New Commonwealth Data Breach Notification Laws To Commence in February 2018

Tuesday 6 February 2018 @ 10.46 a.m. | Legal Research

On 22 February 2018, new data breach notification laws will come into effect, potentially leaving many Australian businesses on the wrong side of the law.

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (Act No 12 of 2017) was assented to on 22 February 2017 and is expected to commence on 22 February 2018, when it will make substantive amendments to the Privacy Act 1988 (Cth) (the Act).

The Explanatory Memorandum (the EM) to the Bill indicates that the object of the legislation is:

“… to introduce mandatory data breach notification provisions for agencies, organisations and certain other entities that are regulated by the Privacy Act (entities) …”

Background

The Bill’s EM also states that [at para 33]:

“… in May 2008, the Australian Law Reform Commission (ALRC) concluded a 28-month inquiry into the effectiveness of the Privacy Act 1988 (Privacy Act) and related laws as a framework for the protection of privacy in Australia. The ALRC’s report, For Your Information: Australian Privacy Law and Practice (the ALRC report), made 295 recommendations for reform in a range of areas, including creating unified privacy principles, updating the credit reporting system, and strengthening the powers of the Privacy Commissioner. The Government responded to the majority of these recommendations with the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which introduced major privacy reforms and commenced in March 2014.”

One of the ALRC’s other recommendations was that a mandatory data breach notification scheme be introduced [see para 34 of EM]. Submissions to the ALRC’s inquiry indicated strong support for the introduction of a mandatory notification requirement, although some key private sector organisations in the banking and telecommunications industries were not supportive.

The EM also indicates [at para 89] that breaches of data security:

“… are increasing in frequency and scope. A 2014 Australian report found nearly a quarter of businesses surveyed had suffered an IT security breach in the previous 12 months, and 60% had suffered a breach in the previous five years …”

The Need for New Legislation

The Bill’s Draft Consultation Regulation Impact Statement indicates that the Office of the Australian Information Commissioner (OAIC) defines a “data breach” [see pg 5]:

“… as the situation where ‘personal information held by an agency or organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference’ …”

The ALRC report also noted that, with advances in technology, companies increasingly hold larger amounts of identifying information in electronic form. This raises the risk that a breach of that information could allow another individual to use it for identity theft and identity fraud, hence the need for tighter laws on the protection of personal information.

Public Comment and Reaction

Director for Internet Safety at the University of Canberra, Adjunct Professor Nigel Phair, is concerned that too many Australian businesses will be caught out, commenting that the businesses he was most worried about were small to medium-sized organisations:

"When you look at the organisations I talk to, they all think, 'Well, we won't get hacked, so why would we put any investment or any effort into being prepared?' The bigger you get, there is generally more preparedness to invest in cyber security measures. Unfortunately, the smaller you get, they don't see the value proposition, and subsequently the reason to be prepared."

Companies Covered by the new Scheme

The scheme will only apply to around 6 percent of Australian businesses. The Act exempts small businesses (entities with an annual turnover of $3 million or less) from its operation, but the exemption does not extend to some small businesses, including those that provide a health service, are a credit reporting body, or trade in personal information.

Mr Phair said this was worrying:

"Lots of little organisations still have personally identifying information, which if it [is] lost, stolen [or] abused, is a great threat to the average person out there."

Troy Hunt, an independent security researcher, said any company, regardless of its size, should have to inform people if their personal information has been exposed to an unauthorised party. He said:

"I believe that personal data is personal data. It belongs to the individual … There's an expectation that this is only going to apply to organisations where the breach could result in serious harm to the affected individual. Now the challenge here is that whilst there is some criteria set forth about what might constitute harm, it's still self-assessment. We come back to the point where if it's my data, I would like to know if it's been disclosed."

Recent Data Breach

In June 2017, car-sharing network GoGet identified unauthorised activity in its system, and in a statement Chief Executive Officer Tristan Sender said:

"… it appears that the suspect has accessed personal information of GoGet's members and individuals who have previously attempted to create a GoGet account …"

The Federal Government has reassured businesses that once the legislation is in place, the Privacy Commissioner will be able to conduct investigations into data breaches.

TimeBase is an independent, privately owned Australian legal publisher specialising in the online delivery of accurate, comprehensive and innovative legislation research tools including LawOne and unique Point-in-Time Products. Nothing on this website should be construed as legal advice and does not substitute for the advice of competent legal counsel.

Sources:

Data breach notification laws will force businesses to say if they've been hacked – abc.net.au

Privacy Amendment (Notifiable Data Breaches) Bill 2016 and Privacy Amendment (Notifiable Data Breaches) Act 2017 (No 12 of 2017) – Available from TimeBase LawOne Service.