affected individuals where a serious data breach occurs.
Where an entity has disclosed personal information to an overseas recipient (and APP 8.1 applied to such disclosure), then the reporting obligations will take effect as if the relevant information were held by, and the data security obligations under APP 11 applied to, the entity.

Notification is required to be made by way of a statement including certain information:

• the entity’s identity and contact details;
• a description of the serious data breach;
• the kinds of information concerned;
• recommendations about steps that individuals should take in response to the serious data breach; and
• any other information specified in the regulations.

A copy of the notification statement must be provided to the Privacy Commissioner. The entity must also take reasonable steps to notify each significantly affected individual of the contents of the statement. Notification of significantly affected individuals can be done using the means of communication ordinarily used by the entity to communicate with the individual. It may also, if certain conditions are satisfied, occur by way of publication on the entity’s website and, in each State, by publication in at least one newspaper circulating generally in that State.

Entities may also be directed by the Privacy Commissioner to prepare a notification statement, submit a copy to the Privacy Commissioner and notify significantly affected individuals where the Privacy Commissioner believes on reasonable grounds that a serious data breach has occurred.

Exemptions And Failure To Comply

The Bill permits the Privacy Commissioner to exempt entities from the obligation to notify significantly affected individuals if the Commissioner is satisfied that it is in the public interest to do so.

The Privacy Commissioner may also grant an exemption where the entity is a law enforcement body, and compliance with the reporting obligations may prejudice one or more enforcement related activities of the entity.

Any entity can apply to the Privacy Commissioner for an exemption, or the Commissioner can give an exemption on his or her own initiative.

If an entity fails to comply with the reporting obligations or a direction by the Privacy Commissioner, it will be deemed an interference with privacy. In such circumstances, the additional powers of the Privacy Commissioner will apply and the entity may be required to take steps such as pay compensation, make an apology or take (or refrain from taking) certain action.

For further information, please contact:

Gordon Hughes, Partner, Ashurst
[email protected]

Amanda Ludlow, Partner, Ashurst
[email protected]

Tim Brookes, Partner, Ashurst
[email protected]

Jane Burton, Ashurst
[email protected]

Ashurst Regulatory & Compliance Practice Profile in Australia

Homegrown Regulatory & Compliance Law Firms in Australia

International Regulatory & Compliance Law Firms in Australia