In October 2016, the Privacy Amendment (Notifiable Breaches) Bill 2016 (Bill) was introduced to the Federal Parliament. This is the third bill of its type to propose amendments to the Privacy Act 1988 (Cth) (Act) in response to the Australian Law Reform Commission’s recommendation that certain data breaches should activate mandatory reporting obligations.
The Bill proposes to introduce a mandatory data breach notification scheme which will create additional notification obligations for entities that are, in accordance with the Act, subject to the Australian Privacy Principles (APPs), credit reporting bodies, credit providers and/or tax file recipients.
The introduction of this Bill gives rise to an opportunity for not-for-profits (NFPs) to review their obligations under the Act and consider the implications of changes in handling private information. In doing so, NFPs must ask the following questions:
The Act specifies that all APP entities must comply with the APPs and defines APP entities to include bodies corporate, partnerships, incorporated associations, unincorporated associations and trusts. This broad definition will capture most NFPs, including companies limited by guarantee.
In accordance with the Act, your organisation will be subject to the APPs if it meets any one or more of the following conditions:
(a) has an annual turnover of more than $3 million;
(b) provides a health service to a person;
(c) is a contracted service provider under a Commonwealth contract;
(d) exchanges an individual’s personal information with others for the purpose of obtaining a benefit or service; and/or
(e) is related to (e.g. parent or subsidiary company) a body corporate that meets any of the above criteria.
The Act does not apply to all information that an NFP may possess. Principally, the Act regulates personal information. Personal information, in accordance with the Act, is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not that information is true and/or recorded in material form. Such information generally includes an individual’s name, address, date of birth and contact information.
Specific types of personal information will also fall within additional categories of regulated information, namely, sensitive or health information. Such information generally includes information relating to a person’s sexuality, religion, race, health status and medical information. It is important to note that information falling within these categories may give rise to specific and additional obligations which are not discussed in this article.
A number of exemptions are created by the Act. Those exemptions most relevant in the NFP context are outlined below. Generally, the APPs will not apply in relation to:
(a) personal information which is publicly available;
(b) personal information directly related to a current or former employee’s employment records;
(c) the transfer of certain information between related bodies corporate; and
(d) conduct which is a direct or indirect requirement of a government contract.
Additional exemptions may apply to organisations involved in particular journalistic and media-based activities.
If an NFP is subject to the APPs and no exemption applies, the NFP, in accordance with the APPs, must, among other things:
(a) manage personal information openly and transparently. This includes having an accessible
(b) where possible, allow individuals to remain anonymous or use a pseudonym;
(c) take reasonable steps to ensure the personal information it collects is accurate, up to date and complete;
(d) where it is lawful and reasonable, destroy unsolicited personal information which comes into its possession and which it determines it could not have collected itself and is not contained in a Commonwealth record;
(e) take reasonable steps to ensure that any overseas recipient of personal information adheres to the APPs;
(f) take reasonable steps to protect personal information; and
(g) allow an individual access to their personal information as held by the NFP.
Additionally, the NFP generally must not:
(a) collect personal information that is not reasonably necessary for the entity’s functions;
(b) collect sensitive personal information (e.g. information regarding race and religion) that is not reasonably necessary for the entity’s functions and without consent;
(c) disclose or use personal information for a purpose for which it was not collected, including direct marketing; and
(d) adopt a government identifier (e.g. Medicare number) as an identifier of its own.
If passed, the Bill will become a Commonwealth Act pursuant to which those NFPs already subject to the APPs must notify the Australian Information Commissioner and any affected individuals if there has been an eligible data breach.
In accordance with the Bill in its current form, an eligible data breach occurs where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of:
(a) unauthorised access to or unauthorised disclosure of personal information; or
(b) personal information being lost in circumstances likely to give rise to unauthorised access to or unauthorised disclosure of personal information.
Irrespective of whether the Bill is passed, its introduction should serve as a reminder to NFPs that care must be taken to secure private information and mitigate data security risks. While a data breach has the potential to cause an NFP reputational damage, even more significant reputational damage may result if the NFP is not seen to have taken all reasonable steps to prevent the breach, to report it, and to reduce the likely harm to any affected individuals.