What is an eligible data breach?
An eligible data breach includes:
- unauthorised access to, or disclosure of, personal information
- personal information lost in circumstances where unauthorised access or disclosure is likely to occur
Who determines whether an eligible data breach has occurred?
The APP Entities (those entities regulated by the Privacy Act) themselves make this determination. An APP Entity must:
- have reasonable grounds to suspect an eligible data breach
- conduct a reasonable and expeditious assessment
What data breaches must be notified?
Not all breaches are notifiable. Where the Privacy Act applies, eligible data breaches must be notified to the regulator, the OAIC, and to affected individuals.
- These are breaches that are "likely to result in serious harm" to the individual
- Serious harm includes, but is not limited to, psychological, financial, reputational, emotional, or physical harm
- A ‘reasonable person’ test is applied:
  - a person in the entity’s position (rather than the position of an individual whose personal information was part of the data breach or any other person)
  - who is properly informed
  - based on information immediately available or following reasonable inquiries or an assessment of the data breach
- There is no obligation to notify if an entity merely “suspects” a breach – there has to be a “belief”
Accordingly, we emphasise the importance of undertaking a thorough assessment and obtaining advice before notifying a breach
What is relevant regarding whether a breach is likely, or would not be likely, to result in serious harm?
Factors, including but not limited to the following, should be taken into account in determining whether a breach is likely to result in serious harm:
- the kind or kinds of information
- the sensitivity of the information
- whether the information is protected by one or more security measures
- the persons, or the kinds of persons, who have obtained, or who could obtain, the information
- the nature of the harm
- the length of the opportunity for unauthorised access
- whether any personal information was exfiltrated from systems
- whether any personal information was made public
The OAIC has also issued guidance indicating that ‘likely to occur’ means the risk of serious harm to an individual is more probable than not (rather than possible).
How long to assess and notify a breach?
Currently, APP Entities have 30 days to carry out a reasonable and expeditious assessment.
Who notifies affected individuals?
- Existing OAIC guidance indicates that the entity with the ‘most direct relationship’ with the individuals concerned should carry out the notification
- There are significant difficulties if a breach involves a third party that holds personal information and:
  - that third party does not have a direct relationship with an individual; and
  - the entity with a direct relationship is not an APP Entity / subject to the Privacy Act
Have there been any recent changes to the notification scheme (NDB Scheme)?
Yes, there have been 3 recent reforms to the NDB Scheme:
- The OAIC has new powers to obtain information or documents in relation to an actual or suspected eligible data breach
- There has been an expansion of OAIC’s power to assess an entity’s compliance to include notification of eligible data breaches
- There is a new requirement for APP Entities to set out the kinds of information involved in the breach to ensure the OAIC has a comprehensive knowledge of the information compromised in a breach
What preventative measures can be taken?
Consideration should be given to the following measures:
- Auditing the personal information collected and held
- Considering why particular personal information is required
- Considering how long personal information is required to be held
- Considering what personal information is disclosed, including cross border disclosures
- Reviewing privacy policies and terms & conditions
- Considering whether Privacy Impact Assessments are required
- Reviewing service agreements and other contracts, including agreements involving cross border disclosures
- Implementing relevant processes, including for destruction and deletion having regard to industry specific legislation
- Investing in privacy, information management, cyber security and training
- Considering the FOI / GIPA implications for government agencies. For example, under the FOI Act, a government agency can release personal information where it is reasonable and in the public interest, which is also allowed under the Privacy Act. Most government departments and agencies have specific requirements for the return and destruction/deletion of personal information held by service providers, who may be the subject of FOI requests
Are there any impending changes to the notification scheme, or to the Privacy Act, relevant to data breaches?
Yes, several changes are likely, including the following:
- Either reducing or removing the $3 million threshold so that smaller businesses are also bound by the Privacy Act. If the threshold is reduced and more entities become subject to the Privacy Act, they will equally become subject to the NDB Scheme
- Expansion of the NDB Scheme to cover employee personal information. Currently employee personal information is exempted and is not regulated by the Privacy Act, but by the Fair Work Act
- An express requirement for APP Entities to appoint or designate a senior employee responsible for privacy within the entity. This means designating responsibility for data breaches
- A requirement to undertake Privacy Impact Assessments for activities with high privacy risks (and to provide those assessments to the OAIC on request). This is likely to be of relevance for data breaches (and requested by the OAIC in the event of a breach), and assessments will have to be prepared in a manner that anticipates future disclosure to the OAIC
- Creation of a direct right of action. The action would be available to any individual, or group of individuals, whose privacy has been interfered with by an APP Entity. The remedies available under this right would be any order the court sees fit, including any amount of damages. This opens up the possibility of actions, and (more) class actions, by individuals for data breaches
- Introduction of a statutory tort for invasion of privacy, covering intrusion upon seclusion and misuse of private information by anyone (not just APP Entities). This opens up the possibility of actions by individuals for data breaches
- Amendment of the Privacy Act so that a statement about an eligible data breach must set out the steps the APP Entity has taken, or intends to take, in response to the breach, including, where appropriate, steps to reduce any adverse impacts on the individuals to whom the relevant information relates
- A 72-hour period to undertake a reasonable and expeditious assessment, instead of 30 days
What penalties apply for breaches of the Privacy Act?
In order for any penalties to apply, the OAIC must make an application to the Federal Court. The Federal Court can impose penalties for each breach of the Privacy Act, being the higher of:
- $50 million, or
- three times the value of any benefit obtained through the misuse of information, or
- 30% of the breaching entity’s annual adjusted turnover during the breach period
How can Moray & Agnew help?
We can help you comply with the Privacy Act, and get you ready for the likely changes, including the following:
- Privacy Policies (and reviews)
- Employee Privacy Policies (and reviews), employee contract reviews and policy handbook reviews
- Service Agreements & Contracts (covering privacy, confidentiality, information management)
- Cross border disclosure agreements
- Terms & Conditions (and reviews)
- Privacy Impact Assessments
- Personal Information audits
- Notifiable Data Breaches
- Privacy complaints
- Freedom of Information / GIPA Issues
For further information and assistance please contact our Privacy Team.
This guide is intended to provide a summary and commentary only. It is not intended to be comprehensive nor does it constitute legal advice, and has been prepared based on applicable legislation at the date of publication (3 May 2023). You should seek legal advice on specific circumstances before taking any action.