Australia’s Privacy Act & The Notifiable Data Breaches Amendment Thoughts
A troublesome issue many have encountered over the last few years with the Notifiable Data Breaches (NDB) Amendment is how some organisations and individuals view it as separate to the Privacy Act (1988), struggling to understand what it means. It’s an amendment to the existing act and improves the accountability and enforcement where individuals whose information may be compromised is concerned. With significant discretionary (as opposed to mandatory) penalties, the onus on compliance is much greater.
Understandably, the confusion for some organisations is regarding whether they are bound by the NDB Scheme and how. The language presented in the media (including social media, forums, and blogs) is often incomplete, confusing, or misleading. Having read dozens, if not hundreds, of such articles, we can understand how one may be left more confused than before they began trying to understand the intricacies of this amendment.
Before considering whether the NDB Scheme applies and what to do for compliance, one must consider the Privacy Act itself and who does and does not have responsibilities under the act. You will likely have to ask a series of questions to understand what your rights are, who has obligations to protect those rights, and interestingly, who does not have those same obligations.
Who has rights under the Privacy Act?
As individuals, we must be aware of our rights and how the Privacy Act gives us control over the way that our personal information is used. The act permits us to:
- Know why our personal data is being collected, how it will be used, and who will access it
- Maintain an option to not identify ourselves or use an alias if need be
- Request access to our personal data and yes, this includes our sensitive health data. Let’s also consider the recent “My Health Record” system here.
- Demand that we stop receiving unwanted direct marketing such as telemarketing calls
- Request that when our personal information is inaccurate that it is corrected.
- Officially complain about an entity covered by the Privacy Act if we believe they have mishandled or abused our personal data
Who has responsibilities under the Privacy Act?
Being aware of our rights is critical, and we must also understand who is and is not bound to protect those rights against abuse. Those covered by the act include:
- Australian Government agencies, businesses, and Not-For-Profit (NFP) organisations with an annual turnover of $3 million or more (subject to some exceptions whether you agree or not and it’s these exceptions that perhaps cause the most confusion.)
- Some small business operators, such as organisations with a turnover of $3 million or less, including:
- Private sector health service providers. “Health Service Providers” includes traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals, but we also must consider:·
- Complementary therapists, such as naturopaths and chiropractors
- Gyms and weight loss clinics, which many may overlook as “Health Service Providers”
- Child care centres, private schools and private tertiary education facilities.
- Businesses that sell or purchase personal information, and these are both a goldmine and a minefield of personal information.
- Credit reporting organisations
- Service providers with a Commonwealth contract (basically government contractors)
- Employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009
- Businesses that have chosen to opt-in to the Privacy Act
- Businesses related to an entity covered by the Privacy Act (such as partner organisations and parent organisations)
- Businesses prescribed by the Privacy Regulation 2013.
In special circumstances, some practices of small businesses are covered by the Privacy Act such as:
- Activities of reporting entities or authorised agents related to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 including its specific rules and regulations.
- Acts and practices relating to the operation of a residential tenancy database, so some aspects of real estate must be considered.
- Activities related to the conduct of a protected action ballot, which may directly impact employees of some organisations in addition to the clients and business partners of the organisation.
The Privacy Act also covers specified persons responsible for handling the following personal information:
- Consumer credit reporting information, including credit reporting bodies, credit providers (which includes energy and water utilities and telecommunication providers) and specific third parties. We may believe that the growth of energy resellers belongs in this group. Who among us hasn’t been confronted by them outside of their local shops or received unsolicited calls from someone looking to save you money on your power bill?
- Tax file numbers under the Tax File Number Guidelines, so perhaps even your local accounting firm is likely covered.
- Personal information contained on the Personal Property Securities Register
- Old conviction information under the Commonwealth Spent Convictions Scheme
- “My Health Record” information under the My Health Records Act 2012 and Individual Healthcare Identifiers under the Healthcare Identifiers Act 2010
Who doesn’t have responsibilities under the Privacy Act?
While the previous section may seem to cover just about everyone who may have personally identifiable information, we usually then ask, “Who is exempt from the Privacy Act?”
Currently, the Privacy Act does not cover:
- State or territory government agencies, including state and territory public hospitals and health care facilities (which are covered under state and territory legislation) except:·
- Certain acts and practices related to “My Health Records” and Individual Healthcare Identifiers
- Entities prescribed by the Privacy Regulation 2013
- Individuals acting in their own capacity (friends, family, and neighbours). It’s kind of scary when you think about the sheer number of people out there with personal information about you that are not bound by any law other than common decency and mutual respect!
- Universities, other than private universities and the Australian National University
- Public schools
- In some circumstances, the handling of employee records by an organisation in relation to current and former employment relationships. I’ve often wondered where recruitment agencies and labour-hire organisations fit, either here or elsewhere.
- Small business operators, unless an exception applies.
- Media organisations through the conduct of journalism if the organisation is publicly committed to observing published privacy standards. Again, another potentially concerning area.
- Registered political parties and political representatives. I’m sure many of you are equally uneasy about this exemption just as I am!
It’s easy to disagree with some of these exemptions because clearly, they either have or may have personally identifiable information that, if breached, may lead to harm of that individual. Whether the act applies or not should be secondary to safeguarding the information of individuals and every reasonable attempt must be made to protect that data.
We are by no means legal experts, so consulting your legal counsel is strongly advised; all we can do is make you start thinking about your rights and obligations. We urge individuals within all organisations to ask themselves two simple questions:
- “Do we/I have any personal information about individuals that is not freely available to the public?”
- “If this information were to become publicly available, will it cause serious harm to those individuals in any way?”
If the answer is yes to either or both questions, or if you hesitate before answering, you should undertake an immediate assessment to determine a firm answer. As individuals, we must be aware of our rights and, as business stakeholders, we must be aware of our obligations under The Privacy Act.
How does the introduction of the Notifiable Data Breaches Amendment change things?
With an understanding of The Privacy Act, we must then consider how the NDB Amendment changes things for us, both as individuals and as businesses. Basically, The NDB scheme applies to “ all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.”
The most significant change is the obligation to report an eligible breach to both the individuals whose personal information is at stake (with a likely result being serious harm) and the Office of the Australian Information Commissioner (OAIC). The notification must include recommendations individuals should take in response. Think of it like, “Yes, it’s broken, but here’s how to fix it.”
Previously, we lacked the obligation to report such breaches and when one occurred, we often found out too late and after the harm had already been done. Admittedly, harm may still come from a breach and we shouldn’t treat this scheme as a silver bullet, but it gives us a “heads-up” and may permit us to mitigate or even prevent harm we’re otherwise unaware of.
How do we determine what is considered “serious harm?”
‘Serious harm’ is not explicitly defined in the Privacy Act. In the context of a breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm. Responsible entities should assess the risk of serious harm holistically and consider the likelihood of the harm eventuating for individuals whose personal information was part of the breach and the likely consequences. We would recommend reviewing the OAIC website where the NDB Scheme includes a non-exhaustive list of ‘relevant matters’ that may assist entities in their assessment.
What kinds of information may cause “serious harm?”
The type of information about an individual that may cause harm is quite broad, but commonly may include:
- Information considered “sensitive”, such as information about an individual’s health
- Documents commonly used for identity fraud such as Medicare cards, driver licenses, and passport details. These must be safeguarded with all reasonable measures.
- Personal financial information such as income, liabilities, assets, and so on
- An aggregation of several types of personal information (i.e. more than one of the above) that allows more to be known about the individuals, thus increasing the risk to that person. Sadly, with the state of social media these days, many unwittingly share far too much personal information that can be aggregated to just as much of a harmful effect.
What kind of “serious harm” may arise as a result?
Just like the types of information about a person are broad, so too are the types of harm that may occur as a result. When making this assessment, entities doing so must consider this broad range as the likelihood of each occurring. We must consider some of the following scenarios:
- Identity theft
- Significant financial loss
- Threats to physical safety of the individual, family, friends, or associates
- Loss of business or employment opportunities
- Humiliation and reputational damage, including personal and professional relationships
- School, workplace, or social bullying and marginalisation.
The likelihood of a harm occurring, as well as anticipated consequences for individuals whose personal information is involved in the data breach if the harm occurs must be considered.
Who makes this determination and how do they go about it?
The Privacy Act does not specify how an assessment should occur but the OAIC suggests using a three-step approach:
- Initiate — decide if an assessment is required and which person or group will be complete it. We would recommend involvement of business owners and system stakeholders with the inclusion of the IT teams in making this decision. With the outcome possibly impacting the entire business, it cannot be left entirely to one individual or group.
- Investigate — Urgently gather relevant information about the suspected breach including details such as what personal information is affected, who may have accessed to the information and likely impacts.
- Evaluate — decide, based on the investigation, about whether the identified breach is eligible for notification.
We would recommend that those charged with initiating, investigating, and evaluating, then deciding if a breach has occurred adopt an objective approach to consider the individuals impacted as well as the business. Where possible, emotion and knee-jerk reactions should be avoided.
Who gets notified?
Once an entity has reasonable grounds to believe there has been an eligible breach, the entity must, as soon as possible (and within 30 days) decide which individuals to notify, prepare a statement for the OAIC, and notify individuals. The NDB Scheme is flexible and three options are provided for notifying individuals at risk of serious harm, depending on what is practical.
I often wonder if that 30 days will ever change because the European Union (EU) General Data Protection Regulation (GDPR) only allows 72 hours for notice to be provided and this has a global reach.
What is “practical” involves considering the time, effort, and cost of notifying individuals at risk of serious harm. Factors must also consider capabilities and capacity of the entity to deliver the notice. These options can include:
Option 1: Notify all individuals. If practical, an entity can notify each of the individuals to whom the relevant information relates. That is, all individuals whose personal information was part of the eligible data breach. This option may be appropriate, and the simplest method, if an entity cannot reasonably assess which individuals are at risk of serious harm from the breach instead has the view that serious harm is likely for one or more of them.
The benefits of this approach include ensuring that all individuals who may be at risk of serious harm are notified and allows them to consider whether they need to take any action in response to the eligible data breach. This may also cause stress for individuals who may not be at risk of serious harm but at least gives them awareness of potential risk, even if the entity making the assessment thinks otherwise.
Option 2: Notify only those at risk of serious harm. If practical, an entity can notify only those individuals who are at risk of serious harm from the breach. If an entity identifies that only an individual, or group involved in a breach, is at risk of serious harm and can specifically identify those individuals, only those individuals need to be notified. The benefits of this targeted approach include avoiding unnecessarily distressing individuals not at risk, limiting public notification fatigue, and reducing administrative costs where not required.
Option 3: Publicly publishing the notification. If neither of the two previous options are practical, such as if the entity does not have up-to-date contact details for individuals, then they must publish a copy of the statement on its website if it has one and take reasonable steps to publicise the contents of the statement.
It is not enough to simply upload a copy of the statement prepared for the OAIC on any webpage of the entity’s website; entities must also take proactive steps to publicise the details of the breach such as through the media. This is done to increase the likelihood the breach will come to the attention of individuals at risk. While the Privacy Act does not specify the amount of time that an entity must keep the statement accessible on their website, the OAIC would generally expect that it is available for at least 6 months.
How do we provide the notification and what must be included?
Options 1 and 2 above require that entities take “reasonable steps to notify individuals about the contents of the statement prepared for the OAIC. The entity can use any method to notify individuals such as a telephone call, SMS, physical mail, social media post, or in-person conversation if the method is reasonable.
To consider whether a method or using more than one method is reasonable, the notifying entity should consider the likelihood that the people being notified will become aware of and understand the notification. This is considered against the resources involved in provide the notification. An entity can notify an individual using their usual methods of communicating with them. For example, if an entity usually communicates through email, they may also choose to notify this way.
The entity can tailor the form of its notification to individuals if it includes the content of the statement required. That statement and notification to individuals must include the following information:
- The identity and contact details of the entity
- A description of the breach that the entity reasonably believes has occurred
- The type of information concerned
- Recommendations about the steps that individuals should take in response
Decisions about the appropriate recommendations will depend on the circumstances of the breach. This may include choosing to tailor recommended steps around an individual’s personal situation or providing general recommendations that apply to all individuals. In some circumstances, the entity may have already mitigated the threat, reducing the necessity for action by affected individuals. The entity may choose to explain this activity in the notice to individuals as a part of their recommendations.
For Option 3, which can only be used if the other options are not practicable, the entity to must publish a copy of the statement prepared for the OAIC on its website and take reasonable steps to publicise the contents of that statement.
An entity should consider reasonable steps in publicising the statement; the purpose of publicising the statement is to draw it to the attention of individuals at risk of serious harm. The entity should consider what mechanisms would be most likely to bring the statement to the attention of those people. Reasonable steps when publicising an online notice might include:
- Ensuring that the notice is prominently placed on the relevant webpage, easily located by individuals, and indexed by search engines
- Publishing an announcement on the entity’s social media channels
- Taking out print or online advertisements in publications or websites the entity considers likely to reach the individuals at risk
In some cases, it might be reasonable to take multiple steps to publicise the contents of the statement. Consider that if a breach involves particularly serious forms of harm, or affects many individuals, an entity could take out multiple print or online advertisements (both free or paid), publish posts on multiple social media channels, or use both traditional media and online channels.
Entities should keep in mind the ability and likelihood of individuals at risk of serious harm to access the statement when determining the appropriateness of relying solely on this method. Entities must take care to ensure that the online notice does not contain any personal information. While helpful to provide a general description of the cohort of affected individuals, it should not identify any of the affected individuals or provide information that may make an individual identifiable. There is no point making an already stressful situation any more so!
Wait a minute! What about jointly-held information?
The PageUp breach form a few years ago highlighted an important facet of modern business; the organisation that you have entrusted your data to may not be the only location in which it is stored. Many organisations use outsourced service agreements with hosted infrastructure and cloud services being two perfect examples. In this instance, PageUp was that jointly held location. Long story short, a breach that impacts one impacts the other by extension.
It gets confusing, I know, but let’s say I have given my information to XYZ Company. Let’s say that like most people, I haven’t read the Terms of Service (ToS) because they’re verbose, ambiguous, and written in a very complex language I’d need a Harvard Law Degree to understand. As an aside, the GDPR aimed to change that, but I digress.
XYZ Company uses a company such as PageUp, which many organisations did, to hold the information. The breach happens to PageUp and the information is lost, stolen, or otherwise compromised and after performing an assessment, it’s determined that this breach may cause me serious harm. The company that has been breached does the right thing and notifies impacted individuals using one of the three methods as well as the OAIC within 30 days. All good? Not quite.
Let’s say that XYZ Company does not notify me, but the breached organisation does. I’ve not read my ToS and I have no idea who this group is, so I think it’s a scam and ignore it. Next minute, XZY Company notifies me and I am sceptical, but suspicious.
So, when a breach happens, which organisation is on the hook?
Technically, both because the information is jointly held. The NDB Scheme leaves it up to the entities to sort this out to some degree but agrees they are jointly responsible. Interestingly, only one of them really must do the assessment to determine if it’s an eligible breach and only one of them really must provide notification. The OAIC suggests that the organisation with the most direct relationship, i.e. XYZ Company in my case, is best positioned to notify the individuals impacted by the breach.
My problem with all of this is going to be the inevitable blame-storming and finger-pointing between the two organisations while we’re caught in the crossfire. I may not care so much as which one is responsible if one takes responsibility and does the right thing. It’s my data, after all!
For more on this topic, The OAIC has a great information page .
I think organisations that jointly hold information should get their ducks in a row, if they haven’t already, to make sure who is responsible for the assessment and notification. Equally, if our data is jointly held by more than one organisation, it should be spelled out to us clearly up front to state that fact. This should apply to both the NDB Scheme and the GDPR.
Communication is going to be the most critical element when it comes to this situation.
When do we notify the OAIC, what do we provide, and how?
Entities must prepare and give a copy of the statement to the Commissioner as soon as practical after becoming aware of the breach. The timeframe will vary depending on the entity’s situation includes considerations of the time, effort, or cost needed in preparing a statement. The OAIC expects this will occur quickly unless circumstances exist that hinder the entity’s ability to do so.
It may be appropriate for an entity to advise individuals about the contents of the statement in advance of or in parallel to providing the statement to the Commissioner rather than waiting. While a statement provided to the OAIC and individuals must include certain information, additional relevant details that become available after submitting this statement may should also be provided to the OAIC. The OAIC will instruct the entities on how to provide supplementary information upon receipt of the statement.
The OAIC has an online form for entities to lodge breach statements and if unable to use the online form, contact the OAIC enquiries line to make alternative arrangements.
Are there any circumstances where we don’t have to provide notice?
Yes. At any time, such as while the assessment is being performed, an entity can (and should) take remedial action to reduce potential harm to individuals that has arisen from a suspected or eligible data breach. If the actions are successful in preventing serious harm to impacted individuals, notification is not required. For breaches where information is lost, the remedial action is adequate if it prevents unauthorised access to, or disclosure of personal information
What are the consequences of failing to provide notice?
First, the individuals whose information has been breached may unfairly realise serious harm as a direct result of the breach that an entity has failed to address. This result, in and of itself, it unacceptable and is one of the drivers for the introduction of this legislation. Admittedly, it is difficult to prevent all harm from befalling an individual in the wake of a breach but arming them with information they need to protect themselves, take preventative measures, and mitigate the risks is good practice and common sense. We need to look out for each other at a personal level.
For entities that fail to provide notice when they are aware or ought to be reasonably aware a breach has occurred, the penalties are significant. These penalties are discretionary and not simply automatic, so conviction that invokes these penalties constitutes that a serious, egregious offence is occurred (or even reoccurred) that could not be remedied satisfactorily. These penalties include:
- Up to $1.8 million for organisations
- Up to $360,000 for individuals
These penalties still pale in comparison to those of the GDPR. Consider the possibility of running afoul of BOTH the NDB Scheme and the GDPR. Perish the thought! Failure to comply may result in impacted individuals filing a formal complaint with the OAIC, or the OAIC investigating without any complaints having been made. The outcome of an investigation may result in the organisation having to perform one or more of the following actions:
- Pay compensation for losses or damages to the impacted individuals
- Undertake actions to redress any loss or damage suffered
- Take specific steps that will ensure that their conduct is not repeated or continued.
It is in the best interest of all concerned that organisations take reasonable steps to safeguard the personally identifiably information they possess and understand their obligations under this amendment. If there is any amount of uncertainty regarding compliance under the Privacy Act or the NDB Scheme, entities are urged to seek assistance from organisations that specialise in information assurance. Starting with your legal counsel is often a good way to get things moving.
Are there any other implications?
Yes. Entities that operate in other jurisdictions may have notification obligations under other breach notification schemes, such as the European Union General Data Protection Regulation (GDPR). Entities are urged to ensure that they are aware of not only their obligations under the Privacy Act and the NDB Scheme, but also obligations governed by foreign interests. With the GDPR in effect since May 25, 2018, you can expect others to follow suit. Please do your company and yourself a favour and stay informed! Obligations are not bound strictly to Australian sovereign territory.
Stay safe out there. Stay secure. Stay Aware. We’re all on the same side!
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock.
Originally published at https://www.linkedin.com.