Data Breaches Notification: Serious Breaches Affecting Privacy: New Federal Laws

Friday 31 May 2013 @ 10.18 a.m. | IP & Media

On 29 May 2013 the federal government introduced into the House of Representatives new laws that will require businesses and government agencies to notify people when a data breach affecting their privacy occurs.

The Privacy Amendment (Privacy Alerts) Bill 2013 proposes to amend the Privacy Act 1988 (the Act) by introducing mandatory data breach notification provisions for agencies and organisations that are regulated by the Act (referred to as entities). The changes proposed by the Bill would commence immediately after the amendments to the Act contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 commence on 12 March 2014.

What is Mandatory Data Breach Notification?

Mandatory data breach notification commonly refers to a legal requirement to provide notice to affected persons and the relevant regulator when certain types of personal information are accessed, obtained, used, disclosed, copied, or modified by unauthorised persons.

In his speech to the House the Federal Attorney-General (the AG) explained that: "such unauthorised access may occur following a malicious breach of the secure storage and handling of information (for example, a hacker attack), an accidental loss (for example, loss of technical IT equipment or hard copy documents), a negligent or improper disclosure of information, or otherwise".

In his speech the AG pointed to the Australian Law Reform Commission (ALRC) Report 108, titled "For Your Information: Australian Privacy Law and Practice", to further illustrate why data breaches had become a greater problem in Australia, quoting the ALRC where it stated in the report: "with advances in technology, entities were increasingly holding larger amounts of personal information in electronic form, raising the risk that a security breach around this information could result in others using the information for identity theft and identity fraud".

How Will Notification Assist?

A notification requirement on entities that suffer data breaches will allow individuals whose personal information has been compromised by a breach to take remedial steps to lessen the adverse impact that might arise from the breach, such as changing passwords or taking other steps to protect their personal information.

How Will Notification Work?

The ALRC recommended that the Act be amended to require notification, proposing the test that notification be provided to those whose privacy had been infringed when a data breach causing "a real risk of serious harm" occurred. Such a notification requirement would be compulsory unless it could impact upon a law enforcement investigation or was determined by the regulator to be contrary to the public interest.

Under the Bill, agencies and organisations regulated by the Act would provide notice of a serious data breach to the Australian Information Commissioner (the Commissioner) and to affected individuals. The Bill contains general rules for the majority of entities regulated by the Act, as well as analogous rules for credit reporting bodies and credit providers subject to specific regulation under Part IIIA of the Act, which deals with consumer credit reporting.

It is interesting to note that the provisions in the Bill would also apply to recipients of tax file number information, namely employers.

Each type of entity is subject to common requirements under the Act to protect the types of personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure, thus placing a greater onus on those who hold private information on behalf of others.

What Constitutes a Data Breach?

According to the AG's speech, "[a] data breach arises where there has been unauthorised access to, or disclosure of, personal information, or where personal information is lost in circumstances that could give rise to unauthorised loss or disclosure. A data breach is a serious data breach where there is a real risk of serious harm to the individual to whom the information relates as a result of the breach." According to the AG, this is the standard recommended by the ALRC in its report and is also currently the standard in the voluntary data breach guidelines issued by the Office of the Commissioner.

The Bill also provides for regulations to specify particular situations that may be serious data breaches even if they do not necessarily reach the threshold of "a real risk of serious harm". An example of this cited by the AG is "the release of particularly sensitive information such as health records which may not cause serious harm in every circumstance but should be subject to the highest level of privacy protection".

In his media release of 28 May 2013, prior to introducing the Bill, the AG said of the legislation:

“With businesses and government agencies holding more information about Australians than ever before, it is essential that privacy is safeguarded,” ... “The new laws will alert consumers to breaches of their privacy, so that they can change passwords, improve security settings and make other changes as they see fit.”

In summary, under the new laws:

  • Notification of data breaches to the Office of the Commissioner will be required.

  • The notification requirements do not apply to all data breaches, only breaches that give rise to a risk of serious harm.

  • The Commissioner will be able to seek civil penalties if there is serious or repeated non-compliance with the notification requirements.

  • The laws will apply to all entities covered by the Privacy Act 1988 including many businesses, but they will not impose an unreasonable burden on business.
