After a long delay, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (Bill) was finally introduced into the Senate on 19 October 2016. The Bill and accompanying explanatory memorandum are available here.
There have been some substantial changes made to the Bill since an exposure draft was published by the Attorney-General’s Department last year. As discussed in our previous update, there were a number of submissions made in response to the release of the exposure draft. It appears that a number of the issues raised in these submissions have been taken into account by the Attorney-General’s Department in the course of finalising the Bill.
Some of the key changes include:
- a change in terminology, with data breaches that are covered by the Bill now being referred to as “eligible data breaches” rather than “serious data breaches”;
- a change to the notification requirement threshold, with eligible data breaches only covering situations where there is a “likely risk of serious harm” (rather than the previous “real risk of serious harm” wording in the exposure draft);
- the removal of a requirement to notify data breaches that an entity ought reasonably to have been aware of;
- the addition of a new exception to cover situations where remedial action is taken by the entity that suffers an eligible data breach, with the effect that data breaches will no longer be considered to be an eligible data breach (and therefore notification will not be required) if the remedial action would be considered by a reasonable person to mean that there is no longer a likely risk of serious harm;
- amendments to the factors that are stated in the Bill to be relevant to determining whether there is a likely risk of serious harm, including to recognise the use of security technologies in relation to that information; and
- clarification of when a notification must be given to affected individuals (as opposed to publishing it on the entity’s website).
While some of the more objectionable elements of the exposure draft have been removed or pared back, overall the substance of the Bill remains broadly similar. Organisations and Commonwealth government agencies will have an obligation to notify the Privacy Commissioner and affected or at risk individuals if an eligible data breach occurs. A failure to notify the Privacy Commissioner and affected individuals (including when the entity is directed to do so by the Privacy Commissioner) will be deemed to be an interference in the privacy of the individual(s).
In addition to receiving and determining complaints regarding interferences with privacy, the Privacy Commissioner has the power to seek civil penalty orders for serious interferences with the privacy of individuals or repeated interferences in the privacy of individuals. The maximum amount of the civil penalty that can be awarded by a Federal court is AU$360,000 for individuals or AU$1,800,000 for bodies corporate.
What does this mean for me?
The provisions of the Bill will commence 12 months after the Bill receives royal assent (unless an earlier date for commencement is fixed by proclamation). As the introduction of a mandatory data breach notification scheme has previously had the support of both Labor and the Greens, it is quite possible that the Bill could pass relatively quickly through the Parliament. This would be consistent with the government’s previous commitment to introduce and pass the Bill by the end of this year. This could mean that organisations and Commonwealth government agencies, which are subject to the Privacy Act 1988 (Cth), would be required to commence notifying any eligible data breaches by the end of 2017.
While this may seem some considerable time away, organisations and agencies need to start preparing now. If passed in its current form, the Bill will require organisations and agencies to be prepared to respond to a data breach, including to assess whether an eligible data breach has occurred and to promptly comply with its notification obligations.
It is critical to have a data breach response plan setting out what to do if a data breach occurs. Also, many breaches arise from weaknesses in external service providers’ IT systems, rather than your own systems. It is therefore important to have a vendor cyber-risk management framework in place. Norton Rose Fulbright has developed two fixed price cyber-risk management packages to address these issues. Please contact us for further details.
In addition, Norton Rose Fulbright offers a global 24/7 incident response service for cyber-incidents (including data breach and network interruption). As ‘breach coach’, we work with you to provide a streamlined response by assessing the size and nature of the incident, taking steps to contain it, and co-ordinating our panel of carefully selected third party vendors of remedial and protective services, all the while managing stakeholders’ interests and advising on mitigation of potential loss. Our early involvement and with it establishment of the protection afforded by legal professional privilege protect your interests to the maximum extent possible.