Minter Ellison Alert: Federal Government now Looks at Mandatory Data Breach Notification 

October, 2012 - Veronica Scott, Charles Alexander

The Federal Attorney-General has released a Discussion Paper seeking comment on whether to introduce laws to make notification of data breaches by government agencies and large private sector entities mandatory in Australia. The Government is calling for submissions by 23 November 2012, asking what the triggers should be and what penalties should apply for failure to comply. The Federal Privacy Commissioner has given his support to the Discussion Paper and a mandatory notification scheme.

Whilst there are obligations in the Privacy Act 1988 (Cth) (Privacy Act) to keep personal information secure from misuse and loss and from unauthorised access, modification or disclosure, neither agencies nor private entities are required to notify the Office of the Australian Information Commissioner (OAIC) or affected individuals of a data breach of any kind. Notification is voluntary and organisations are encouraged to follow the OAIC's Guide - Data Breach Notification: A Guide to Handling Personal Information Security Breaches, that was first introduced in 2008.

A Private Members Bill was introduced in 2007 to make data security breach notifications mandatory. One of the recommendations in the Australian Law Reform Commission's (ALRC) 2008 Report on Australian Law and Practice was to introduce a mandatory data breach notification scheme. The Federal Government did not respond to this recommendation in the first part of its response to the ALRC report, and there is no scheme proposed in the Privacy Amendment (Enhancing Privacy Protection) Bill (Bill) which is currently before the Senate.

However, data breach notification has become a major focus for privacy regulators worldwide, as larger amounts of personal data are held electronically and reported data breaches increase, with some high profile examples such as Sony in 2011 and Telstra this year. Most US States have enacted some form of data breach notification legislation, and a whitepaper supporting a national uniform notification standard was issued by the Obama Administration earlier this year. Elsewhere, data protection legislation has been amended to include data breach notification provisions, or guidelines have been introduced. The Discussion Paper includes a range of these laws.

The OAIC Guide describes useful practical steps that can be taken following a data breach, including risk evaluation, assessment of whether there is a real risk of serious harm, containment of the breach and prevention of recurrence. However, the Guide does not require notification, impose penalties, define a real risk of serious harm or prescribe particular time frames or modes for the notification. The possibility of having supporting guidelines is canvassed in the Discussion Paper.

In addition to the overarching questions of whether a mandatory reporting system is required (for agencies only, for large organisations only, or for both) or whether the existing voluntary system is sufficient, the Discussion Paper sets out a number of key areas for consultation and determination by the Government. While acknowledging issues raised such as the cost of notification, the concerns raised with the ALRC about data breaches, the incentives on business to voluntarily respond to data breaches and the capability of businesses to detect breaches, it sees the key objectives of mandatory notification as:

  • mitigating the breach by resecuring the data;
  • deterrence and incentive to improve privacy protection; and
  • information gathering so breaches are tracked.

Triggers for notification

A key consideration in the Paper is what types of breaches should be reported, and how to clearly define those types of breaches with the aim of ensuring that 'remedial action can be taken quickly to mitigate actual and possible adverse effects of the breach, while ensuring that notification is only required in relation to appropriately serious breaches.' For example, if the notification requirement extends to minor breaches, this may place an unnecessary administrative burden on entities and may place undue stress on the individuals whose information is concerned where the breach is in fact under control. The ALRC recommended a 'catch all' test to be used to determine the trigger point, being 'a real risk of serious harm', which is the test adopted in the Guide. The Discussion Paper describes tests used in other jurisdictions and asks the questions:

  • what should be the appropriate test to determine the trigger for notification;
  • should it be based on a 'catch all' test, or based on more specific triggers, or another test (eg based on the amount and/or type of data affected); and
  • what specific elements should be included in the notification trigger?

Timing and responsibility of Notification

The timing of the notification is critical, as the primary objective of data breach notification is to give affected individuals adequate opportunity to take corrective action before real harm occurs, for example by changing passwords or cancelling credit cards. The Discussion Paper sets out tests that have been used internationally and asks the questions:

  • should there be a set time limit for notification, or a test based on notifying as soon as is practicable or reasonable;
  • who should be notified (the OAIC, the affected individuals or both), and who should be responsible for deciding whether to notify affected individuals; and
  • should other organisations that can assist, eg the police, also be informed?

Penalty for failure to notify

The Privacy Act will need to provide for an enforcement and compliance mechanism to encourage entities to comply with data breach notification obligations. The Privacy Act already has mechanisms for penalising entities for the data breach itself. The ALRC suggested that a civil penalty should apply, but did not discuss the specific elements of the penalty. The Government will need to consider whether a penalty scheme should be introduced at all and, if so, the type of penalty, the elements of the offence, the maximum quantum, and whether regulatory responses such as seeking to conciliate before imposing a penalty should be set out in the data breach notification section or in the more general parts of the Privacy Act.
The Discussion Paper poses the questions:

  • should there be a penalty or sanction for failing to comply with a legislative requirement to notify; and
  • if so, what should be the penalty or sanction, and the appropriate level of that penalty or sanction?

Exceptions

Finally, the Discussion Paper asks whether there should be a specific exception to notification where law enforcement activities might be compromised, or whether the public interest test proposed by the ALRC is sufficiently broad to cover occasions when notification would not be required.

Conclusion

It will be interesting to see how quickly changes in this area occur as any mandatory scheme will only place further pressures on the Office of the Australian Information Commissioner where resources will already be stretched when the current Bill to amend the Privacy Act becomes law.
