Major privacy law reform in Australia gathered pace this week, with newly tabled legislation proposing to significantly increase penalties for privacy breaches, among other reforms.
Now is the time to start asking questions
In preparation for these reforms, companies that collect and process personal information should be asking the following questions:
- Do we know what data assets we have, and the purpose for which the information is collected and processed (a Data Asset Inventory)? If not, you cannot govern it.
- Do we have an effective information classification process? Effective (and ideally automated) information classification is the bedrock to ensuring the application of appropriate information security controls to the relevant systems and processes.
- Do we have effective information retention and disposal processes that are being used in practice (vs paper compliance)? Many data breaches are exacerbated by poor retention and disposal practices, despite most organisations having a retention policy. Is yours effective?
- Have we reviewed our data breach policies, processes and systems, including the process by which potentially notifiable data breaches are assessed? Do we have a breach register that includes events that were not escalated to incident status and deemed not notifiable?
- Do our Data Protection Impact Assessment (DPIA) or risk assessment processes ensure that high-risk data processing activities are identified and reviewed appropriately? If not, review any existing high-risk processing and the associated DPIAs: what may have appeared reasonable from a risk perspective may no longer be so.
Asking these five key questions will assist organisations to identify and manage privacy and data protection risks, in light of the proposed reforms, which include increased penalties and additional powers for the Information Commissioner. There are, of course, many other operational privacy and data protection activities that can be used by organisations to manage their privacy and cybersecurity risk.
The reforms at a glance
Corporate bodies that commit serious or repeated interferences with the privacy of an individual now face penalties that are the greater of:
- 3 times the value of any benefit obtained as a result of the contravention;
- if the court cannot determine the value of that benefit—30% of the adjusted turnover of the body corporate during the “breach turnover period” for the contravention.[1]
The ‘breach turnover period’ will be at least the 12 months prior to the breach ceasing or proceedings in relation to the breach starting, and up to as long as the contravention was occurring.[2] In addition, it would appear that activities that contravene the Privacy Act today, and continue after the change in penalty regime, will be assessed against two penalty regimes when it comes to calculating penalties.
In light of the new penalty regime, assessing an entity’s high-risk data processing will be a critical activity.
The Bill introduces new powers to obtain information or documents, where the Commissioner has reason to believe that a person or entity has information or documents relevant to an actual or suspected eligible data breach, or relating to an entity’s compliance with the requirements of the Notifiable Data Breach Scheme (NDB Scheme).[3] As currently drafted, the scope of the power is broad and its availability is not aligned to the timelines provided as part of the NDB Scheme. This could result in the Commissioner exercising the new powers while an entity is still managing a suspected or actual data breach in real time. Notably, these powers will permit the Commissioner to obtain information or documents about actual or suspected data breaches that occurred, or may have occurred, before the date of enactment of the powers.
This will have a direct effect on how entities manage investigations into actual or suspected breaches and the timing of notifications to the Office of the Australian Information Commissioner (OAIC), as well as managing public relations and communications to customers. Organisations will have to weigh the risks of not reporting in the early stages of a breach, against the risk that the story will break and the Commissioner will exercise these powers due to a perceived lack of transparency.
C. Assessment of Notifiable Data Breach Systems
A seemingly innocuous addition to the Commissioner’s assessment powers in section 33C is the ability for the Commissioner to assess an entity’s ability to comply with the NDB Scheme, including its processes and procedures to assess and notify eligible data breaches.[4] These powers are retrospective in the sense that they will apply to assessments started but not concluded before commencement (as well as to assessments that start after commencement). It is likely that the Commissioner will use these powers to undertake a backward-looking review of an entity’s assessment, triage and escalation policies and processes for data breaches, and the documented reasons why notification was not made in respect of a breach. In the future, the existence of these powers will likely tip the decision whether to notify borderline incidents in favour of notifying.
D. Information Sharing and Public Interest Disclosure
The Bill provides the Commissioner with the power to share information, obtained in the course of exercising powers or performing duties under the Privacy Act, with other regulatory bodies, including enforcement bodies and foreign government authorities whose functions include the protection of the privacy of individuals.[5] Also retrospective in nature (as the power applies to information obtained by the Commissioner both before and after commencement), these powers are subject to the requirement that there are satisfactory information protections in place in the receiving body. The combination of the Commissioner’s broad investigation and information gathering powers with the right to disclose information to other regulatory agencies, both in Australia and overseas, will significantly increase the Commissioner’s role in managing international data breaches, as well as breaches subject to the jurisdictions of multiple regulatory agencies in Australia.
Further, the Bill will grant the Commissioner powers to disclose this information if the Commissioner is satisfied that it is in the public interest to do so, irrespective of whether the information was obtained by the Commissioner before the commencement of the amendments.[6] The use of this power, especially where an organisation is still responding to a live incident, could have grave unintended consequences and will require careful and judicious use by the Commissioner. In particular, the list of mandatory matters the Commissioner must consider in determining whether disclosure is in the public interest does not expressly include whether such disclosure would prejudice or impede an investigation and response being undertaken by an entity suffering a breach.
E. Power to cause a public statement
Where the Commissioner determines an interference with privacy has occurred, the Commissioner may require the relevant organisation to prepare and publish a statement describing the relevant conduct and the steps taken to ensure the conduct does not occur again.[7] Such public statements are increasingly seen as a powerful weapon in the enforcement toolkit, by creating the risk of longer-term reputational harm for entities that infringe individuals’ privacy.
This is the first step in the reform of Australia’s privacy laws, and the increased penalties and new Commissioner powers are significant. While some amendments are likely as the Bill progresses through Parliament, many of the proposed provisions are likely to be retained. All APP entities should immediately consider their data-based business operations and data protection program status in light of these proposals and assess what uplift or changes are required. You can start by asking questions about your privacy and data protection activities now.