Does 22nd February 2017 ring a bell? We certainly didn’t until we thought very hard about it! For Australian businesses, this might be important because 23rd February 2018 is the date that the changes to current Australian privacy laws made in the Privacy Amendment (Notifiable Data Breaches) Act 2017 (‘Act’) will be rolled out and implemented – just one year after the bill was passed.
We know, more argh and ugh…. new legal obligations and responsibilities to learn under Australian privacy laws. Well…. only if you want to prevent any future potential headaches down the line with the Office of the Australian Information Commissioner (OAIC).
But first, our spin on the new Act for 2018!
Is there a cyber-storm coming to digital businesses?
Living in a digital age means new ways of storing information. With this comes new challenges for Australian businesses. Some of them include:
- If information is stored online, how can businesses ensure that information is protected?
- Do Australian businesses have sufficient cyber security to protect that information?
These questions raise concern whether Australian businesses have adequate cyber security infrastructure to protect personal and sensitive information. Cyber security reports suggest the contrary. They raise the possibility that Australian businesses are not ready for the emerging cyber challenges and threats that lie ahead.[1] Now, doesn’t that sound scary for the future? Imagine a spyware on a computer that tracks all our clients’ personal information like credit card details, and then bam, one night, everything is gone and taken away!
In Telstra’s 2016 Cyber Security Report, the report identified that more than 68% of businesses were collecting or managing personal information. [2] While 36% of Australian organisations were reported as being unprepared for a security incident, the latest 2017 report identified that 59% of Australian organisations experienced at least one security incident (like phishing email attacks, for example) at least on a monthly-basis.[3] Moreover, many businesses are transitioning to cloud services, but more than 50% of Australian organisations reported identifying data theft in cloud services as a risk, while many reported of not being ready for that risk.[4]
Is there cyber storm brewing in the midst? How about you decide on the facts with your mates over some beer at the pub.
What are the current privacy obligations?
Relevant to the incoming changes made under the Act, the applicable Australian Privacy Principle 11.1 states:
“11.1 Australian Privacy Principle 11 – security of personal information
If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.”[5]
In other words, if there has been a data breach of an APP entity, then that APP entity might be in breach of APP 11.1. However, under current privacy laws, notification of a breach is only voluntary.
The new changes from 23rd February 2018 will require mandatory notification and is an additional compliance obligation on top of the existing Australian Privacy Principles.[6] Just like icing on a cake.
So, what is an APP entity exactly?
An APP entity is quite a complicated term, but in a nutshell, is generally understood by OAIC to include businesses and non-government organisations with more than $3 million annual turnover.[7] Remember, this is just the very bare bones of an APP entity, and assistance should always be sought to determine whether your organisation is an APP entity.[8]
Why is knowing privacy obligations important?
Making sure to understand your privacy obligations is important for your business because if a breach occurs then OAIC may investigate. Any investigation will be a costly and time-consuming exercise. Depending on the breach, penalties may be imposed to a maximum of $420,000 for individuals and $2,100,000 for bodies corporate for serious or repeated non-compliance. [9]
Reviewing current privacy practices to determine whether they are compatible with the new incoming privacy laws is suggested. This will help prevent annoyed regulatory bodies knocking on doorsteps and holding pitchforks (in a metaphorical sense, of course).
When is a breach, a breach?
Under current privacy law, data breaches are commonly understood as “when personal information held by an agency or organisation is lost or subjected to unauthorised access, modification, disclosure or other misuse or interference.” [10]
Illustrations of data breaches, as published by the OAIC in Data Breach Notification Guide: A guide to handling personal information security breaches (August 2014):
“Some examples include:
- lost or stolen laptops, removable storage devices, or paper records containing personal information
- hard disk drives and other digital storage media (integrated in other devices, for example, multifunction printers, or otherwise) being disposed of or returned to equipment lessors without the contents first being erased
- databases containing personal information and are ‘hacked’ into or otherwise illegally accessed by individuals outside of the agency or organisation
- employees accessing or disclosing personal information outside the requirements or authorisation of their employment
- paper records stolen from insecure recycling or garbage bins
- an agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address, and
- an individual deceiving an agency or organisation into improperly releasing the personal information of another person.” [11]
Is there a changing meaning of breach from 23rd February 2018?
From 23rd February 2018, voluntary notification will be shifted to mandatory notification. Only eligible data breaches will obligate APP entities to notify the OAIC and the individual whose privacy has been breached or is likely to be breached. [12]
Why is “serious harm” important? Serious or not serious
Serious harm seems ambiguous, but it is broadly interpreted. Serious harm includes serious physical, psychological, emotional, economic and financial harm, reputational harm and any other serious harm that a reasonable person would identify as a possible outcome of a data breach.[13]
APP entities are only obliged to notify when the harm is serious…. phew, a sigh of relief on those compliance obligations. Imagine having to notify individuals and OAIC even when no harm was caused.
What exactly is “likely to result”? Probabilities and possibilities
There was debate whether the Act should adopt the test of “real risk of serious harm” or “likely to result in serious harm.” [14] However, “likely to result in serious harm” won out.
When revising current privacy policies and standard operating procedures, we suggest incorporating the thinking that “likely to result” as being equivalent to “more probable than not.” [15] If unsure what “more probable than not” means, ask.
Is this a sigh of relief for Australian Businesses? A momentary relief
If there is an unauthorised access to an individual’s privacy and because of that unauthorised access, an individual becomes distressed or upset, this is not sufficient to require an APP entity to notify that individual under the new legislation. [16]
A breath of fresh air that not all unauthorised accesses are required to be notified to individuals and OAIC. However, always make sure to doublecheck whether an unauthorised access is required to be notified.
Our thoughts
It appears clear that the new amendments to the current Australian privacy law seeks to rebalance the competing objectives between protecting the privacy of individuals and protecting the interests of APP entities and their legitimate functions or activities. [17] However, APP entities should ensure to fully understand the impact of the new amendments and how privacy policies and standard practices should be amended to comply with those new amendments.
If you have any concerns or queries with the incoming new amendments to Australian privacy law, then AMK Law may be able to help in answering those issues.
Important disclaimer: The material contained in this publication is of a general nature only and it is not, nor is intended to be, legal advice. This publication is based on the law as it was prior to the date of you reading of it. If you wish to take any action based on the content of this publication, we recommend that you seek professional legal advice.
[1] Ponemon Institute LLC, Exposing the Cybersecurity Cracks: A Global Perspective Part I: Deficient, Disconnected & in the Dark (April 2014) Websense, 2 <https://opt/bitnami/apps/wordpress/htdocs.websense.com/assets/reports/report-ponemon-2014-exposing-cybersecurity-cracks-en.pdf> ; Telstra, Telstra Cyber Security Report 2016 (23rd February 2016) Telstra, 13 <https://exchange.telstra.com.au/telstra-cyber-security-report-2016/>; Telstra, Telstra Cyber Security Report 2014 (2014) Telstra, 19 <https://opt/bitnami/apps/wordpress/htdocs.telstra.com.au/business-enterprise/download/document/telstra-cyber-security-report-2014.pdf>.
[2] Telstra, Telstra Cyber Security Report 2016 (23rd February 2016) Telstra, 13 <https://exchange.telstra.com.au/telstra-cyber-security-report-2016/>.
[3] Telstra, Telstra Cyber Security Report 2014 (2014) Telstra, 19 <https://opt/bitnami/apps/wordpress/htdocs.telstra.com.au/business-enterprise/download/document/telstra-cyber-security-report-2014.pdf>; Telstra, Telstra Cyber Security Report 2017 (2017) Telstra, 36 <https://opt/bitnami/apps/wordpress/htdocs.telstra.com.au/content/dam/tcom/business-enterprise/campaigns/pdf/cyber-security-whitepaper.pdf>.
[4] Telstra, Telstra Cyber Security Report 2016 (23rd February 2016) Telstra, 3 <https://exchange.telstra.com.au/telstra-cyber-security-report-2016/>.
[5] Privacy Act 1998 (Cth) sch 1 sub-cl 11.1.
[6] Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth), 22-23.
[7] Privacy Act 1998 (Cth) ss 6, 6C, 6D(3), 15; Office of the Australian Information Commissioner, Data breach notification guide: A guide to handling personal information security breaches (OAIC, 2014) 2.
[8] Privacy Act 1998 (Cth) pt II div 1.
[9] Privacy Act 1998 (Cth) ss 13G, 80W.
[10] Office of the Australian Information Commissioner, above n 7, 2.
[11] Ibid 5
[12] Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) s 26WE(2).
[13] Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth), 3.
[14] Ibid 3.
[15] Ibid 4.
[16] Ibid 3.
[17] Ibid 25.