30 May 2013

Aust Data Breach Reporting

Hot on the heels of the Victorian Parliamentary Committee recommendation for a statutory tort regarding invasions of privacy, the Australian Attorney-General has announced that new Commonwealth laws "will require businesses and government agencies to notify people when a data breach affecting their privacy occurs".

The Bill - the subject of an inept consultation exercise noted here - reflects recommendations over several years (just like the recommendation by the Victorian Law Reform Commission, NSW Law Reform Commission and Australian Law Reform Commission (eg here) regarding a privacy tort ... disregarded by the current national Government) and a discussion paper late last year [PDF].

The Attorney-General indicates that
With businesses and government agencies holding more information about Australians than ever before, it is essential that privacy is safeguarded. The new laws will alert consumers to breaches of their privacy, so that they can change passwords, improve security settings and make other changes as they see fit. ... Some data breaches have exposed the personal information of tens of thousands of Australians. The laws are good for consumers because they protect privacy, and are good for business because they will help create openness and trust.
Indeed, which is one reason why the Government's disregard is regrettable.

The Bill is a weak response to a substantive problem. The A-G's media release indicates that
The new laws will also require notification of data breaches to the Office of the Australian Information Commissioner. “To make sure that the new laws have teeth, the Information Commissioner will be able to direct agencies and business to notify individuals of data breaches,” Mr Dreyfus said.
The Attorney-General indicates that
The Government is serious about privacy and these new laws demonstrate our continuing commitment.
A weak and belated commitment, strongly expressed?

Neither the Attorney-General's media release nor that from the Office of the Australian Information Commissioner specifies the Bill. The Bill is the Privacy Amendment (Privacy Alerts) Bill 2013 (Cth), described in the Explanatory Memorandum as
This Bill amends the Privacy Act 1988 (the Privacy Act) to introduce mandatory data breach notification provisions for agencies and organisations that are regulated by the Privacy Act (entities). The Bill will commence immediately after the amendments to the Privacy Act contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 commence on 12 March 2014. ...
This Bill implements the ALRC’s recommendation by requiring agencies and organisations regulated by the Privacy Act to provide notice to the Australian Information Commissioner (the Commissioner) and affected individuals of a serious data breach. The Bill contains general rules for the majority of entities regulated by the Privacy Act as well as analogous rules for credit reporting bodies and credit providers that are subject to specific regulation under Part IIIA, which deals with consumer credit reporting. The provisions in the Bill also apply to recipients of tax file number information. Each type of entity is subject to common requirements under the Privacy Act to protect the types of personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
A data breach arises where there has been unauthorised access to, or disclosure of, personal information, or where personal information is lost in circumstances that could give rise to unauthorised loss or disclosure. A data breach is a serious data breach where there is a real risk of serious harm to the individual to whom the information relates as a result of the breach. This is the standard recommended by the ALRC and also incorporated in the current voluntary data breach guidelines issued by the Office of the Australian Information Commissioner. In addition, the Bill provides for regulations to specify particular situations that may also be serious data breaches even if they do not necessarily reach the threshold of a real risk of serious harm. For example, this could include the release of particularly sensitive information such as health records which may not cause serious harm in every circumstance but should be subject to the highest level of privacy protection.
Serious harm, in this context, includes physical and psychological harm, as well as injury to feelings, humiliation, harm to reputation and financial or economic harm. The risk of harm must be real, that is, not remote, for it to give rise to a serious data breach. It is not intended that every data breach be subject to a notification requirement. It would not be appropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of notification fatigue on the part of individuals, and the lack of utility where notification does not facilitate mitigation.
In the event of a serious data breach, the regulated entity is required to provide notification to the Commissioner and affected individuals as soon as practicable after the entity believes on reasonable grounds that there has been a serious data breach.