Explanatory Memorandum (Circulated by authority of the Attorney-General, Senator the Hon George Brandis QC)
1. This Bill amends the Privacy Act 1988 (the Privacy Act) to introduce mandatory data breach notification provisions for agencies, organisations and certain other entities that are regulated by the Privacy Act (entities). The Bill will commence on a single day fixed by proclamation. However, if the provisions do not commence before 12 months from the day after the Bill receives the Royal Assent, they will commence on that day.
2. Mandatory data breach notification commonly refers to a legal requirement to provide notice to affected individuals and the relevant regulator when certain kinds of security incidents compromise information of a certain kind or kinds. In some jurisdictions, notification is also only required if the data breach meets a specified harm threshold. Examples of when data breach notification may be required could include a malicious breach of the secure storage and handling of information (e.g. in a cyber security incident), an accidental loss (most commonly of IT equipment or hard copy documents), a negligent or improper disclosure of information, or otherwise, where the incident satisfies the applicable harm threshold (if any).
3. In its Report 108, For Your Information: Australian Privacy Law and Practice, the Australian Law Reform Commission (ALRC) noted that, with advances in technology, entities were increasingly holding larger amounts of personal information in electronic form, raising the risk that a security breach around this information could result in others using the information for identity theft and identity fraud. A notification requirement on entities that suffer data breaches will allow individuals whose personal information has been compromised by a breach to take remedial steps to lessen the adverse impact that might arise from the breach. For example, the individual may wish to change passwords or take other steps to protect his or her personal information.
4. The ALRC recommended that the Privacy Act be amended to require that such notification be given. Under the ALRC's proposed test, notification would be provided to those whose privacy had been infringed when data breaches causing 'a real risk of serious harm' occurred. Notification would be compulsory unless it would impact upon a law enforcement investigation or was determined by the regulator to be contrary to the public interest.
5. In February 2015, the advisory report of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 also recommended the introduction of a mandatory data breach notification scheme by the end of 2015. The Government's response to the PJCIS report in March 2015 agreed to this recommendation. The Government subsequently released exposure draft legislation for public comment between 3 December 2015 and 4 March 2016. Forty-seven public submissions were received on the exposure draft, with submissions generally supporting the legislation or supporting it subject to technical changes. The Attorney-General's Department also undertook targeted consultation with industry and civil society stakeholders about the exposure draft, resulting in a range of feedback and suggestions that were considered when finalising a Bill to present before Parliament.
6. This Bill implements the recommendations of the ALRC and the PJCIS by requiring agencies and organisations regulated by the Privacy Act to provide notice to the Australian Information Commissioner (the Commissioner) and affected individuals of an eligible data breach. The Bill contains general rules for the majority of entities regulated by the Privacy Act as well as analogous rules for credit reporting bodies and credit providers that are subject to specific regulation under Part IIIA, which deals with consumer credit reporting. The provisions in the Bill also apply to recipients of tax file number information. Each type of entity is subject to similar requirements under the Privacy Act to protect the types of personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
7. A data breach arises where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure. A data breach is an eligible data breach where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure (assuming, in the case of loss of information, that the access or disclosure occurred). This is based on the standard recommended by the ALRC and also incorporated in the current voluntary data breach guidelines issued by the Office of the Australian Information Commissioner (OAIC). An eligible data breach is 'notifiable' (as per the Bill's title) when no exceptions to notification apply.
8. The 'reasonable person' and 'likely risk' elements of the notification standard do not expressly reflect the ALRC's recommended 'real risk of serious harm' standard, which is also used in the OAIC voluntary notification guidelines. These elements, however, respond to significant stakeholder concerns about the practicability of determining what degree of probability and what kind of harm would be captured in the phrase 'real risk of serious harm'. The 'reasonable person' and 'likely risk' elements of the notification standard, by using commonly-understood legal standards of objectivity and probability, are intended to provide greater certainty for regulated entities while maintaining consistency with the core element of the ALRC recommendation.
9. Serious harm, in this context, could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity's position would identify as a possible outcome of the data breach. Though individuals may be distressed or otherwise upset at an unauthorised access to or unauthorised disclosure or loss of their personal information, this would not itself be sufficient to require notification unless a reasonable person in the entity's position would consider that the likely consequences for those individuals would constitute a form of serious harm.
10. It is expected that likely risks of serious financial, economic or physical harm would be the most common forms of serious harm giving rise to notification. Nonetheless, a reasonable person may conclude in some cases that a likely risk of serious psychological or emotional harm, serious harm to reputation or other serious harms arising from an unauthorised access, unauthorised disclosure or loss of personal information may exist. For example, this may be the case where an eligible data breach involves health information or other 'sensitive information' (in the sense of the definition of that term in existing subsection 6(1) of the Privacy Act or otherwise).
11. To give rise to an eligible data breach, however, the reasonable person would also need to be satisfied that the risk of serious harm occurring is likely, that is, more probable than not. In deciding whether this is the case, entities are required to have regard to a list of 'relevant matters' included in the Bill. It is not intended that every data breach be subject to a notification requirement. It would not be appropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of 'notification fatigue' on the part of individuals, and the lack of utility where notification does not facilitate harm mitigation.
12. If more than one entity jointly and simultaneously holds the same particular record of personal information, an eligible data breach of one entity may also be an eligible data breach of each of the other entities. This situation could potentially arise in cases involving outsourcing, joint ventures or shared services arrangements. For example, if one entity stores personal information in an online platform provided by another entity, and both entities 'hold' the information (as per the definition in existing subsection 6(1) of the Privacy Act), an eligible data breach involving the information could potentially be an eligible data breach of both entities.
13. In these circumstances the Bill provides that, where one of the entities concerned complies with its obligations under the new Part IIIC in relation to the eligible data breach, each of the entities is taken to have complied with their obligations. The various exceptions, including the Commissioner's ability to grant exemptions, also deal with these circumstances (so that an exception applying to one entity will typically apply to each of the entities). The Bill does not, however, specify which entity must comply with the obligations under Part IIIC in these circumstances. This will be a matter for the relevant entities to determine themselves.
14. If an entity suspects that an eligible data breach has occurred, they must undertake an assessment into the relevant circumstances. In the event of an eligible data breach, an entity is required to notify the Commissioner and affected individuals as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach (unless an exception applies). The notification must include:
- the identity and contact details of the entity
- a description of the serious data breach
- the kinds of information concerned, and
- recommendations about the steps that individuals should take in response to the serious data breach.
15. When providing the information described above to affected individuals, the entity may use the method of communication (if any) that it normally uses to communicate with the individual. This is designed to reduce the cost of compliance for entities, and also to ensure that individuals trust and act upon the information provided. Information received from an entity using a different method of communication may be dismissed as a scam resulting in individuals failing to take steps to mitigate harm arising from an eligible data breach. Where there is no normal mode of communication with the particular individual, the entity must take reasonable steps to communicate with them. Reasonable steps could include making contact by email, telephone or post.
16. In providing the information described above to affected individuals, the entity also has discretion to notify either each affected individual or, if not all affected individuals are deemed to be 'at risk' from an eligible data breach, only those affected individuals who are deemed to be at risk. This discretion is intended to provide flexibility to respond to different kinds of eligible data breaches. For example, in some cases it may be impracticable for an entity to consider the circumstances of each affected individual to determine which individuals are at risk from an eligible data breach and which are not. In these circumstances notifying the entire cohort of affected individuals may be appropriate. In other cases it may be practicable for an entity to determine with a high degree of confidence that only some individuals from a broader group of affected individuals are at risk, meaning that notification to the broader group may not be necessary from a harm mitigation perspective.
17. There may be circumstances in which it is impracticable to provide a notification to affected individuals, either collectively or only to those at risk. The Bill provides that, in these circumstances, an entity will not be required to provide notice directly to each affected individual but will rather be required to provide the information described above on its website (if any) and to take reasonable steps to publicise the information.
18. Not all entities will be subject to the data breach notification requirement. Those entities already exempt from the operation of the Privacy Act in whole or in part, such as intelligence agencies and small business operators, will enjoy the same exemption in relation to the measures in this Bill. Law enforcement bodies will not be required to notify affected individuals if compliance with this requirement would be likely to prejudice law enforcement activities.
19. Further exceptions to the data breach notification requirement may apply to other entities that are subject to the operation of the Privacy Act. If compliance would be inconsistent with another law of the Commonwealth that regulates the use or disclosure of information, an entity will be exempt to the extent of the inconsistency. If compliance would be inconsistent with another law of that kind which is prescribed in regulations under the Privacy Act, an entity will be exempt from the notification requirement. Finally, to avoid creating a double notification requirement, an unauthorised access, unauthorised disclosure or loss of personal information cannot give rise to an eligible data breach if that access, disclosure or loss has been, or is required to be, notified under the mandatory data breach notification requirement in section 75 of the My Health Records Act 2012 (the My Health Records Act).
20. Another exception applies in various circumstances where entities have taken remedial action following an eligible data breach or potential eligible data breach. Specifically, this exception applies where a reasonable person would conclude that, as a result of the remedial action, the unauthorised access or unauthorised disclosure of personal information (including an unauthorised access or unauthorised disclosure following loss of the information) is not likely to result in serious harm to the affected individuals. The exception also applies where remedial action has prevented a loss of information from leading to an unauthorised access or disclosure. If remedial action following an access or disclosure would lead a reasonable person to conclude that only particular individuals within a broader group are not likely to be at risk of serious harm following the remedial action, the entity is not required to notify those particular individuals (but would still be required to notify the remainder of the individuals).
21. In addition, the Commissioner may exempt an entity from providing notification of an eligible data breach where the Commissioner is satisfied that it is reasonable in the circumstances to do so, having had regard to several matters prescribed in the Bill. The Commissioner may issue an exemption on application from an entity or on the Commissioner's own initiative. The exemption may absolve an entity from complying with the notification requirement altogether or for a period of time that the Commissioner considers reasonable in the circumstances.
22. In deciding whether to grant an exemption, the Commissioner must have regard to any relevant advice about the reasonableness of doing so from a law enforcement body or the Australian Signals Directorate (ASD). For example, a law enforcement body may advise the Commissioner that an entity should be granted an exemption for a period of time to avoid compromising an investigation into an eligible data breach, or ASD may advise that notifying an eligible data breach would be likely to lead to further eligible data breaches (for example, if vulnerabilities in an entity's IT security systems became publicly known before they could be rectified).
23. This advice function for ASD reflects ASD's cyber-security expertise and role in providing advice and assistance on information and communications security (including through the Australian Cyber Security Centre).
24. An enforcement body or ASD could approach the Commissioner with relevant advice, the Commissioner could seek relevant advice from them or an entity applying for an exemption could potentially provide a copy of such advice with appropriate bona fides. Regardless, the decision about whether granting an exemption would be reasonable in the circumstances would remain with the Commissioner. The requirement to have regard to advice from these entities would also not prevent the Commissioner from considering other advice when deciding whether to grant an exemption.
25. In circumstances where the Commissioner believes that an eligible data breach has occurred and no notification has been given by the entity that suffered the breach, the Commissioner may give a written direction to the entity requiring it to provide notification of the data breach. Before giving a direction, the Commissioner must invite the entity concerned to make a submission to the Commissioner about the direction, and consider any response from the entity. The Commissioner has discretion to decide on the manner in which the invitation is made and the time the entity has to respond, given that in some cases a long period of time may not be appropriate. As with the exemption process, the Commissioner must also consider any relevant advice from a law enforcement body or ASD, and has discretion to also consider other advice.
26. Where a direction is given, the information to be provided to the Commissioner and affected individuals will be the same as if the entity had initiated the notification itself, with the exception that the Commissioner may also require the entity to provide other information about the eligible data breach that the Commissioner considers appropriate in the circumstances. If the eligible data breach in question is an eligible data breach of more than one entity, the Commissioner can also require the entity receiving the direction to include details of each entity concerned.
27. Similarly, the requirements as to communicating with individuals will be the same as though the entity had initiated notification itself. A law enforcement body that reasonably believes that compliance with the Commissioner's direction would be likely to prejudice law enforcement activities will be exempt from complying with the direction. A secrecy provision exception equivalent to that described above will also apply.
28. Failure to comply with an obligation included in the Bill will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act. This will engage the Commissioner's existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act. This includes the capacity to undertake Commissioner initiated investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.
29. This approach will permit the use of less severe sanctions before elevating to a civil penalty. These less severe penalties could include public or personal apologies, compensation payments or enforceable undertakings. A civil penalty would only be applicable where there has been a serious or repeated non-compliance with mandatory notification requirements. Civil penalties would be imposed by the Federal Court or Federal Circuit Court on application by the Commissioner.
30. A decision by the Commissioner to refuse to grant an exemption in response to an application from an entity, to grant an exemption for a lesser period of time than an entity requested, or to give a direction that an entity provide notification of an eligible data breach will be reviewable by the Administrative Appeals Tribunal.
31. It is anticipated that the Commissioner will update the current OAIC Data Breach Notification: A guide to handling personal information security breaches or release other guidance material to reflect the passage of this Bill and to assist entities in preventing, identifying, notifying and containing serious data breaches.