By Luke Hooper, Special Counsel
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) amends the Privacy Act 1988 (Cth) (Privacy Act) to introduce mandatory “eligible data breach” notification provisions for entities regulated by the Privacy Act, and will likely take effect by 22 February 2018. These entities include super funds.
Currently, there is no compulsion to notify individuals who may be affected by a data breach, that is, a breach of Australian Privacy Principle 11 (security of personal information), which requires an entity to take reasonable steps to protect personal information (Information) from misuse, interference and loss, and from unauthorised access, modification or disclosure.
However, the Office of the Australian Information Commissioner (Commissioner) has previously stated (in its Data breach notification guide: A guide to handling personal information security breaches (Data Breach Guide)) that ‘[b]eing open and transparent with individuals about how personal information may be handled is recognised as a fundamental privacy principle. Part of being open about the handling of personal information may include telling individuals when something goes wrong and explaining what has been done to try to avoid or remedy any actual or potential harm.’ Therefore, if an entity identifies a data breach, notifying individuals of the data breach is an important option available to them. We take the view that many super fund trustees would have processes in place to notify members of (at least significant) data breaches.
Once the Act takes effect, new obligations will be placed on entities regulated by the Privacy Act, and we explain the concepts and obligations below.
An eligible data breach happens if:
(a) either:
(i) there is unauthorised access to, or unauthorised disclosure of, Information held by an entity; or
(ii) Information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the Information is likely to occur; and
(b) a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the Information relates.
However, if an entity takes remedial action:
(a) prior to any serious harm occurring (from unauthorised access or disclosure) and, as a result of the remedial action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals;
(b) prior to any loss of Information resulting in unauthorised access to or disclosure of Information; or
(c) after the loss of Information results in unauthorised access to or disclosure of that Information, but before the access or disclosure results in any serious harm to an individual and, as a result of the remedial action, a reasonable person would conclude that the subsequent access or disclosure would not be likely to result in serious harm to the Individual,
the access, disclosure or loss (as relevant) is not, and is taken never to have been, an eligible data breach.
For a data breach to constitute an eligible data breach, a reasonable person would need to conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the Information relates.
The Act does not define the term “serious harm”. However “serious harm” is a concept referred to in the Commissioner’s Data Breach Guide. Further, the Explanatory Memorandum states that serious harm ‘could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach. Though individuals may be distressed or otherwise upset at an unauthorised access to or unauthorised disclosure or loss of their personal information, this would not itself be sufficient to require notification unless a reasonable person in the entity’s position would consider that the likely consequences for those individuals would constitute a form of serious harm.’
It is apparent that when assessing whether “serious harm” is likely to occur, entities need to apply a reasonableness test to the circumstances. To help entities reach a conclusion, the Act details matters that an entity should consider when determining whether a data breach would be likely to result in serious harm, as follows:
(a) the kind of Information and its sensitivity;
(b) whether the information is protected by any security measures and, if so, whether those security measures could be overcome;
(c) the person or kinds of persons (Recipients) who have obtained, or could obtain, the Information;
(d) if a security technology or methodology was used in order to make the Information unintelligible or meaningless to unauthorised Recipients (for example, it was encrypted), the likelihood that the Recipients or kinds of Recipients who have, or are likely to have, the intention of causing harm to any of the individuals to whom the Information relates have obtained, or could obtain, the information or knowledge required to circumvent the security technology or methodology;
(e) the nature of the harm; and
(f) other relevant matters.
If an entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach by the entity, but is not aware that there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach, the entity must:
(a) carry out a reasonable and expeditious assessment of whether there are grounds to believe that the relevant circumstances amount to an eligible data breach of the entity; and
(b) take all reasonable steps to ensure that the assessment is completed within 30 days after the entity becomes aware of the reasonable grounds to suspect an eligible data breach.
This assessment requirement does not extend to eligible data breaches by other entities where, for example, one entity stores Information in an online platform provided by another entity and both entities “hold” the Information (as per the definition in section 6 of the Privacy Act). However, it makes sense for trustees who provide Information to administrators or insurers to ensure that these service providers carry out such assessments if the trustee takes the view that such assessments are warranted.
As soon as becoming aware that there are grounds to believe that the relevant circumstances amount to an eligible data breach by the entity, the entity must:
(a) prepare a statement that sets out:
(i) the entity’s identity and contact details;
(ii) a description of the eligible data breach;
(iii) the kind or kinds of Information concerned; and
(iv) recommendations about the steps that individuals should take in response to the eligible data breach; and
(b) give a copy of the statement to the Commissioner.
The Commissioner may also direct an entity to prepare a statement, if the Commissioner is aware that there are reasonable grounds to believe that there has been an eligible data breach (subject to the entity’s right to make a submission in respect of the Commissioner’s direction).
If the entity has reasonable grounds to believe that the eligible data breach was caused by another entity, the statement may also set out the identity and contact details of the other entity.
If an entity is required to provide the Commissioner with a statement, it must as soon as practicable:
(a) take steps that are reasonable in the circumstances to notify the contents of the statement to each of the individuals to whom the relevant Information relates (if this is practicable); or
(b) take steps that are reasonable in the circumstances to notify the contents of the statement to each of the individuals who are at risk of the eligible data breach (if this is practicable); or
(c) if neither of the above apply, publish a copy of the statement on the entity’s website and take reasonable steps to publicise the contents of the statement.
If an entity prepares a statement after an eligible data breach, and that eligible data breach was caused by another entity, the other entity is not required to prepare its own statement. This might mean that if an administrator causes an eligible data breach, it may provide the statement to the Commissioner (however, again, trustees may wish to review the relevant statement).
The Commissioner may declare that the requirement to prepare a statement does not apply, or may extend the period in which a statement may be prepared, if to do so is in the public interest, or due to other relevant considerations.
The amendments introduced by the Act will commence on a date to be fixed by proclamation or otherwise no later than 22 February 2018.
Super funds, as recipients, recorders and transmitters of personal information for every member, are highly exposed to potential data breaches. In 2014, the personal information of some Cbus members was leaked by certain employees, resulting in significant legal costs and reputational risk to Cbus.
The amendments to the Privacy Act place further obligations upon trustees, their administrators, insurers, and their staff to ensure that they maintain the security of personal information received by them. As a starting point, confidentiality and privacy provisions in any agreement should ensure that a counterparty is required to notify the trustee of any actual or potential breaches within a very limited timeframe. Sometimes it might be easy to dismiss these provisions as mere boilerplate, however our view is that these provisions require as much review and negotiation as other key provisions such as liability and indemnity, termination, and fees and costs.
These amendments will require compliance teams to put policies and procedures in place so that the trustee can respond to any potential eligible data breach within the required time, by identifying it, taking action to remedy it, and notifying the relevant parties of any eligible data breach.
If you have any questions, please do not hesitate to contact me.
Luke Hooper| Special Counsel
T: +61 3 9605 0894