Introduction of new legislation - Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth)

Last week the Federal Government introduced the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill). One of the key aims of the Coalition's proposed legislation is to require organisations (including non-government schools) who handle personal information to notify the Australian Information Commissioner (the Commissioner) and affected individuals when an 'eligible' data breach occurs.  Currently, there is no mandatory requirement that an organisation inform an individual following a data breach involving their personal information.organisation inform an individual following a data breach involving their personal information.

Non-government schools should be aware of how the Bill will affect their obligations under the Privacy Act 1988 (Cth) (the Act) if it is passed.

Refresh on Privacy law in Australia

The Australian Privacy Principles (APPs) were introduced on 12 March 2014 as part of reforms to the Privacy Act 1988 (the Act). CompliSpace has published a Briefing Paper for non-government schools which provides a plain English overview of the 13 APPs and outlines some key issues relevant to schools. We also have presented a webinar where David Griffiths, Managing Director of CompliSpace discusses the application of the APPs since their introduction.

APP 11 requires schools to take 'reasonable steps' to protect personal information from misuse, interference and loss as well as unauthorised access, modification and disclosure. A failure to do this may lead to a data breach - which is the focus of the Bill.

The Office of the Australian Information Commissioner's (OAIC) publication Data breach notification - A guide to handling personal information security breaches provides guidance on how to manage a data breach, if it occurs, under the current Privacy laws. It is expected that this guidance will be updated by the Commissioner to reflect the contents of the Bill.

It is timely that the Bill has been introduced now, given the increasing risk of data breaches due to changing technology. An Australian Law Reform Commission report noted that, with advances in technology, organisations are increasingly holding larger amounts of identifying information in electronic form, raising the risk that a breach of this information could result in another individual using the information for idorganisation theft and idorganisation fraud. Stalking, embarrassment, or discrimination can also result from the unauthorised release or loss of information held by an agency or organisation.

To whom will the proposed legislation apply?

The notification duty will apply to entities currently regulated by the Privacy Act including those non-government schools with an annual turnover of $3 million or more (known generally as APP entities) as well as credit reporting bodies, credit providers and those that hold health records which includes every school.

What is classified as a breach?

An eligible data breach occurs if:

• there is unauthorised access to, unauthorised disclosure of or loss of personal information held by an organisation and the loss is likely to result in serious harm to any of the individuals to whom the information is related; or
• the unauthorised access to or unauthorised disclosure of the information is likely to occur and if the breach were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

In the first example, there has been a suspected breach or breach. The second example outlines what would occur where an information security system is so poorly constructed that it is believed that a breach is impending. The second requirement requires no actual suspicion of a breach for the notification provisions to be triggered.

The 'serious harm' referenced above includes serious physical, psychological, emotional, economic, financial, reputational as well as other forms of serious harm that a reasonable person in the organisation's position would identify as a possible outcome of the data breach. This list of potential sources of harm is extensive and would certainly cover the type of breach that was carried out on the Ashley Madison website – with members suffering emotional loss and even divorce.

When does a data breach require notification?

Where a data breach has occurred, the Commissioner must be notified. Essentially, an organisation must make a notification if it:

• has reasonable grounds to believe the breach has happened; or
• is directed to do so by the Commissioner.

Reasonable grounds is a catch-all provision here that may be interpreted broadly by the Commissioner.

What is 'notification'?

Where there is a suspected data breach the organisation must:

• carry out a reasonable and 'expeditious' assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to a breach of the organisation; and
• take all reasonable steps to ensure that the assessment is completed within 30 days of suspecting a data breach.

The key word here is expeditious. Though it must be a reasonable assessment, it must also be done within a time-frame. The organisation must assess the breach and the effect it is likely to have on those whose personal information has been compromised.

The time limit for notifying the Commissioner is 30 days. This short time-frame has been put in place to ensure that the Commissioner's office is, in turn, able to act quickly to restore the safety and security of data and avoid further harm being caused to those whose data is retained by the organisation.

Notifying each individual affected

In addition to notifying the Commissioner, those who are personally affected by the breach must be individually notified. Where it is impracticable to notify every person affected, the Bill provides that instead, an organisation will be required to provide the information described above on its website (if any) and to take reasonable steps to publicise the information.

The Bill proposes exceptions to the notification requirements.

What happens if you don't comply with the data breach notification requirements?

Importantly, the Bill states that if an organisation fails to comply with the new data breach notification requirements, the failure will be deemed to be an interference with the privacy of an individual for the purposes of the Act.  This will then prompt the Commissioner to investigate the failure, make determinations and provide remedies in relation to non-compliance with the Act.

What schools need to know

As we have previously reported, schools are not immune to data breaches. Earlier this year a number of school's websites were hacked and it is believed that data sourced from that hack is now available for sale on the dark web - a largely unmonitored entry point to the internet where illegal trades are undertaken.

Not all data breaches are due to criminal hacks or other subversive conduct. They can occur from simple human behaviour leading to accidental loss or disclosure of personal information such as:

• lost or stolen laptops or misplaced hard drives/paper records; or
• employees accessing or disclosing personal information outside the requirements or authorisation of their employment.

Non-government schools should undertake an audit of how they currently handle personal information to properly understand their current systems and establish whether they have any compliance gaps (a Personal Information Management Audit).

To prepare for the new laws, schools should also contemplate how they will document and manage a process of notification to the Commissioner and to affected individuals if their personal information is breached. For example, if the breach involved the personal information of alumni - how would you contact them to notify them?

For more information on the Bill refer to the Explanatory Memorandum available here.

How secure is your school's information?