Bills Digest no. 52, 2016–17
Mary Anne Neilsen
Law and Bills Digest Section
8 December 2016
Contents
Purpose of the Bill
Structure of the Bill
Background
Data breach notifications
The Privacy Act and data breaches
Australian Law Reform Commission: report
Parliamentary Joint Committee on Intelligence and Security: reports
The three Bills
Privacy Amendment (Privacy Alerts) Bill 2013
Exposure draft: Privacy Amendment (Notification of Serious Data Breaches) Bill 2015
The current Bill
Committee consideration
Senate Standing Committee for the Scrutiny of Bills
Policy position of non-government parties/independents
Position of major interest groups
Australian Bankers’ Association
Law Council of Australia
Electronic Frontiers Australia
Australian Privacy Foundation
Financial implications
Statement of Compatibility with Human Rights
Parliamentary Joint Committee on Human Rights
Key issues and provisions
What is an eligible data breach
Threshold test for an eligible data breach
What is serious harm?
‘Likely to result in serious harm’
Exception to an eligible data breach—remedial action
Notification of eligible data breaches
Exceptions to notification
Commissioner written directions
Overseas entities
Enforcement and review
Concluding comments
Date introduced: 19 October 2016
House: House of Representatives
Portfolio: Attorney-General
Commencement: 12 months from the day after the Bill receives the Royal Assent, or earlier by proclamation.
Links: The links to the Bill,
its Explanatory Memorandum and second reading speech can be found on the
Bill’s home page, or through the Australian
Parliament website.
When Bills have been passed and have received Royal Assent,
they become Acts, which can be found at the Federal Register of Legislation
website.
All hyperlinks in this Bills Digest are correct as
at December 2016.
Purpose of the Bill
The purpose of the Privacy Amendment (Notifiable Data
Breaches) Bill 2016 (the Bill) is to amend the Privacy
Act 1988 in order to introduce mandatory
data breach notification provisions which will apply to entities currently
subject to the Privacy Act, namely most Commonwealth Government agencies,
some private sector organisations (‘entities’), credit reporting bodies, credit
providers and tax file number recipients.
Structure of the Bill
The Bill contains one Schedule of amendments to the Privacy
Act. The main amendment in Schedule 1 is item 3 which inserts a new
Part IIIC, titled ‘Notification of eligible data breaches’. This new Part
contains the substantive elements of the mandatory data breach notification
provisions, which apply to entities that are regulated by the Privacy Act.
The new Part IIIC is divided into three Divisions.
Broadly, the first Division sets out preliminary general matters including
relevant definitions and application provisions, the second Division sets out when
an ‘eligible data breach’ will have occurred and the third Division contains
obligations for entities to notify that such a data breach has occurred,
subject to certain exceptions.
Background
Data breach notifications
As the Explanatory Memorandum notes, mandatory data breach
notification commonly refers to:
... a legal requirement to provide notice to affected
individuals and the relevant regulator when certain kinds of security incidents
compromise information of a certain kind or kinds. In some jurisdictions,
notification is also only required if the data breach meets a specified harm
threshold. Examples of when data breach notification may be required could
include a malicious breach of the secure storage and handling of information
(e.g. in a cyber security incident), an accidental loss (most commonly of IT
equipment or hard copy documents), a negligent or improper disclosure of
information, or otherwise, where the incident satisfies the applicable harm threshold
(if any).[1]
Data breach notification has been a topical issue in
privacy regulation around the world for some years, with concerns about
identity theft and identity fraud driving the development of new laws in this
area.[2]
The Privacy Act and data breaches
The Australian Privacy Principles (APPs),
which are contained in Schedule 1 of the Privacy Act, outline how most
Australian Government agencies, all private sector and not-for-profit
organisations with an annual turnover of more than $3 million, all private
health service providers and some small businesses (collectively called ‘APP
entities’) must handle, use and manage personal information.
Currently, the Privacy Act does not impose an
obligation on entities to notify the Australian Information Commissioner (the
Commissioner) or any individuals whose personal information has been
compromised. However, APP 11 requires that agencies and organisations take
reasonable steps to maintain the security of the personal information they hold
from misuse, interference and loss, and from unauthorised access,
modification or disclosure. Other provisions in
the Privacy Act create equivalent obligations in relation to credit
reporting information, credit eligibility information and tax file number
information.[3]
The Office of the Australian Information Commissioner
(OAIC) currently has in place a voluntary guide for entities giving advice on
how to handle a data breach.[4]
Although not mandatory, entities regulated by the Privacy Act are
encouraged to comply with this guide so as to ‘voluntarily put in place reasonable measures to deal
with data breaches (including notification of affected individuals and the
OAIC), while legislative change is considered by the Australian Government’.[5]
The Commissioner has stated that he continues to support the introduction of a
mandatory data breach reporting scheme for serious data breaches noting that the
OAIC continues to see evidence of a high number of serious data breaches. He
quotes the McAfee Labs Threat Report for August 2015, which reviewed
changes in cyber threats and cybersecurity from 2010 to 2015 and which states
that there has been a ‘monumental increase in the number of major data breaches
and in the volume of records stolen’.[6]
In the Commissioner’s view a mandatory notification scheme is necessary to:
- give confidence to all Australians that if they are affected by a
serious data breach, they will be given a chance to protect their interests,
and
- signal to entities that protection of individuals’ personal
information should be a priority in the digital age.[7]
Australian Law Reform Commission: report
The Australian Law Reform Commission (ALRC) in its 2008
report on privacy, For Your Information: Australian Privacy Law and Practice
(the ALRC Report), considered the topic of data breach notification and made a
recommendation regarding the establishment of a mandatory notification scheme. The
ALRC noted that, with advances in technology, entities were increasingly
holding larger amounts of identifying information in electronic form, raising
the risk that a breach of this information could result in another individual
using the information for identity theft and identity fraud. A notification
requirement for entities that suffer data breaches would allow individuals
whose personal information had been compromised by the breach to take remedial
steps to lessen the adverse impact that might arise from the breach.[8]
The ALRC recommended that the Privacy Act be amended to impose a
mandatory obligation to notify the Privacy Commissioner and affected
individuals in the event of a data breach that could give rise to a real risk
of serious harm to affected individuals. Notification would be compulsory
unless it would impact upon a law enforcement investigation or was determined
by the regulator to be contrary to the public interest. Failure to notify would
attract a civil penalty.[9]
Parliamentary Joint Committee on Intelligence and Security: reports
Recommendations regarding a mandatory data breach
notification scheme were also made as part of the Parliamentary Joint Committee
on Intelligence and Security (PJCIS) inquiries into a mandatory data retention
regime. Firstly in May 2013, the PJCIS released a Report of the Inquiry into
Potential Reforms of Australia’s National Security Legislation. The report
recommended that, if a mandatory data retention regime should proceed, its
introduction should include the introduction of a robust mandatory data breach
notification scheme.[10]
Again, in February 2015 the PJCIS in its Advisory report
on the Telecommunications (Interception and Access) Amendment (Data Retention)
Bill 2014 (the Data Retention Bill 2014) recommended the introduction of a
mandatory data breach notification scheme by the end of 2015.[11]
The three Bills
Since 2008 when mandatory data breach
notification was first recommended by the ALRC, there have been three different
Bills that would establish a mandatory data breach notification scheme:
- Privacy Amendment (Privacy Alerts) Bill 2013[12]
- exposure draft of the Privacy Amendment
(Notification of Serious Data Breaches) Bill 2015[13]
- the current Bill.
Privacy Amendment (Privacy Alerts) Bill 2013
On 29 May 2013 the then Labor Government
introduced the Privacy Amendment (Privacy Alerts) Bill 2013 (2013 Bill) into
Parliament. The Bill was intended to implement ALRC recommendation 51–1 and to strengthen
the existing voluntary data breach notification framework in order to counter
underreporting of data breaches and to help prevent or reduce the effects of
serious crimes like identity theft. The Bill passed the House of Representatives
with bipartisan support. It was referred to Committee but lapsed on
prorogation of the 43rd Parliament.[14]
Exposure draft: Privacy Amendment (Notification of Serious Data Breaches) Bill 2015
On 3 March 2015 the Coalition Government, as part of its response
to the PJCIS report on the Data Retention Bill 2014, agreed to introduce a
mandatory data breach notification scheme by the end of 2015 and to consult on
draft legislation.[15]
In December of that year, the Attorney-General released an
exposure draft of the Privacy Amendment (Notification of Serious Data Breaches)
Bill 2015 (the 2015 exposure draft) and a discussion paper for public
submission. Forty-seven public submissions were received before submissions
closed on 4 March 2016.[16]
The 2015 exposure draft was similar to the
2013 Bill in that it applied the same threshold test for when an entity would
be required to notify a ‘serious data breach’ and imposed similar data breach
notification requirements. There were a range of views in submissions—a common
theme being that the legislation needed further explanation and clarification
on how to determine when a serious data breach might occur.
The current Bill
The current Bill, introduced on 19 October
2016, is based on the 2015 exposure draft but includes significant amendments.
In particular it introduces a higher threshold test for when data breach notification
is mandatory, and provides other changes aimed at reducing and streamlining the
need for notification. Many of these changes would appear to be responding to recommendations
from the various submissions on the 2015 exposure draft.
Further discussion on the differences
between the three Bills is found in the Key issues and provisions section
below.
Committee consideration
At the time of writing the Bill had not been referred to a
parliamentary committee for inquiry and report.
Senate Standing Committee for the Scrutiny of Bills
The Committee has considered the Bill and noted that it
includes a number of exceptions to the mandatory data breach notification
provisions:
These exceptions limit the right to privacy as in such
circumstances individuals will not be notified of an eligible data breach if
one of the exceptions applies.[17]
However, the Committee chose not to make any further
comment in relation to this matter given the detailed discussion about any
limitation on the right to privacy contained in the explanatory material.[18]
Policy position of non-government parties/independents
From the time of its response to the 2008 ALRC Report on
privacy, the Labor Party has consistently supported mandatory data breach
notification. While in Government, Labor initiated the first legislation in
2013.
The Shadow Attorney-General Mark Dreyfus has been critical
of the current Government’s delay in introducing legislation stating:
It has only taken Attorney-General George Brandis three
years, but he has finally caught up with Labor’s proposed legislation for
mandatory notification of consumers when their personal data has been breached.[19]
At the time of writing this Bills Digest, the Labor Party
had not provided any public comment on the current Bill, however, in August
prior to the tabling of the Bill, the shadow Attorney-General called on the
Government to negotiate with Labor on the proposed legislation to ensure a speedy
passage through Parliament.
Mr Dreyfus also cautioned the Government against bending
to the wishes of the banking industry on this matter stating:
Senator Brandis will face the same resistance from special
interests as Labor did when it first proposed this legislation three years ago,
including the ridiculous assertion that it would be too large an administrative
burden for banks to implement data breach alerts ... Mr Turnbull and Senator
Brandis must not bend to the banking industry’s will on this very important
issue.[20]
The Australian Greens support mandatory data breach
notification and have also been critical of the Government’s delay in
introducing legislation. On 2 February 2016 Senator Scott Ludlam called on the
Attorney-General to explain to the Senate why such legislation had not been
introduced, and to clarify the Government's intentions.[21]
The position of the cross bench Senators is not known at
this date.
Position of major interest groups
At the time of writing, there appears to be little public reaction
to the Bill from relevant interest groups. However, the Explanatory Memorandum
notes that submissions generally supported the 2015 exposure draft, or supported
it subject to technical change.[22]
The Regulation Impact Statement to the Explanatory Memorandum states that of
the 56 submissions received during the 2015–16 consultation, 38 strongly or
conditionally supported the mandatory scheme:
These submissions were received from a wide range of sources
including businesses from varied industry sectors, industry bodies, civil
society groups, individuals, academia, regulators and government agencies.
There were 12 submitters who didn’t express a definitive view although most of
these did not expressly oppose a mandatory scheme. The majority of these were
from industry groups. Six submissions opposed the proposed mandatory reporting
scheme. Of these six, three were from digital marketing and games/entertainment
businesses, two were from the health industry and one from the insurance
industry.[23]
At this point, it is worth noting that small businesses
are generally not subject to the Privacy Act and therefore would also be
exempt from the mandatory notification scheme proposed in the Bill. The
Regulation Impact Statement attached to the Explanatory Memorandum explains the
implications:
The proposed scheme will only apply to around 6% of
Australian businesses. The Privacy Act exempts small businesses (entities with
an annual turnover of $3 million or less) from the operation of the Privacy
Act. This exemption does not apply to some small businesses, including those
that provide a health service, are a credit reporting body, or trade in
personal information. The Attorney-General’s Department commissioned statistical
analysis from the Australian Bureau of Statistics that showed that in 2013
about 94% of entities on the ABS Business Register are below the $3 million
threshold and are therefore not likely to be subject to the Privacy Act or the
proposed scheme.[24]
The following is a small selection of views expressed in
submissions during consultation on the 2015 exposure draft. The selection
focuses on general concerns with the exposure draft and would apply equally to
the current Bill.
Australian Bankers’ Association
The Australian Bankers’ Association (ABA) appreciated the
detailed consultation process initiated by the Government, although it
expressed some reservations about mandatory data breach notification. The ABA made
some preliminary comments which it said were aimed at ensuring that
the Government’s approach would avoid under-resourcing, and avoid unnecessary implementation and
ongoing costs, for businesses complying with the law. One of the ABA’s concerns was that
the scheme does not encompass ‘small business operators’. In the ABA’s view:
... small businesses often have the least mature privacy and
security capabilities; nevertheless, in the information economy and with modern
computing tools, a small business may still have a large customer base, or
collect personal information about large numbers of individuals.
...
In addition, the ABA observes new businesses and start-ups
may fall under the $3 million threshold; this could create a situation in which
new entrants to an industry will be granted an unreasonable commercial
advantage by not being required to comply with the notification obligation (to
the detriment of their customers).[25]
Amongst other things, the ABA also made substantial
comments about an appropriate threshold test for determining when to notify a
data breach. These comments are discussed below in the Key issues and provisions
section.
Law Council of Australia
In its submission on the 2015 exposure draft, the Law
Council stated that it supported the passage of that Bill as a mechanism which
would allow individuals whose personal information has been compromised in a
serious data breach to take remedial steps to avoid potential adverse
consequences.[26]
The Law Council made a number of recommendations for amendment which it argues
are further aimed at strengthening the Bill’s safeguards, clarity, transparency
and oversight mechanism. Some of these recommendations are discussed in the Key
issues and provisions section below. In relation to the law enforcement
exception, the Law Council recommended that the Commonwealth Ombudsman, who
has oversight of the data retention regime for law enforcement bodies and is
therefore well placed to do so, also have independent oversight of enforcement agencies’ exercise of
powers in the Bill. To enhance oversight and public confidence in the proposed
exception, the Law Council recommended that the exception be subject to annual
reporting to the Parliament and appropriate oversight by the Commonwealth
Ombudsman.[27]
The Law Council also raised the question of the resourcing
of the OAIC, stating that it must be appropriately funded and resourced in
order to properly oversee the data breach notification scheme.[28]
Electronic Frontiers Australia
Electronic Frontiers Australia (EFA) in its submission on
the 2015 exposure draft commented generally that it has long been a supporter
of the introduction of legislation requiring notification of data breaches
involving personal data. In EFA’s view:
Mandatory data breach notification is an important addition
to Australia’s privacy protection regime which EFA believes will provide an
additional impetus for privacy and data security to be regarded as a critical
organisational risk factor requiring attention at the highest levels of
management among Australian organisations. It is particularly critical in the
context of the mandatory retention regime for telecommunications data that came
into effect in October 2015.
It is suspected that many organisations have avoided
disclosure of serious data breaches in the past, demonstrating the inadequacy
of the current voluntary notification regime.[29]
EFA had some concerns with the exposure draft which would
also be applicable to the current Bill. In particular EFA is concerned that
allowing enforcement agencies to self-determine whether a breach should be
excepted from the notification requirement is likely to lead to exceptions
becoming the default approach.[30]
EFA also supports the Australian Privacy Foundation’s policy that the threshold
for requiring notification should be based on either of the following
conditions being satisfied:
- a real risk of harm, without qualifications such as the proposed ‘serious’ risk, or
- a significant breach, whether or not a real risk of harm has arisen.[31]
Australian Privacy Foundation
The Australian Privacy Foundation (APF) argued that the
2015 exposure draft went some way to provide a structure for notification of
data breaches. However, in its view, the exposure draft had structural defects
and weaknesses which made it a significantly less effective framework than it
could be and thus diminished its likely effectiveness.[32]
The APF made several recommendations for amendment, some
of which would also be relevant to the current Bill including:
- there is an urgent need for a mandatory data breach notification scheme and a time
delay of 12 months in implementing the regime has not been made out[33]
- a serious data breach should constitute a serious interference with the privacy
of an individual[34]
- there should be a minimum of exceptions to notification and these should specify the
precise circumstances in which they are available[35] and
- all actions arising out of a breach of mandatory data breach notification
provisions should be posted on the OAIC web site.[36]
The APF maintains that even with a satisfactory mandatory
data breach notification regime, the limited scope and operation of the Privacy
Act constitutes a fundamental flaw in regulation:
That small business can be excluded from the operation of the
Privacy Act is an ongoing failure of public policy. The other exemptions, such
as employment information and personal information held by media and political
parties compound this problem ... The lack of broad coverage of the Privacy Act,
including in relation to mandatory data breach notification provisions will,
with time, cause both a regulatory problem and raise issues of fairness. Small
businesses rely on the collection and use of personal information and are as
prone to data breaches as businesses falling within the scope of the regime.
That a small business operator should not be required to notify a client or customer
of the misuse of his or her personal information while a slightly larger
organisation must do so is inequitable. It may also lead to avoidable losses
being suffered by an individual who is not notified.[37]
Financial implications
The Explanatory Memorandum states that this Bill has no
significant impact on Commonwealth expenditure or revenue.[38]
Statement of Compatibility with Human Rights
As required under Part 3 of the Human Rights
(Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the
Bill’s compatibility with the human rights and freedoms recognised or declared
in the international instruments listed in section 3 of that Act. The
Government considers that the Bill is compatible.[39]
Parliamentary Joint Committee on Human Rights
At the time of writing the Committee had not reported on the
Bill.
Key issues and provisions
What is an eligible data breach
Both the 2013 Bill and the 2015 exposure draft used the term
‘serious data breach’. Following consultations on the exposure draft, the Bill
has been amended to refer to ‘eligible data breach’.[40]
Proposed section 26WE sets out the circumstances
in which an ‘eligible data breach’ occurs. In short, an eligible data breach occurs
when, in respect of personal information, credit reporting information, credit
eligibility information or tax file number information held by a relevant entity required
to comply with the Privacy Act, the following conditions are satisfied:
- there is unauthorised access to, or unauthorised disclosure of, the information and
- a reasonable person would conclude that the access or disclosure would be likely
to result in serious harm to any of the individuals to whom the information
relates (proposed paragraph 26WE(2)(a)).
In the case of loss of information (assuming that
unauthorised access to, or unauthorised disclosure of, the information were to occur), an eligible data
breach occurs if:
- a reasonable person would conclude that the access or disclosure would be likely to result in serious
harm to any of the individuals to whom the information relates (proposed
paragraph 26WE(2)(b)).
These provisions apply to information subject to existing Privacy
Act information security requirements held by:
- APP entities[41] (proposed paragraph 26WE(1)(a))
- credit reporting bodies (proposed paragraph 26WE(1)(b))
- credit providers (proposed paragraph 26WE(1)(c)) and
- tax file number recipients (proposed paragraph 26WE(1)(d)).
Threshold test for an eligible data breach
What is serious harm?
The Explanatory Memorandum explains that serious harm is
broadly construed. It could include serious physical, psychological, emotional,
economic and financial harm as well as serious harm to reputation.[42]
In contrast to the 2015 exposure draft, the current Bill does
not contain a definition of harm. However, proposed section 26WG sets
out a non-exhaustive list of relevant matters to have regard to when
determining whether access or disclosure would be likely, or not likely, to result
in serious harm:
- the kind or kinds of information and its sensitivity
- whether the information is protected by security measures and the likelihood that any such
security measures could be overcome, including whether an encryption key could be used to
circumvent the encryption technology or methodology
- the persons or kinds of persons who have or could obtain the information
- the likelihood that any persons who have or could obtain the information could
obtain information or knowledge, or circumvent any security technology or
methodology applied to the information, with the intent to cause harm
- the nature of the harm and
- any other relevant matters.
These factors would be considered according to a
‘reasonable person test’. The Explanatory Memorandum states that the
‘reasonable person’ element of this section makes clear that regard is intended
to be had to these matters by considering information that would be available
to a reasonable person in their position, including following reasonable
inquiries, noting also that not all the matters listed will necessarily be
particularly relevant in all circumstances:
While in some cases one matter may be determinative in
considering whether a reasonable person would reach the aforementioned
conclusion, in other cases, it may be that a reasonable person would only reach
that conclusion when regard is had to the relevant matters as a whole.[43]
The 2013 Bill did not include such a list, but it was included
in the 2015 exposure draft in response to concerns that additional guidance is
needed for entities regulated by the scheme. The OAIC considers that this
section will give entities more certainty about when the obligation to notify
applies.[44]
The Explanatory Memorandum states most of these matters
are based on matters identified in the current OAIC Data Breach
Notification: A Guide to Handling Personal Information Security Breaches,
or matters identified in the ALRC 2008 Report.[45]
The Explanatory Memorandum also provides explanations and examples of how these
matters should be interpreted.[46]
‘Likely to result in serious harm’
The 2016 Bill requires data breach reporting
where a reasonable person would conclude that the access, disclosure or
loss would be likely to result in serious harm to that individual.
In contrast, the 2013 Bill and the 2015
exposure draft required reporting of a data
breach where there was a ‘real risk of serious harm’—‘real risk’
meaning a risk that is not a remote risk.
These different threshold tests are significant with the
test in the current Bill arguably imposing a higher threshold and therefore
resulting in fewer data breach notifications.
The 2008 ALRC report in its discussion on data breach
notification noted that in international law the terms ‘likelihood’ and ‘real
risk’ are similar and related:
In international law, the term ‘a real risk of serious harm’
has been defined to mean ‘a reasonable degree of likelihood’, ‘real and
substantial danger’ and ‘a real and substantial risk’.[47]
The Australian Bankers’ Association submission on the Discussion
Paper, Mandatory Data Breach Notification and Materials, argued that the
term ‘real risk that is not a remote risk’ does not provide enough guidance to
those agencies deciding when they should or should not notify a data breach:
The guiding principle is that the threshold test - where
notification is required when there has been a serious data breach because it
would result in a real risk of serious harm - should strike an appropriate
balance between the interests of customers while minimising the impact of
notification on businesses by being a test that is clear and can be relied on
with certainty.
...
In the course of the consultation process it was suggested
that for greater certainty “real risk” might be replaced with “likely risk” or
“probable risk” of serious harm.
For banks, there is the possibility that a data breach could
involve a very large number of a bank’s customers’ data and could involve
multiple parties. It would be practically very difficult for the bank to
identify the individuals who may be at risk of serious harm. Yet to notify all
affected customers could lead to or contribute to “notification fatigue” and,
more concerning, customers developing a form of “immunity” to numerous
notifications particularly where there may not be steps a customer could take
to mitigate their own risk.
The ABA is concerned that the test is still too vague and
specific guidance, including case study examples of where the threshold is and
is not met, is explicitly needed in the Bill or must be developed and published
by the OAIC well before the scheme commences.[48]
The Regulation Impact Statement in the Explanatory
Memorandum to the Bill explains why the threshold in the 2016 Bill is defined
differently to that in the 2013 Bill and the 2015 exposure draft:
The vast majority of submitters to the 2012 consultation who
commented on the possible design of a mandatory scheme were in favour of the
ALRC’s recommended trigger for notification, or a variation of that test, i.e.
a test based on a ‘real risk of serious harm’ to an individual. This would not
require entities to report less serious privacy breaches to affected
individuals or the OAIC.
However, in the 2013 targeted consultation and the 2015-16
consultation support was expressed for more explanation about, or a definition
of what constitutes, ‘a real risk of serious harm’. Without this additional
assistance, it was argued that some regulated entities may adopt a more risk
averse approach to notification by taking a narrow interpretation that could
lead to notification fatigue and create resourcing issues at the OAIC.
To address this concern, the proposed model:
a. modifies the ALRC’s ‘real risk of serious harm’ threshold by introducing
well-known legal concepts that involve an objective ‘reasonable person’ element
and a reference to ‘likely risk’ rather than ‘real risk’ — retaining the core
elements of the ALRC’s recommended test while improving ease of compliance for
regulated entities.
b. has an exception providing that notification is not required if a
reasonable person would conclude that serious harm is not likely as a result of
remedial action taken by the entity (see below) and
c. provides a list of relevant matters, including encryption, when
determining whether a reasonable person would conclude that there is a likely
risk of serious harm to an individual.[49]
The different threshold test used in the current Bill is
aimed at providing more certainty for entities who will have to decide when to
notify a data breach. While the two tests are very similar, ‘likely to result
in serious harm’ would appear to provide a slightly higher threshold,
particularly when combined with the list of relevant matters for consideration
in proposed section 26WG. As already noted, the effect is that there
would probably be fewer breaches reported under this test. Privacy advocates
may be critical of this outcome, although businesses such as banks would appear
to support it as a way of reducing the regulatory burden of mandatory data
breach notification.
Exception to an eligible data breach—remedial action
A key change to the Bill since the exposure draft is the
introduction of a ‘remedial action’ exception.
Proposed subsection 26WF(1) provides that the
unauthorised access or disclosure of the information will not be an eligible
data breach where, as a result of remedial action taken by the relevant entity
in relation to the breach, before it results in serious harm to any
individual to whom the information relates, a reasonable person would conclude
that the access or disclosure of the information is unlikely to result in
serious harm to any of those individuals.
In such cases where remedial action is taken and the
unauthorised access or disclosure is determined not to be an eligible data
breach, the entity will not be required to notify those individuals of the
unauthorised access or unauthorised disclosure (proposed subsection 26WF(2)).
Similar exceptions apply in the case of lost information.
Where there is a loss of information covered by proposed paragraph
26WE(2)(b), it will not be an eligible data breach where, as a result of
remedial action taken by the relevant entity in relation to the breach, before
it results in serious harm to any individual to whom the information relates, a
reasonable person would conclude that the loss of the information is unlikely
to result in serious harm to any of those individuals (proposed subsections
26WF(3) and (4)). In such cases where remedial action is taken and the loss
is determined not to be an eligible data breach, the entity will not be
required to notify those individuals of the loss (proposed subsection 26WF(5)).
Notification of eligible data breaches
Division 3 of Part IIIC contains obligations for entities to
notify an eligible data breach, subject to certain exceptions.
Proposed section 26WH requires an entity to carry out
an assessment of whether there is a suspected eligible data breach of the
entity in certain circumstances. An assessment is required if:
- the entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity and
- the entity is not aware that there are reasonable grounds to believe that an eligible data breach of the entity has occurred.
This provision covers the circumstance where an entity has reason to suspect a breach but not enough to be certain. Where it is reasonably certain, an assessment is unnecessary and the entity can simply prepare a statement under proposed section 26WK.
The entity must carry out a reasonable and expeditious
assessment of whether there are reasonable grounds to believe that the relevant
circumstances amount to an eligible breach of the entity (proposed paragraph
26WH(2)(a)). In addition, the entity must take all reasonable steps to
ensure that the assessment is completed within 30 days after becoming aware of
the reasonable grounds of the suspicion (proposed paragraph 26WH(2)(b)).
If the eligible data breach applies to more than one
entity, only one entity needs to undertake an assessment for all entities to
comply with this requirement (proposed section 26WJ).
An equivalent of proposed section 26WH was not included in
the 2013 Bill. The introduction of this additional step of allowing entities time
to assess whether notification is necessary would appear to be intended to
appease submitters concerned about the regulatory burden and the uncertainty of
determining when a data breach should be notified.
Proposed sections 26WK and 26WL set out the
circumstances in which an entity must prepare a statement about an eligible
data breach and provide that statement to the Commissioner.
Where an entity becomes aware (either by assessment, if
required according to section 26WH above, or by other means) that there are
reasonable grounds to believe that there has been an eligible data breach of
the entity, the entity must meet the notification obligations as set out below
as soon as practicable.[50]
The Explanatory Memorandum states that what constitutes ‘reasonable grounds’
will vary depending on the circumstances.[51]
The statement must set out:
- the identity and contact details of the entity (proposed paragraph 26WK(3)(a))
- a description of the eligible data breach that the entity has reasonable grounds to believe has happened (proposed paragraph 26WK(3)(b))
- the kinds of information concerned (proposed paragraph 26WK(3)(c)) and
- recommendations about the steps that individuals should take in response to the serious data breach that the entity has reasonable grounds to believe has happened (proposed paragraph 26WK(3)(d)).
The entity must give a copy of this statement to the
Information Commissioner (proposed subsection 26WK(2)).
Proposed section 26WL provides that if it is
practicable the entity must also take such steps as are reasonable to notify
the contents of the statement to:
- each individual to whom the information relates
- each individual at risk from the eligible data breach
- in the method the entity normally communicates with the individual (if any).
If individual notification is not practicable, the entity
must:
- publish a copy of the statement on the entity’s website (if any) and
- take reasonable steps to publicise the contents of the statement.
Exceptions to notification
There are exceptions to these notification obligations which include:
- exceptions for law enforcement bodies in cases where the Chief Executive Officer of the particular body believes on reasonable grounds that compliance with a notification requirement would be likely to prejudice law enforcement activities (proposed section 26WN)
- exceptions where, to the extent of the inconsistency, compliance with the notification requirement would be inconsistent with a law of the Commonwealth that prohibits or regulates the use or disclosure of information (proposed section 26WP)
- exceptions declared by the Information Commissioner (either in response to an application from an entity or on the Commissioner’s own initiative) (proposed section 26WQ). In making such a declaration the Commissioner must be satisfied that it is reasonable in the circumstances to do so, having regard to the public interest, any relevant advice from an enforcement body or the Australian Signals Directorate of the Defence Department, and any other relevant matters.
If the eligible data breach applies to more than one entity, only one entity needs to prepare the statement and give the notification for all entities to comply (proposed section 26WM). The Explanatory Memorandum
indicates that these provisions are designed to address situations involving
outsourcing, joint venture or shared services arrangements.[52]
Proposed section 26WD provides an exemption in
relation to eHealth information. An unauthorised access, unauthorised
disclosure or loss of personal information cannot give rise to an eligible data
breach if that access, disclosure or loss has been, or is required to be
notified under the mandatory data breach notification requirement in section 75
of the My Health
Records Act 2012. Mandatory data breach notification is already
required in the event of unauthorised access to eHealth information under the My
Health Records Act and the rationale for this exemption is to avoid
imposing a double notification requirement.[53]
Commissioner written directions
Proposed section 26WR provides the Commissioner with
the power to issue a written direction to an entity to provide notification of
an eligible data breach. The information to be provided to the Commissioner and
affected individuals will be the same as if the entity had initiated the
notification itself, and the methods of communication will also be the same. Before giving such a direction, the Commissioner must invite the entity to make a submission. In exercising this power, the Commissioner must be satisfied that the direction is reasonable in the circumstances, having regard to any relevant advice of an enforcement body or the Australian Signals Directorate of the Defence Department, any relevant submissions from the entity concerned and any other matters the Commissioner considers relevant.
Such a direction would be expected to primarily operate in
cases where an entity fails to comply with its notification obligations.[54]
The Explanatory Memorandum states that
section 26WR Commissioner directions could also be enlivened in
circumstances ‘such as where an eligible data breach comes to the attention of
the Commissioner but has not come to the attention of an entity’.[55]
There are also exceptions where an entity would not be
required to comply with Information Commissioner directions. An entity is not
required to comply if it would be likely to prejudice enforcement-related
activity of an enforcement body or it would be inconsistent with a secrecy
provision in another Australian law (proposed sections 26WS and 26WT).
Overseas entities
APP 8 requires organisations that are disclosing personal information to entities outside Australia to take reasonable steps to ensure that the overseas recipient does not breach the APPs. Proposed subsection 26WC(1) provides that where APP 8 applies to a disclosure, the APP entity will retain accountability for a ‘serious data breach’ involving the personal information even though that APP entity might not otherwise be responsible for the breach.
This would mean that, where an entity has
disclosed information to an overseas recipient, it may be liable for serious
data breaches of the recipient as though those breaches had happened to the
entity itself. The Explanatory Memorandum provides a further description
of how this provision would work.[56]
Enforcement and review
Section 13 of the Privacy Act outlines the
circumstances that will result in an ‘interference with the privacy of an individual’.
It includes for example breaches of the APPs and breaches of a registered APP
code.
Item 2 would amend section 13 to add that failure to comply with the obligations relating to notification of a data breach in proposed subsections 26WH(2), 26WK(2), 26WL(3) or 26WR(10) would be deemed to be an interference with the privacy of an individual (proposed subsection 13(4A)).
The effect of this amendment would be to engage the Commissioner’s existing
powers to investigate, make determinations and provide remedies in relation to
non-compliance with the Privacy Act. The Explanatory Memorandum states that
this includes:
... the capacity to initiate own motion investigations, make
determinations, seek enforceable undertakings, and pursue civil penalties for
serious or repeated interferences with privacy.[57]
Existing section 13G of the Privacy Act
provides that serious or repeated interferences with the privacy of an
individual may attract a civil penalty of up to 2,000 penalty units or $360,000.
Section 13G would apply where such failure to notify eligible data breaches would
be considered serious or repeated.
The Cyberspace Law and Policy Community at the UNSW
Faculty of Law (CLPC) in its comment on the 2015 exposure draft noted that the
Australian option differs greatly in relation to penalties from other
jurisdictions. CLPC recommends that it would be preferable to have specific
penalties for entities contravening the legislation
— for example, a specific monetary penalty per breach, and an ongoing daily
penalty for continued non-compliance. CLPC argues that the use of ‘softer
penalties’ (as per the 2015 exposure draft Bill and also in this Bill) implies
that prevention of a data breach is not one of the purposes of the amendment.[58]
Section 96 of the Privacy Act deals with the review
of Information Commissioner decisions by the Administrative Appeals Tribunal (AAT).
Item 4 amends section 96 to provide that the following Commissioner decisions to do with notifiable data breaches are also reviewable by the AAT:
- a decision to refuse an application for a declaration of an exemption (subsection 26WQ(7))
- a decision to make a declaration of an exemption (paragraph 26WQ(1)(d)) and
- a decision to give a direction to notify a data breach (subsection 26WR(1)).
Concluding comments
The Bill is the third iteration of a legislative scheme
for mandatory notification of data breaches. It has been described as long
overdue, implementing a recommendation of the ALRC dating back to 2008 and a
Government commitment made in 2015 with the enactment of its mandatory data
retention legislation. Mandatory data breach notification has bipartisan
support in the Parliament and previous iterations of this Bill have been the
subject of consultation with opportunities for interest groups to submit their
views to Government and the Parliament. It would appear therefore that there is
no reason for the Bill’s operation to be delayed.
It is a significant Bill. In terms of consumer privacy protection, it will help keep Australians’ personal information more secure in the digital age, when there is evidence that data breaches and data security are an ever increasing problem. Perhaps of equal importance, it is likely to have the secondary effect of encouraging agencies and private sector organisations to improve their data security practices.
That said, the Bill does have more limited application
than might initially be thought. Due to current exemptions in the Privacy
Act, mandatory notification of data breaches will not apply to
organisations such as many small business enterprises, political parties, media
organisations and national security agencies. Furthermore, the Bill would
appear to be more cautious than its predecessors, including amongst other
things a higher threshold test for determining what is an ‘eligible data breach’
and a new exception allowing entities to avoid notification where they take
remedial action before any serious harm has occurred. Some of these changes will presumably be welcomed by big businesses such as banks, which have lobbied that the previous Bills would impose a heavy regulatory burden and result in notification fatigue amongst consumers. Others, such as privacy advocates who saw structural defects in the previous Bills, may see the amendments as providing an even less effective framework for a mandatory data breach reporting scheme and further diminishing the Bill’s effectiveness.
[1]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, p. 2.
[2]. Australian Law Reform Commission (ALRC), For your information: Australian privacy law and practice, ALRC report, 108, Sydney, 12 August 2008, paragraph 51.1. Mandatory data breach notification laws apply in the European Union including the United Kingdom and some 47 American states. Attorney-General’s Department (AGD), Mandatory data breach notification, Discussion paper, AGD, Canberra, December 2015, p. 12.
[3]. For example, sections 20Q and 21S of the Privacy Act impose equivalent obligations to APP 11 on credit reporting agencies and all credit providers.
[4]. Office of the Australian Information Commissioner (OAIC), Data breach notification: a guide to handling personal information security breaches, OAIC, Sydney, August 2014.
[5]. Ibid.
[6]. OAIC, Submission to AGD, Inquiry into mandatory data breach notification discussion paper, 3 March 2016, p. 2.
[7]. Ibid.
[8]. ALRC, For your information, op. cit., pp. 1668–1669.
[9]. Ibid., recommendation 51–1.
[10]. Parliamentary Joint Committee on Intelligence and Security, Report of the Inquiry into Potential Reforms of Australia's National Security Legislation, May 2013, Recommendation 42.
[11]. Parliamentary Joint Committee on Intelligence and Security, Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, February 2015, Recommendation 38.
[12]. Parliament of Australia, ‘Privacy Amendment (Privacy Alerts) Bill 2013 homepage’, Australian Parliament website. See also: MA Neilsen, Privacy Amendment (Privacy Alerts) Bill 2013, Bills digest, 146, 2012–13, Parliamentary Library, Canberra, 2013.
[13]. Privacy Amendment (Notification of Serious Data Breaches) Bill 2015: exposure draft.
[14]. In the following Parliament the Labor Party, then in opposition, re-introduced this Bill as a private member’s Bill: Parliament of Australia, ‘Privacy Amendment (Privacy Alerts) Bill 2014 homepage’, Australian Parliament website.
[15]. G Brandis (Attorney-General) and M Turnbull (Minister for Communications), Government response to Committee report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, joint media release, 3 March 2015.
[16]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, op. cit., p. 2.
[17]. Senate Standing Committee for the Scrutiny of Bills, Alert digest, 8, 2016, The Senate, 9 November 2016, p. 31.
[18]. Ibid.
[19]. M Dreyfus (Shadow Attorney-General), Brandis finally catches up with privacy alert commitment, media release, 22 August 2016.
[20]. Ibid.
[21]. Australia, Senate, Journals, 135, 2015–16, 2 February 2016.
[22]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, op. cit., p. 2.
[23]. Ibid., p. 53.
[24]. Ibid., pp. 40–41.
[25]. Australian Bankers’ Association, Submission to AGD, Inquiry into mandatory data breach notification discussion paper, 4 March 2016, pp. 2–3.
[26]. Law Council of Australia, Submission to AGD, Inquiry into mandatory data breach notification discussion paper, 4 March 2016, p. 3.
[27]. Ibid., p. 15.
[28]. Ibid., p. 16.
[29]. Electronic Frontiers Australia, Submission to AGD, Inquiry into mandatory data breach notification discussion paper, 7 March 2016, p. 3.
[30]. Ibid.
[31]. Ibid.
[32]. Australian Privacy Foundation, Submission to AGD, Inquiry into mandatory data breach notification discussion paper, 4 March 2016, p. 1.
[33]. Ibid., p. 2.
[34]. Ibid., p. 5.
[35]. Ibid., p. 6.
[36]. Ibid.
[37]. Ibid., p. 2.
[38]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, op. cit., p. 3.
[39]. The Statement of Compatibility with Human Rights can be found at pages 58–63 of the Explanatory Memorandum to the Bill.
[40]. For example the Law Council of Australia submitted that the phrase ‘serious data breach’ of itself has a heavy emotional weight and that more qualified language should be used. Law Council of Australia, Submission to AGD, op. cit., p. 6.
[41]. APP entities consist of most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses.
[42]. By way of comparison, the 2015 exposure draft contained a definition of ‘harm’ as including: physical harm; psychological harm; emotional harm; harm to reputation; economic harm; and financial harm. The Law Council amongst others recommended that this definition be removed. Law Council of Australia, Submission to AGD, op. cit., p. 12.
[43]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, op. cit., p. 75.
[44]. OAIC, Submission to AGD, op. cit.
[45]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, op. cit., p. 75.
[46]. Ibid., pp. 74–79.
[47]. ALRC, For your information, op. cit., p. 1690.
[48]. ABA, Submission to AGD, op. cit., p. 4.
[49]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, op. cit., p. 28.
[50]. What constitutes a ‘practicable’ timeframe for the purposes of paragraph 26WK(2)(b) to prepare a subparagraph 26WK(2)(a)(i) statement and give a copy of the statement to the Commissioner will vary depending on the time, effort or cost required to comply with paragraph 26WK(2)(b), when considered in all the circumstances of the entity and the data breach. Ibid., p. 84.
[51]. For example, a pattern of complaints may provide the entity reasonable grounds to believe that an eligible data breach of the entity has occurred. On the other hand, if the complaints merely provide the entity with reason to suspect that there has been an eligible data breach of the entity, the assessment requirement under section 26WH will apply. Ibid., p. 84.
[52]. Ibid., p. 89.
[53]. Ibid., p. 68.
[54]. AGD, Mandatory data breach notification, discussion paper, op. cit., p. 6.
[55]. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, op. cit., p. 98.
[56]. Ibid., p. 43.
[57]. Ibid., p. 6.
[58]. Cyberspace Law and Policy Community (CLPC), Submission to AGD, Inquiry into mandatory data breach notification discussion paper, 7 March 2016, p. 7.
For copyright reasons some linked items are only available to members of Parliament.
© Commonwealth of Australia
Creative Commons
With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.
In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.
To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.
Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.
Disclaimer: Bills Digests are prepared to support the work of the Australian Parliament. They are produced under time and resource constraints and aim to be available in time for debate in the Chambers. The views expressed in Bills Digests do not reflect an official position of the Australian Parliamentary Library, nor do they constitute professional legal opinion. Bills Digests reflect the relevant legislation as introduced and do not canvass subsequent amendments or developments. Other sources should be consulted to determine the official status of the Bill.
Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library’s Central Enquiry Point for referral.