House of Representatives

Privacy Amendment (Notifiable Data Breaches) Bill 2016

Explanatory Memorandum

(Circulated by authority of the Attorney-General, Senator the Hon George Brandis QC)

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Privacy Amendment (Notifiable Data Breaches) Bill 2016

284. This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

285. The Bill amends the Privacy Act 1988 (Privacy Act) by inserting provisions imposing a data breach notification requirement on entities regulated by the Privacy Act (entity) in relation to eligible data breaches. The amendments will commence on a single day fixed by proclamation or, if no day is proclaimed, 12 months from the day after the Bill receives Royal Assent.

286. 'Eligible data breach' is defined in the Bill. For the purposes of the Bill, an eligible data breach occurs where personal information held by an entity is subject to unauthorised access or unauthorised disclosure and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the personal information relates (affected individuals). A cyber intrusion involving the publication online of individuals' names and credit card numbers could be an example of an 'eligible data breach'. Another potential example could be the accidental publication of patient records by a medical practice. An eligible data breach would also occur where personal information is lost in circumstances likely to lead to unauthorised access or disclosure, where, assuming the access or disclosure occurred, a reasonable person would conclude that it would be likely to result in serious harm to affected individuals.

287. The Bill provides that, where an entity has suffered an eligible data breach, it must notify affected individuals as well as the Australian Information Commissioner, unless an exception applies. If practicable, entities must notify either:

all individuals whose information was subject to unauthorised access, unauthorised disclosure or loss, or
only those individuals who are deemed to be at risk of harm (noting that this group will also be notified under the first option).

288. If neither option is practicable, the entity must publish the notification on its website (if any) and take reasonable steps to publicise its contents.

289. In addition, subject to some exceptions, the Commissioner may direct an entity to notify affected individuals of an eligible data breach. The notification requirements and available exceptions are largely the same in either case, with the notable difference that, when issuing a direction to notify, the Commissioner may require the entity to include in the notification specified information relating to the eligible data breach.

290. The Bill provides that an entity which fails to satisfy these notification requirements engages in an interference with the privacy of an individual. The Commissioner's existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act may then apply.

291. The Bill's notification requirements are expected to result in more timely opportunities for individuals to promptly respond to an eligible data breach by changing passwords, cancelling credit cards or taking other action to avoid serious harm. It is also anticipated that the notification requirements will provide entities with an incentive to improve security standards relating to personal information.

Human rights implications

292. The Bill engages the following rights:

the right to privacy (Article 17 of the International Covenant on Civil and Political Rights (ICCPR)), and
the right to a fair trial (Article 14 of the ICCPR).

The right to privacy

293. Article 17 of the ICCPR provides that:

1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
2. Everyone has the right to the protection of the law against such interference or attacks.

294. The Bill promotes the right to privacy in that it provides the protection of the law against unlawful interferences with privacy. Individuals who are notified of an eligible data breach will be able to take prompt measures to protect their privacy. Furthermore, the Bill creates an incentive for entities to improve security standards relating to personal information.

295. The Bill contains exceptions to the mandatory data breach notification provisions which limit the right to privacy as individuals will not be notified of an eligible data breach if one of these exceptions applies. This limitation of the right to privacy is permissible as each of these exceptions is reasonable, necessary and proportionate means to achieve the goals of this Bill and the Privacy Act as a whole.

Remedial action exception

296. The notification requirement will be limited where:

an entity takes action following an unauthorised access or unauthorised disclosure of personal information, or a loss that leads to unauthorised access or unauthorised disclosure, and that action would lead a reasonable person to conclude that the access or disclosure would not be likely to result in serious harm to affected individuals, or
an entity takes action following a loss of personal information with the result that unauthorised access or unauthorised disclosure of the information does not occur.

297. Importantly, this exception can only apply where an entity has taken action following unauthorised access, unauthorised disclosure or loss of information to ensure that harm to affected individuals cannot arise as a result of the access, disclosure or loss, as the case may be. Requiring notification in this scenario would not serve any harm mitigation purpose. This exception is therefore a reasonable, necessary and proportionate means to achieve the balance between the protection of privacy and the interests of entities to be able to resolve personal information security incidents on their own initiative wherever possible.

Exception for eligible data breaches of other entities

298. The notification requirement will be limited where an entity experiences an eligible data breach that is also an eligible data breach of one or more other entities, and one of these entities complies with the notification requirement. These exceptions will apply where more than one entity jointly and simultaneously holds the same particular record of personal information (for example, due to outsourcing, joint venture or shared services arrangements). The exceptions are designed so that, in these situations, only one of the entities which experienced the eligible data breach is required to notify the eligible data breach (it will be a matter for the entities concerned to decide which of the entities does so). This ensures that the Commissioner and affected individuals will receive a single notification of an eligible data breach in these situations, rather than requiring each entity to separately notify the Commissioner and affected individuals, which would potentially lead to confusion and 'notification fatigue' for individuals and increased costs for regulated entities. This exception is therefore a reasonable, necessary and proportionate means to achieve the balance between the protection of privacy and the compliance burden on regulated entities.

Law enforcement exception

299. The notification requirement will be limited where: (a) the entity is an enforcement body; and (b) the Chief Executive Officer of the enforcement body believes on reasonable grounds that compliance with the notification requirement would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, the enforcement body. Where that is the case, the enforcement body must only notify the Commissioner (unless the Commissioner has given the enforcement body a direction to notify an eligible data breach, in which case the exception will not require the enforcement body to notify the Commissioner). A key objective of the Privacy Act is to balance the protection of privacy with the interests of entities in carrying out their lawful and legitimate functions and activities. Because of their role in providing security to the community, it would not be appropriate for the Bill to contain measures that could prejudice law enforcement activities. It is important to note that enforcement bodies will still have to comply with the notification requirement in circumstances where compliance would not prejudice an enforcement related activity. This exception is therefore a reasonable, necessary and proportionate means to achieve the balance between the protection of privacy and the interests of enforcement bodies.

Commissioner's declaration exception

300. The notification requirement will not apply where the Commissioner decides, either on his or her own initiative or on application from the relevant entity, to issue a notice exempting the entity from complying with the requirement, either entirely or only for a particular period of time. For example, the exception could operate where notification would impede a law enforcement investigation or where the eligible data breach concerns matters of national security (and where the law enforcement exception is not available). The Commissioner will be required to only grant a notice in cases where the Commissioner is satisfied doing so is reasonable in the circumstances, having regard to the public interest, any relevant advice (if any) that an enforcement body or the Australian Signals Directorate gives to the Commissioner about the decision to grant a notice, and such other matters (if any) that the Commissioner considers relevant in the circumstances. These requirements ensure that the exception is only relied upon following consideration of whether the risks associated with notifying a particular eligible data breach would in all the circumstances outweigh the benefits of notification to affected individuals. This exception is therefore a reasonable, necessary and proportionate means to achieve the balance between the protection of privacy and the protection of the public interest.

Secrecy provision exception

301. Where compliance with the notification requirement would to any extent be inconsistent with a provision in a law of the Commonwealth (other than the Privacy Act) that prohibits or regulates the use or disclosure of information, the notification requirement will be limited to the extent of the inconsistency. If a secrecy provision has been prescribed in regulations under the Privacy Act, and compliance with the notification requirement would to any extent be inconsistent with the prescribed provision, then the notification requirement will not apply. This exception is necessary to ensure that the notification requirement does not inappropriately override secrecy provisions in other laws, again recognising that the Privacy Act balances the protection of privacy with the interests of entities in carrying out their lawful and legitimate functions and activities. Where the exception applies, and if the secrecy provision is not prescribed in the regulations, the entity will still be required to comply with the notification requirement to the extent that the provision in the other law allows, meaning that affected individuals may receive notification in some form. Secrecy provisions would only be prescribed in regulations after consideration of whether other exceptions in the Bill would be sufficient to avoid the harm that would be prevented through prescribing the secrecy provision. This exception is therefore a reasonable, necessary and proportionate means to achieve the objectives of the Bill and balance the protection of privacy with the interests of entities in carrying out their lawful and legitimate functions and activities.

eHealth record exception

302. The notification requirement will not apply where an access, disclosure or loss that would otherwise constitute an eligible data breach under the Bill has been, or is required to be, notified under section 75 of the My Health Records Act 2012 (My Health Records Act). Section 75 of the My Health Records Act establishes mandatory data breach notification requirements that apply to data breaches involving eHealth records, or the integrity of the broader eHealth system. This exception is intended to prevent situations where notification of an eligible data breach would be required under both the Bill and the My Health Records Act. Importantly, where the exception applies, the entity would still be required to comply with the notification requirement in section 75 of the My Health Records Act, which will ensure adequate consideration of the privacy of affected individuals. This exception is therefore a reasonable, necessary and proportionate means to ensure consistency between the Bill and the My Health Records Act.

The right to a fair trial

303. The Bill promotes Article 14 of the ICCPR, which guarantees a person be afforded, in the determination of any criminal charge against them, the right to a fair trial. The United Nations Human Rights Committee has stated that the notion of criminal charges may 'also extend to acts that are criminal in nature with sanctions that, regardless of their qualification in domestic law, must be regarded as penal because of their purpose, character or severity' (see General Comment No. 32, para 15; Communication No. 1015/2001, Perterer v Austria, at para 9.2). It is therefore necessary to consider the substance as well as the form of the civil penalties provided for by the Bill.

304. The Bill provides that an entity which fails to notify affected individuals of an eligible data breach engages in an interference with the privacy of an individual. This is a reasonable and proportionate provision because failure to notify can have similarly adverse consequences for individuals to other interferences with privacy, such as breaching an Australian Privacy Principle. A range of acts and omissions may constitute a breach of an Australian Privacy Principle, from disclosing personal information for the purposes of direct marketing to not properly notifying individuals that their personal information has been collected. Interferences with the privacy of an individual may attract a civil penalty where there has been a serious or repeated interference with the privacy of an individual.

305. The penalties that may be imposed are compatible with Article 14 of the ICCPR because the Privacy Act provides that all persons are equal before the courts and have a right to a fair and public hearing before a competent, independent and impartial court. A civil penalty can only be issued by the Federal Court or Federal Magistrates Court/Federal Circuit Court of Australia following an application by the Commissioner. No minimum penalty is prescribed. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of 2,000 penalty units for individuals and 10,000 penalty units for bodies corporate. The Privacy Act's civil penalty provisions incorporate appropriate safeguards, including the stipulation that in determining pecuniary penalties a court must take all relevant matters into account, including the circumstances of the contravention, the nature and extent of any loss or damage suffered because of the contravention and whether the entity has previously been found to have engaged in similar conduct. The Privacy Act also provides that an entity will not be liable for more than one pecuniary penalty in relation to the same conduct, and that a civil penalty order cannot be made if an entity has already been convicted of an offence involving the same conduct, or conduct that is substantially the same. These provisions ensure that pecuniary penalties are proportionate to any contravention of a civil penalty provision, and protect the rights expressed in Article 14.

Conclusion

306. The Bill is compatible with human rights because it promotes the right to a fair trial in Article 14 and the right to privacy in Article 17 of the ICCPR, and to the extent that it may limit the right to privacy, those limitations are reasonable, necessary and proportionate to achieve the legitimate aims of the Bill and the Privacy Act.
