Posted on March 26, 2018 by Matt Harker and Sue Puckeridge
What you need to know: amendments to the Privacy Act 1988
The Commonwealth Government’s recent reforms to the Privacy Act 1988 have taken effect, heralding new obligations for a number of organisations across the country.
This article will consider what those obligations are, who is affected, and how organisations will be required to change their current practices.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Amendment Act) imposes obligations on organisations to notify affected individuals, and the Office of the Australian Information Commissioner (OAIC), of data breaches that are likely to result in serious harm.
By imposing this obligation, the Amendment Act purports to provide affected individuals with an opportunity to safeguard their private information, and provides greater transparency about how private and personal information is being dealt with. In this respect, the Amendment Act marks an important step in the protection of privacy in Australia.
Nonetheless, the Amendment Act seeks to achieve this largely through self-regulation. Organisations will be required to identify when a data breach has occurred, and whether the breach needs to be reported.
This requires consideration of three criteria:
- whether there is, or has been, unauthorised access to, unauthorised disclosure of, or loss of personal information held by the organisation;
- whether this is likely to result in serious harm to an individual or individuals; such harm may be physical, emotional, psychological, financial, or reputational; and
- whether the organisation has been able to prevent the risk of serious harm by taking remedial action subsequent to the data breach.
If an organisation has reasonable grounds to believe that these criteria are met, it must promptly report the breach to the OAIC and any affected person.
Who is affected?
There is commentary to suggest that local councils are exempt from the new reforms. This is inaccurate.
Although councils are excluded from the provisions of the Privacy Act 1988 with respect to most of the personal information that they hold, the Amendment Act will apply to the extent that a council holds the tax file numbers of its employees or other individuals.
The notifiable data breach obligations apply to ‘file number recipients’ so far as they hold tax file number information relating to one or more individuals.
There are two concepts here of particular note:
- a ‘file number recipient’ is a person who is in possession or control of a record that contains tax file number information;
- ‘tax file number information’ is information that records the tax file number of a person in a manner connecting it to that person’s identity.
Significantly, local councils are ‘persons’ under Commonwealth legislation (see the Acts Interpretation Act 1901 s 2C). As a result, if a council possesses and controls records, such as tender documents and employee payment details, which contain tax file numbers, it will be a file number recipient and therefore subject to the notifiable data breach provisions in respect of those records.
Ultimately, this means that a local council will be required to report a data breach only if the breach involves the disclosure of tax file number information.
State government authorities
An initial reading of the Amendment Act suggests that state government departments may also be caught by the new reforms by reason of the Secretary being a file number recipient because he or she has control over tax file number information. This appears to be the view of the OAIC.
Entities created by the State which are corporations are ‘persons’ and therefore tax file number recipients in their own right to the extent that they hold or control tax file number information.
As with local councils, however, the notification obligations will not apply to data breaches concerning all personal information held by a state government authority. The obligations will only apply to data breaches involving records containing tax file number information.
The reforms generally apply to any organisation which is currently subject to the Australian Privacy Principles. This includes any business with annual revenue of over $3 million that holds personal information about an individual or individuals.
Businesses meeting this threshold are required to notify of a data breach involving personal information. Personal information is much broader than tax file number information: it means information or an opinion about an individual who is identified in the information or otherwise reasonably identifiable.
Most significantly, organisations need to put procedures in place to identify data breaches and respond immediately. The OAIC has recommended that this be done by way of a data breach response plan. By developing a plan or similar policy document, organisations will give themselves the best chance to respond effectively to data breaches and consistently with the obligations imposed by the Amendment Act.
The plan should detail:
- an explanation of what constitutes a data breach;
- a strategy for containing and addressing data breaches as soon as possible;
- a demarcation of roles for staff in monitoring and responding to data breaches; and
- strategies to prevent future data breaches.
The OAIC has published a detailed guide on the recommended contents of a data breach response plan, and how organisations should manage data breaches. A copy of that guide can be found here.
Given the significance of the obligations imposed under the Amendment Act, organisations who have not already done so should develop a data breach response plan as soon as possible.
If you require guidance in the development of such a plan, or wish to discuss the Amendment Act more generally, please contact Sue Puckeridge, Partner on 8235 9702 or Matt Harker on 8235 9714.