New laws make reporting of data breaches mandatory


Boardroom Report

Directors are advised to ensure their organisations start implementing robust systems ahead of proposed legislation that will require companies to notify the Privacy Commissioner of "serious" data breaches and which will give the Commissioner enhanced powers.

This follows the introduction into Parliament at the end of May of the Privacy Amendment (Privacy Alerts) Bill 2013, which aims to amend the Commonwealth Privacy Act 1988. If passed, the Bill will come into effect in March 2014, together with the extensive Privacy Act reforms passed in November last year.

At present, while there are obligations in the Commonwealth Privacy Act to keep personal information secure, notification of a breach is voluntary and companies are encouraged to follow the Office of the Australian Information Commissioner's (OAIC's) guide.

However, Minter Ellison special counsel Veronica Scott says the proposed changes will require the Privacy Commissioner and "significantly affected individuals" to be notified about serious data breaches when:

  • Personal, credit and/or tax file information "held" by an entity has been subject to unauthorised access or disclosure, including when the loss of such information could compromise its security, in breach of the data security obligations in the Commonwealth Privacy Act (which will from March 2013 be new Australian Privacy Principle 11.1); and
  • The entity believes on reasonable grounds that the breach is "serious" because it will result in a "real risk of serious harm" to the individual. A "real risk" is defined as a risk that is not a remote risk and "harm" includes psychological, physical, reputational, economic or financial harm. Consider the OAIC guide as it applies a similar standard for assessing risk.

Scott says a notification statement must be prepared as soon as practicable after the entity decides there has been a serious data breach. A copy of the statement must be provided to the Privacy Commissioner and reasonable steps must be taken to notify each significantly affected individual. This will include using the communication channels the entity has previously used to contact them.

The Privacy Commissioner can, however, exempt an entity from notifying the significantly affected individuals of a serious data breach if he or she considers that the public interest in not notifying them outweighs the need to inform – for example, if notification would impede a law enforcement investigation or is concerned with matters of national security.

Failure to comply with the proposed changes may result in investigations and determinations that may require the entity to apologise, pay compensation or take (or refrain from taking) certain action. In the meantime, Scott says directors should note that the reputational damage arising from a serious data breach can be significant.

"High-profile data breaches by both the private and government sectors are a hot topic in the media and no doubt have contributed to the impetus to the proposed mandatory notification laws."

She adds: "In the lead up to March 2014, organisations and agencies (whether subject to the Privacy Act or not) exposed to a data breach should consult the OAIC guide and consider notifying the Privacy Commissioner in order to manage the breach and mitigate any reputational damage it may cause, and review their privacy practices and procedures to minimise the risk of data breaches."

Scott's advice to directors is: "Good privacy is good business. The best way to avoid having to report a data breach is to prevent them from happening in the first place. As March 2014 approaches and the new reforms kick in, directors should be asking their organisations how they are preparing to comply with the new regime."

She warns that the new civil penalty regime that will also take effect from March 2014 means that organisations and individuals could face significant financial penalties for repeated serious data breaches. "Staff training is essential, as the reports are that most data breaches are caused by simple human error."

Scott says privacy and data security should be key items on the agenda of risk committees, in particular the policies and procedures for responding to data breaches, taking into account the requirements in the proposed legislation and the nature of the personal information the organisation handles.

"The disclosure of credit information and more sensitive personal information is more likely to have a significant effect on affected individuals. And all new systems being developed, which involve the use or processing of personal information, should include privacy by design and privacy should be built in to the business case for new projects." "The arrangements for overseas disclosure of personal information should be reviewed because of the ongoing responsibility for data breaches by the overseas recipient organisations," she adds.

"Transparency and clarity in how organisations manage data privacy issues is key to good customer service and building a good relationship so that in the event of a crisis there is goodwill and cooperation with key stakeholders."


Email Banner