Explanatory Memorandum
(Circulated by authority of the Attorney-General, Senator the Hon George Brandis QC)Notes on Clauses
Preliminary
Clause 1 - Short title
1. This clause provides for the short title of the Act to be the Privacy Amendment (Notifiable Data Breaches) Act 2016.
Clause 2-Commencement
2. This clause provides for the commencement of each provision in the Bill, as set out in the table. Item 1 in the table provides that sections 1 to 3 which concern the formal aspects of the Bill, as well as anything in the Bill not elsewhere covered by the table, will commence on the day on which the Bill receives Royal Assent.
3. Item 2 in the table provides that Schedule 1 of the Bill, which contains the substantive amendments to the Privacy Act 1988 ( the Privacy Act ) will commence on a single day fixed by proclamation. However, if the provisions do not commence before 12 months from the day after the Bill receives the Royal Assent, they will commence on that day.
4. Subclause 2(2) provides that the information in column 3 of the table, which provides dates and further details, does not form part of the Bill. The subclause also provides that information in column 3 may be edited or inserted in any published version of the Bill once enacted.
Clause 3 - Schedules
5. Clause 3 provides that each Act specified in the Schedule is amended or repealed as set out in the Schedule. Clause 3 also provides that any other item in a Schedule of the Bill will have effect according to its terms.
Schedule 1-Amendments
Privacy Act 1988
Item 1 Subsection 6(1)
6. Item 1 of Schedule 1 inserts definitions of 'at risk' and 'eligible data breach' into existing subsection 6(1) of the Privacy Act. This item provides that the term 'at risk' has the meaning given by section 26WE, while 'eligible data breach' has the meaning given by Division 2 of Part IIIC, both of which are inserted into the Privacy Act by this Bill (see Item 3 below).
7. The definition of 'at risk' is relevant when determining which individuals are notified when an entity makes a notification under subsection 26WL(2) or 26WR(2) (see Item 3 below). The definition of 'eligible data breach' is intended to capture data breaches that are significant enough to warrant notification. This will ensure the Government does not create or impose an unreasonable compliance burden on entities regulated by the scheme, and avoid the risk of 'notification fatigue' among individuals receiving a large number of notifications in relation to non-serious breaches.
Item 2 After subsection 13(4)
8. Item 2 of Schedule 1 inserts a new subsection 13(4A) into the Privacy Act after existing subsection 13(4). New subsection 13(4A) is titled 'Notification of eligible data breaches etc.', and provides that if an entity (within the meaning of Part IIIC) contravenes either new subsection 26WH(2), 26WK(2), 26WL(3) or 26WR(10) of the Privacy Act (all of which are inserted by this Bill), the contravention is taken to be an act that is an 'interference with the privacy of an individual'. Existing subsection 6(1) of the Privacy Act provides that the term 'interference with the privacy of an individual' has the meaning given by sections 13 to 13F of the Privacy Act.
9. The effect of new subsection 13(4A) of the Privacy Act will be to enable the Australian Information Commissioner ( the Commissioner ) to use the powers and access the remedies available to the Commissioner under the Privacy Act to investigate and address contraventions of subsection 26WH(2), 26WK(2), 26WL(3) or 26WR(10), as the case may be. These include the capacity for the Commissioner to initiate investigations, make determinations and seek enforceable undertakings, as well as making applications for civil penalties for serious or repeated interferences with the privacy of an individual.
10. A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of 2,000 penalty units for individuals and 10,000 penalty units for bodies corporate.
11. The Commissioner also has guidance-related functions under existing paragraph 28(1)(a) of the Privacy Act to make guidelines for the avoidance of acts or practices that may or might be interferences with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals. The Commissioner will consequently have the discretion to issue guidelines under paragraph 28(1)(a) about matters relating to compliance with the new Part IIIC inserted into the Privacy Act by this Bill (see Item 3 below).
Item 3 After Part IIIB
Part IIIC-Notification of eligible data breaches
12. Item 3 of Schedule 1 inserts a new Part IIIC, titled 'Notification of eligible data breaches', into the Privacy Act following existing Part IIIB. This new Part contains the substantive elements of the mandatory data breach notification provisions, which apply to entities that are regulated by the Privacy Act.
13. The Part is divided into three Divisions. Broadly, the first Division sets out a simplified outline of the Part and contains some provisions which influence the scope of the Part, the second Division sets out when an 'eligible data breach' will have occurred, and the third Division contains obligations for entities to notify eligible data breaches, subject to limited exceptions.
Division 1-Introduction
Section 26WA Simplified outline of this Part
14. This section sets out a brief outline to the contents of the new Part IIIC-Notification of eligible data breaches. The outline explains the purpose of the Part, what constitutes an eligible data breach and when an entity must notify an eligible data breach.
Section 26WB Entity
15. Existing subsection 6(1) of the Privacy Act defines 'entity' to include an agency, an organisation or a small business operator (all of which are also defined in subsection 6(1)). Section 26WB provides that, for the purposes of Part IIIC, 'entity' also includes a person who is a file number recipient. This will ensure that file number recipients which could experience an 'eligible data breach' as defined in section 26WE below but are not an agency, an organisation or a small business operator will nonetheless still be subject to the notification requirement.
Section 26WC Deemed holding of information
16. This section provides that, where particular kinds of entities subject to Part IIIC have disclosed information subject to the Part to particular recipients, the Part applies as though the entity held the information.
Overseas recipients
17. Subsection 26WC(1), which is titled 'Overseas recipients', establishes the circumstances under which an Australian Privacy Principle ( 'APP' ) entity will retain accountability for an eligible data breach involving personal information even though that APP entity might not be otherwise responsible for the breach due to the fact that the personal information has been disclosed to an overseas recipient.
18. Subsection 26WC(1) provides that where:
- •
- an APP entity has disclosed personal information about one or more individuals to an overseas recipient
- •
- APP 8.1 applied to that disclosure, and
- •
- the overseas recipient holds the personal information
then Part IIIC applies as if the personal information was held by the APP entity, and the APP entity was required under section 15 of the Privacy Act not to do an act, or engage in a practice, that breaches APP 11.1 in relation to the personal information. This means that the requirements of Part IIIC apply, and the disclosing APP entity retains accountability under existing section 16C of the Privacy Act for that personal information, even if the eligible data breach occurred offshore.
Bodies or persons with no Australian link
19. Subsection 26WC(2), which is titled 'Bodies or persons with no Australian link', establishes the circumstances under which a credit provider will retain accountability for an 'eligible data breach' involving credit eligibility information that was disclosed to a body or person with no Australian link.
20. Subsection 26WC(2) provides that where:
- •
- either:
- o
- a credit provider has disclosed, under existing paragraph 21G(3)(b) or 21G(3)(c) of the Privacy Act, credit eligibility information about one or more individuals to a related body corporate, or person, that does not have an Australian link, or
- o
- a credit provider has disclosed, under existing subsection 21M(1) of the Privacy Act, credit eligibility information about one or more individuals to a body or person that does not have an Australian link, and
- •
- the related body corporate, body or person holds the credit eligibility information
then Part IIIC of the Privacy Act applies as if the credit eligibility information was held by the credit provider, and the credit provider was required to comply with existing subsection 21S(1) of the Privacy Act in relation to the credit eligibility information. This means that the requirements of Part IIIC apply, and the credit provider retains accountability for that credit eligibility information, even where a credit provider discloses credit eligibility information to a recipient that does not have an Australian link. The term 'Australian link' is used to define the entities that are subject to the operation of the Privacy Act, and is used throughout the Act, for example, in existing section 5B, APP 8 and throughout the credit reporting provisions. This subsection will apply where credit eligibility information has been disclosed by the credit provider to the entities listed in the specified circumstances, and where these entities hold that information.
21. This item also inserts a Note following subsection 26WC(2) and before section 26WD. The Note provides a cross-reference to existing section 21NA of the Privacy Act, about disclosures to certain persons and bodies that do not have an Australian link.
Section 26WD Exception-notification under the My Health Records Act 2012
22. The effect of this section is to avoid imposing a double notification requirement if an unauthorised access, unauthorised disclosure or loss of information that may constitute an eligible data breach as defined in Division 2 below has also been, or is also required to be, notified under the existing mandatory data breach notification scheme in section 75 of the My Health Records Act 2012. Specifically, the references to an 'unauthorised access', 'unauthorised disclosure' or 'loss' of information in paragraphs 26WD(a), 26WD(b) and 26WD(c) link to the definition of an eligible data breach in Division 2 below to ensure that such an access, disclosure or loss does not constitute an eligible data breach under Division 2.
Division 2-Eligible data breach
Section 26WE Eligible data breach
23. This section sets out the circumstances in which an 'eligible data breach' occurs. In short, the section provides that an eligible data breach occurs where:
- •
- there is unauthorised access to, or unauthorised disclosure of specified kinds of information held by specified entities relating to one or more individuals, or loss of that information that is likely to lead to unauthorised access or unauthorised disclosure of the information, and
- •
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or in the case of loss of information, assuming that unauthorised access or unauthorised disclosure were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
Scope
24. Subsection 26WE(1), which is titled 'Scope', sets out the kinds of entities and information which a data breach must involve to satisfy the definition of an 'eligible data breach'. Each kind of entity included in the subsection is already subject to the Privacy Act. The subsection also provides that an eligible data breach can only occur in relation to information that is subject to existing Privacy Act information security requirements. This also has the effect of preserving existing exemptions in Privacy Act that apply to particular acts and practices (for example, the exemptions for organisations in existing section 7B), meaning that an eligible data breach arising from such an act or practice will not fall under Part IIIC because it is not subject to existing Privacy Act information security requirements.
25. The references to existing Privacy Act information security requirements in subsection 26WE(1) do not mean that an entity has breached those requirements in the event of an eligible data breach. For example, an entity may comply with those requirements but nonetheless still experience an eligible data breach due to circumstances that were not reasonably foreseeable.
26. Paragraph 26WE(1)(a) provides that section 26WE applies if:
- •
- an APP entity holds personal information relating to one or more individuals (subparagraph 26WE(1)(a)(i)), and
- •
- the APP entity is required under existing section 15 of the Privacy Act not to do an act, or engage in a practice that breaches existing APP 11.1 of the Privacy Act in relation to the information (subparagraph 26WE(1)(a)(ii)).
27. 'Personal information' is defined in existing subsection 6(1) of the Privacy Act to include information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not. 'APP entity' is defined in subsection 6(1) of the Privacy Act to include Commonwealth government agencies and private sector organisations regulated by the Privacy Act. APP 11.1 of the Privacy Act requires APP entities to protect personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.
28. Paragraph 26WE(1)(b) provides that section 26WE applies if:
- •
- a credit reporting body holds credit reporting information relating to one or more individuals (subparagraph 26WE(1)(b)(i)), and
- •
- the credit reporting body is required to comply with existing section 20Q of the Privacy Act in relation to the information (subparagraph 26WE(1)(b)(ii)).
29. 'Credit reporting information' is defined in subsection 6(1) of the Privacy Act and includes the credit-related information about individuals collected by credit providers. 'Credit reporting body' is defined in subsection 6(1) of the Privacy Act as an organisation, or an agency prescribed by regulation, which carries on a credit reporting business. Section 20Q of the Privacy Act is based on APP 11.1 and requires credit reporting bodies to, among other things, protect credit reporting information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.
30. Paragraph 26WE(1)(c) provides that section 26WE applies if:
- •
- a credit provider holds credit eligibility information relating to one or more individuals (subparagraph 26WE(1)(c)(i)), and
- •
- the credit provider is required to comply with existing subsection 21(S)(1) of the Privacy Act in relation to the credit reporting information (subparagraph 26WE(1)(c)(ii)).
31. 'Credit eligibility information' is defined in subsection 6(1) of the Privacy Act as including credit reporting information disclosed to a credit provider by a credit reporting body and information derived from the credit reporting information. 'Credit provider' is defined in existing section 6G of the Privacy Act as including a bank or other organisation that provides credit as a substantial part of its business or undertaking. Subsection 21S(1) of the Privacy Act is based on APP 11.1 and requires credit providers to protect credit eligibility information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.
32. Paragraph 26WE(1)(d) provides that section 26WE applies if:
- •
- a file number recipient holds tax file number information relating to one or more individuals (subparagraph 26WE(1)(d)(i)), and
- •
- the file number recipient is required under existing section 18 of the Privacy Act not to do an act, or engage in a practice, that breaches a rule issued under exiting section 17 of the Privacy Act that relates to the tax file number information (subparagraph 26WE(1)(d)(ii)).
33. 'Tax file number' and 'tax file number information' are defined in subsection 6(1) of the Privacy Act. 'File number recipient' is defined in section 11 of the Privacy Act to include a person who is (whether lawfully or unlawfully) in possession or control of a record that contains tax file number information. Section 17 of the Privacy Act provides that the Commissioner must issue rules concerning the collection, storage, use and security of tax file number information. Existing section 18 of the Privacy Act provides that a file number recipient shall not do an act, or engage in a practice, that breaches a rule issued under section 17.
Eligible data breach
34. Subsection 26WE(2), which is titled 'Eligible data breach', establishes the circumstances that will constitute an 'eligible data breach' when information within scope of section 26WE is subject to unauthorised access, unauthorised disclosure or loss. In order not to impose an unreasonable compliance burden on entities and to avoid the risk of 'notification fatigue' among individuals receiving a large number of notifications in relation to non-serious breaches, it is not intended that every data breach be subject to a notification requirement.
35. Paragraph 26WE(2)(a) provides that an eligible data breach will occur in situations where:
- •
- unauthorised access to or unauthorised disclosure of information of a kind referred to in new subsection 26WE(1) occurs (subparagraph 26WE(2)(a)(i)), and
- •
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates (subparagraph 26WE(2)(a)(ii)).
36. Paragraph 26WE(2)(b) provides that an eligible data breach will occur in situations where information of a kind referred to in subsection 26WE(1) is lost in circumstances where:
- •
- unauthorised access to or unauthorised disclosure of the information is likely to occur (subparagraph 26WE(2)(b)(i)), and
- •
- the access or disclosure, assuming it were to occur, would lead a reasonable person to conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates (subparagraph 26WE(2)(b)(ii)).
37. The 'reasonable person' element of subparagraphs 26WE(2)(a)(ii) and 26WE(2)(b)(ii) ensure that an entity cannot be taken to breach Part IIIC if they fail to determine that an unauthorised access, unauthorised disclosure or loss is or would be likely to result in serious harm, if a reasonable person in their position would not have been able to do so based on information available to them, either directly or following reasonable inquiries. Other elements of the Bill also provide greater certainty about how entities are to determine whether an eligible data breach has occurred, including the 'relevant matters' requirement in section 26WG and the assessment requirement in section 26WH below, where an entity suspects but does not have reasonable grounds to believe that an eligible data breach has occurred.
38. In the context of subparagraphs 26WE(2)(a)(ii), the phrase 'likely' is intended to ensure that an eligible data breach only occurs if a reasonable person in the entity's position (rather than the individual to whom the information relates, or any other person) would conclude that serious harm would be more probable than not to occur to any individuals to whom information relates following unauthorised access to or unauthorised disclosure of that information.
39. In the context of subparagraph 26WE(2)(b)(i), the phrase 'likely' is intended to ensure that loss of information will only be considered an eligible data breach if it is more probable than not that the information will be subject to unauthorised access or unauthorised disclosure as a result. Examples of where unauthorised access or unauthorised disclosure would not be likely following loss of information might include hardcopy information lost after it has been accidentally disposed of in a secure waste disposal, or the loss of an electronic storage device that has been encrypted or contains encrypted information where the probability of the encryption being circumvented is low.
40. In the context of subparagraph 26WE(2)(b)(ii), the phrase 'likely' is intended to have an equivalent meaning to the use of that phrase in subparagraph 26WE(2)(a)(ii) above, following a loss of information that is likely to lead to unauthorised access or unauthorised disclosure, and assuming that such access or disclosure were to occur.
41. Part IIIC does not define what constitutes 'serious harm' for the purposes of subparagraphs 26WE(2)(a)(ii) and 26WE(2)(b)(ii). Potential forms of serious harm will vary depending on the circumstances of the individual or individuals concerned and the circumstances of the particular or assumed incident of unauthorised access or unauthorised disclosure. Potential harms, depending on the circumstances, could include physical, psychological, emotional, economic and financial harm, as well as harm to reputation. Even where a reasonable person would consider that the access, disclosure or loss would be likely to result in harm, the reasonable person would also need to consider the harm to be 'serious' in order for an eligible data breach to have occurred under subsection 26WE(2).
42. Part IIIC is expected to predominantly require notification of eligible data breaches where a reasonable person would conclude that there is a likely risk of serious financial, economic or physical harm to individuals. However, the likelihood of other kinds of serious harm (such as serious emotional or psychological harm, or serious harm to reputation) cannot be ruled out, especially for eligible data breaches involving health information, other forms of 'sensitive information' as defined in section 6(1) of the Privacy Act, or other information that would be considered 'sensitive' according to the ordinary meaning of the term. The 'relevant matters' contained in section 26WG below also require consideration of particular matters which may assist in determining whether a reasonable person would conclude a particular unauthorised access or unauthorised disclosure (assumed or otherwise) would be likely to result in serious harm.
Section 26WF Exception-remedial action
43. This section deals with cases where an eligible data breach occurs but the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, which experienced the eligible data breach is able to take action so that a reasonable person would conclude that an unauthorised access, unauthorised disclosure, or loss, as the case may be, would not be likely to result in serious harm to any of the individuals to whom the information relates. A similar exception applies where an entity takes action that prevents unauthorised access or unauthorised disclosure from occurring following a loss of information. If the action remediates harm only to a particular individual or individuals from a larger cohort of individuals whose information was compromised in an eligible data breach, the section also provides that notification to those particular individuals is not required.
44. The section does not define what constitutes 'action' of this kind. What constitutes an action which satisfies an exception contained in the section will vary, but in general terms may include any action which remediates a risk of serious harm, or prevents unauthorised access to or unauthorised disclosure of information from occurring following an eligible data breach or potential eligible data breach. In the case of the exceptions contained in subsections 26WF(1), 26WF(2), 26WF(4) and 26WF(5), the question of whether an action satisfies the applicable exception must be considered from the perspective of a reasonable person.
Access to, or disclosure of, information
45. Subsection 26WF(1), titled 'Access to, or disclosure of, information' applies where an eligible data breach has occurred under subsection 26WE(2)(a), but the entity takes action before the relevant unauthorised access or unauthorised disclosure results in serious harm to any of the individuals to whom the information relates. Examples of potential action that might fall under this subsection could include:
- •
- A financial institution which becomes aware that customer account details have been accessed by unauthorised parties, and freezes the affected accounts before any fraudulent transactions occur.
- •
- An entity which becomes aware that it has mistakenly emailed the information of one individual to another individual, asks the second individual to delete the information without using or disclosing it, and is confident that the second individual has complied with that request.
- •
- An entity which becomes aware that an employee has accessed information without malicious intent but without authorisation, where the entity restricts the employees' access to the information and otherwise ensures that no further unauthorised access, use or disclosure of the information occurs, and continues to otherwise comply with the Privacy Act in relation to the information.
46. If, as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of the individuals to whom the information relates, paragraph 26WF(1)(e) provides that the eligible data breach is not, and is taken never to have been, an eligible data breach of the entity concerned. In considering whether a reasonable person would conclude that harm is not likely, regard must be had to the list of 'relevant matters' contained in section 26WG below.
47. The effect of paragraph 26WF(1)(f) in these circumstances is that the eligible data breach is also taken to have never been an eligible data breach of any other entity. This paragraph would apply where one or more other entities also jointly and simultaneously hold the same particular record of information compromised in the eligible data breach. Extending the exception to these entities, if any, ensures that the entities are not required to notify an eligible data breach where the relevant harm to individuals has already been adequately remediated.
48. Subsection 26WF(2) applies where an eligible data breach has occurred under subsection 26WE(2)(a), but the entity takes action before the relevant unauthorised access or unauthorised disclosure results in serious harm to particular individuals to whom the information relates. The subsection is expected to apply in similar circumstances to subsection 26WE(2)(a) above.
49. If, as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to a particular individual or particular individuals, notification to that particular individual or those particular individuals under Part IIIC is not required (though notification may still be required to any other individuals who a reasonable person would conclude are still at risk of serious harm).
50. Subsection 26WF(2) is intended to apply in circumstances where an eligible data breach occurs involving information relating to one or more individuals, and the entity is only able to remediate harm in relation to a subset of particular individuals.
Loss of information
51. Subsection 26WF(3), titled 'Loss of information', applies where an eligible data breach has occurred under subsection 26WE(2)(b), but the entity takes remedial action before the relevant loss of information results in unauthorised access to or unauthorised disclosure of the information. Examples of potential action that might fall under this subsection could include:
- •
- An entity which takes action to recover hard copy information that an employee of the entity left in a taxi, and the driver assures the entity that he or she has not accessed or disclosed the information while it was in his or her care. An entity in this case, assuming they consider the driver's assurance to be credible, might conclude that the entity's action has prevented an unauthorised access or unauthorised disclosure from occurring.
- •
- An entity which remotely erases the memory of a lost or stolen device before its content can be accessed without authorisation.
52. The effect of paragraph 26WF(3)(e) in these circumstances is that the loss is not, and is taken never to have been, an eligible data breach of the entity. Paragraph 26WF(3)(f) has the same effect as paragraph 26WF(1)(f) above in relation to eligible data breaches involving records of information jointly and simultaneously held by more than one entity.
53. Subsection 26WF(4) applies where an eligible data breach has occurred under subsection 26WE(2)(b), and the entity takes action after the relevant loss of information has led to unauthorised access or unauthorised disclosure, but before the unauthorised access or unauthorised disclosure has led to harm to any of the individuals to whom the information relates. Examples of potential actions that might apply under this subsection are the same as those listed as potential examples under subsection 26WF(1) above.
54. The effect of paragraph 26WF(3)(e) in these circumstances is that the loss is not, and is taken never to have been, an eligible data breach of the entity. Paragraph 26WF(4)(f) has the same effect as paragraphs 26WF(1)(f) and 26WF(3)(f) above in relation to eligible data breaches involving records of information jointly and simultaneously held by more than one entity.
55. Subsection 26WF(5) applies where an eligible data breach has occurred under subsection 26WE(2)(a), and the entity takes action after the relevant loss of information has led to unauthorised access or unauthorised disclosure, but before the unauthorised access or unauthorised disclosure has led to harm to particular individuals to whom the information relates.
56. If, as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to a particular individual or particular individuals, notification to that individual or those individuals under Part IIIC is not required.
57. Subsection 26WF(5) is intended to apply in similar circumstances to subsection 26WF(2) above.
Section 26WG Whether access or disclosure would be likely, or would not be likely, to result in serious harm-relevant matters
58. This section provides a non-exhaustive list of matters relevant to assessing the likelihood of serious harm for the purposes of the Division. The effect of paragraphs 26WG(a) and 26WG(b) is that regard must be had to the relevant matters listed in section 26WG when determining whether a reasonable person would conclude that an access or disclosure would be likely (for the purposes of section 26WE(2) above) or would not be likely (for the purpose of subsections 26WF(1), 26WF(2), 26WF(4) and 26WF(5) above) to result in serious harm to any of individuals to whom the information relates.
59. The 'reasonable person' element of this section makes clear that regard is intended to be had to these matters by considering information that would be available to a reasonable person in their position, including following reasonable inquiries.
60. Not all the matters listed will necessarily be particularly relevant in all circumstances. While in some cases one matter may be determinative in considering whether a reasonable person would reach the aforementioned conclusion, in other cases, it may be that a reasonable person would only reach that conclusion when regard is had to the relevant matters as a whole.
61. Most of the relevant matters listed in section 26WG are based on matters identified in the current OAIC Data Breach Notification: A guide to handling personal information security breaches, or matters identified in Australian Law Reform Commission ( ALRC ) Report 108, For Your Information: Australian Privacy Law and Practice.
62. The current OAIC Data breach notification guide: A guide to handling personal information security breaches and Guide to securing personal information: 'Reasonable steps' to protect personal information already provide advice about encryption and other security measures that are consistent with information security requirements in the Privacy Act. The Commissioner would have the discretion to expand or update this guidance to reflect the introduction of Part IIIC, or to introduce specific security guidelines relating to Part IIIC. This could include guidance material about the matters in section 26WG and the process of determining whether a reasonable person would conclude that an access or disclosure would be likely or would not be likely to result in serious harm for the purposes of new subsection 26WE(2), 26WF(1), 26WF(2), 26WF(4) or 26WF(5).
63. Paragraph 26WG(c) provides that the kind or kinds of information concerned in a data breach is a relevant matter under section 26WG. For example, a data breach involving an individuals' government-issued identifier (such as their Medicare number or driver's licence number) or financial details (such as their credit card details) might pose a greater likelihood of harm to the individual than a data breach involving only their name. Similarly, particular combinations of information (for example, a combination of name, address and date of birth) might pose a greater likelihood of harm than a single piece of information. However, in assessing whether a reasonable person would conclude that an access or disclosure would be likely or would not be likely to result in serious harm, it is relevant to consider whether a reasonable person might reach such a conclusion because of the likelihood that the information could be combined with other information.
64. The permanence of a particular kind of information may be relevant when considering the kind of information concerned in a data breach. For example, an entity could potentially take action to remediate the risk to an individual arising from a data breach involving information that can be re-issued, such as a compromised customer password, but cannot change 'permanent information' such as the individual's date of birth or medical history.
65. Paragraph 26WG(d) provides that the sensitivity of the information is a relevant matter under section 26WG. Where sensitivity arises because of the kind of information involved, the associated issues will in some cases be similar or identical to those discussed under paragraph 26WG(c) above, and it is expected that the matters under paragraphs 26WG(c) and 26WG(d) could be considered together.
66. In other cases the sensitivity of the information may relate to issues that are independent from the kind of information involved. An example would be an unauthorised disclosure of the names and addresses of individuals who are accessing a particular government service, or who are clientele of a particular business: although the data breach would involve information that would generally not be intrinsically sensitive, sensitivity may nonetheless arise if the knowledge that the individual was accessing the service or was a client of the business could cause harm.
67. Paragraph 26WG(e) provides that whether the information is protected by one or more security measures is a relevant matter under section 26WG. For example, if an entity's intrusion detection and prevention systems detect an attack on the entity's IT networks, the entity could consider whether network security mechanisms were likely to have prevented the attacker from accessing information falling under subsection 26WE(1).
68. In relation to electronic information, considerations that may apply under paragraph 26WG(e) may be similar or identical to matters that may be relevant under paragraph 26WG(h) below. But particularly in cases where an entity has reasonable grounds but not definitive proof to believe that unauthorised access to or unauthorised disclosure of information has occurred, consideration of security measures that were in place to protect the information may be of greater utility in assessing whether an eligible data breach has occurred than consideration of the matter dealt with under paragraph 26WG(h).
69. Paragraph 26WG(f) provides that, if the information involved in a data breach is protected by one or more security measures, the likelihood that any of those security measures could be overcome is a relevant matter under section 26WG. Returning to the example mentioned in relation to paragraph 26WG(e) above, the entity could consider the likelihood that the attacker might have overcome network security measures protecting personal information stored on the network. The likelihood of security measures being overcome may depend on matters dealt with in other paragraphs of section 26WG (in particular paragraph 26WG(g) below).
70. Paragraph 26WG(g) provides that the persons, or the kinds of persons, who have obtained, or who could obtain, the information involved in data breach is a relevant matter under section 26WG. For the purposes of paragraph 26WG(g), access by or disclosure to a trusted, known party is less likely to cause serious harm than access by or disclosure to an unknown party, a party suspected of being involved in criminal activity or a party who may wish to cause serious harm to the individual to whom the information relates (for example, a person against whom the individual has a restraining order).
71. An example might be if information falling under subsection 26WE(1) was exfiltrated from an entity's IT network in a cyber intrusion. Paragraph 26WG(g) is intended to require the entity to have regard to whether the information was likely to have been obtained, or could likely be obtained, by individuals with the capability and motive to use the information to cause harm to affected individuals, and whether this would influence a reasonable person's conclusion about whether the access would be likely or would not be likely to result in serious harm to any of the individuals to whom the information relates. Similar considerations could apply if electronic information was inadvertently published online by an entity, or was published online by a third party who had accessed the information without authorisation, and the information could as a result be accessed by a person with the capability and motive to cause harm to affected individuals (such as a person intending to use the information to commit identity theft for financial gain).
72. Paragraph 26WG(h) has the effect that under section 26WG entities must, in short, have regard to:
- •
- the likelihood that a security technique or methodology designed to make information compromised in a data breach unintelligible or meaningless, such as encryption, could be circumvented by individuals with the intent of causing harm, and
- •
- whether that circumvention may contribute to a reasonable person concluding that an access or disclosure would be likely or would not be likely to result in serious harm to any of the individuals to whom the information relates.
73. Subparagraph 26WG(h)(i) applies if a security technology or methodology was used in relation to the information. 'Security technology or methodology' is intended to be a technology neutral term that could apply to a range of technologies or methodologies designed to operate in the way described in subparagraph 26WG(h)(ii). As such, while encryption is expected to be the most common 'security technology or methodology' falling under subparagraph 26WG(h)(ii), the subparagraph could also apply to other technologies or methodologies. One possible example could be tokenisation, where the information to be protected is substituted with a token that is meaningless to unauthorised parties. The phrasing of subparagraph 26WG(h)(i) also means that the security technology or methodology does not need to have been used in relation to the information by the entity itself: it could, for example, have been used by some other entity, including another entity which simultaneously holds the information, such as a cloud storage provider.
74. Subparagraph 26WG(h)(ii) applies where the security technology or methodology referred to in subparagraph 26WG(h)(i) above was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information. The reference to the 'design' of the security technology or methodology reflects that the subparagraph is concerned with the intended operation of the security technology or methodology rather than its effectiveness, which is dealt with under subparagraphs 26WG(h)(iii) and (iv) below. The inclusion of both 'unintelligible' and 'meaningless' in subparagraph 26WG(h)(ii) is intended to recognise that, in some cases, information falling under paragraph 26WG(h) may be wholly unintelligible to unauthorised parties, for example, if the information is contained in an encrypted file. In other cases, the information may be intelligible to an unauthorised party, but not in a way that holds any meaning as personal information, credit reporting information, credit eligibility information or tax file number information: for example, in the case of tokenised information, if the unauthorised party would be able to determine that the same token links different records in a file of information, but would not be able to link the token to a particular identified or reasonably identifiable individual.
75. Subparagraphs 26WG(h)(iii) and (iv), read as part of the paragraph as a whole, go to the likelihood of whether the person, or kinds of persons, who have obtained, or could obtain, the information, have, or are likely to have, the intent of causing harm to any of the individuals to whom the information compromised in a data breach relates.
76. Subparagraph 26WG(h)(iii) requires entities to consider the persons, or kinds of persons, who have obtained, or who could obtain, the information. The considerations falling under this subparagraph are likely to be similar, if not identical in some cases, to those falling under paragraph 26WG(g) above. Particularly if the information has been published online, the entity might need to consider the likelihood of the persons, or kinds of persons, who could obtain the information at the time of the access or disclosure or at a later time.
77. Subparagraph 26WG(h)(iv) requires entities to consider whether the persons, or kinds of persons, referred to in subparagraph 26WG(h)(iii) above, have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates. Again, the considerations falling under this subparagraph are likely to be similar or identical to those falling under paragraph 26WG(g) above. The inclusion of subparagraph 26WG(h)(iv) means that paragraph 24WG(h) does not require entities to have regard to the ability of entities with advanced knowledge or resources (such as large technology firms) to circumvent the technology or methodology, if those entities are not likely to do so with the intention of causing harm to any of the individuals to whom the information relates.
78. After considering the matters in subparagraphs 26WG(h)(i)-(iv), entities are required to have regard to the likelihood that the person or kind of person referred to in subparagraph 26WG(h)(iii), with the intention to cause harm referred to in subparagraph 26WG(h)(iv), has obtained, or is likely to have obtained, information or knowledge required to circumvent the security technology or methodology referred to in subparagraphs 26WG(h)(i) and 26WG(h)(ii).
79. The reference to 'information or knowledge' in paragraph 26WG(h) is intended to reflect the different means by which a security technology or methodology falling under paragraph 26WG(h) could be circumvented. For example, 'information' in this context (as indicated in the note following the section, discussed below) could include an encryption key that could be used to decrypt information that was subject to unauthorised access or unauthorised disclosure: if the encryption key was also accessed or disclosed, or was obtained at a later time, the entity may have a strong indication that the encryption could be circumvented.
80. The reference to 'knowledge' in paragraph 26WG(h) is intended to include knowledge about a particular kind of security technique or methodology that could be used to circumvent the technology or methodology, and that might be available at the time of the data breach or that might become available at a later time (noting that such a consideration would be subject to the 'likelihood' element of paragraph 26WG(h)). For example, entities may need to consider the likelihood that knowledge about how to circumvent a particular encryption algorithm which is fit for purpose by current standards may become available in future as computing power and mathematical knowledge increase.
81. Where entities have regard to the likelihood of circumvention at a later time, it is intended that they should do so with the intent of determining whether a reasonable person would conclude that an access or disclosure would be likely or would not be likely to result in serious harm at that time to any of the individuals to whom the information relates. In this situation the 'remedial action' exceptions in section 26WF above may also be relevant if an entity takes action to remediate the risk of serious harm to individuals before the security technology or methodology is likely to have been circumvented (for example, by taking action to prevent harm from arising from an unauthorised disclosure of information that was encrypted using an algorithm that was out-dated or otherwise not fit for purpose, and could be circumvented in a relatively short period of time).
82. The 'reasonable person' element of section 26WG ensures that regard must be had to the matter in paragraph 26WG(h) (as with all other matters in section 26WG) from the perspective of how the matter would influence the conclusion of a reasonable person about whether an access or disclosure would be likely or would not be likely to result in serious harm to any of the individuals to whom the information relates. Paragraph 26WG(h) is intended to require regard to had to the paragraph based on the information that would be known to a reasonable person in the entity's position or available to such a person following reasonable inquiries, rather than reflecting an expectation that it will be possible to assess the matters covered in the paragraph with absolute certainty.
83. Paragraph 26WG(i) provides that the nature of the harm that may occur as a result of a data breach is a relevant matter under section 26WG.
84. Paragraph 26WG(j) provides that any other relevant matter is also a relevant matter under section 26WG. The nature of other matters that may be relevant will vary depending on the circumstances of the entity and the data breach. The Commissioner may choose to issue guidance material to assist entities to identify other relevant matters that might fall under paragraph 26WG(j).
85. This item also inserts a Note following paragraph 26WG(j) and before Division 3-Notification of eligible data breaches below. The Note explains that, if the security technology or methodology mentioned in paragraph 26WG(h) is encryption, an encryption key is the an example of information required to circumvent the security technology or methodology (as discussed above).
Division 3-Notification of eligible data breaches
Subdivision A-Suspected eligible data breaches
Section 26WH Assessment of suspected eligible data breach
86. This section sets out the circumstances in which an entity must carry out an assessment of whether an eligible data breach of the entity has occurred.
Scope
87. Subsection 26WH(1), which is titled 'Scope', provides that section 26WH applies where an entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity, but does not have reasonable grounds to believe that an eligible data breach of the entity has occurred. The intended relationship between section 26WH and section 26WK below is as follows:
- •
- if an entity is aware that there are reasonable grounds to suspect there may have been an eligible data breach of the entity, but does not know if there are reasonable grounds to believe that there has been an eligible breach, the entity must carry out an assessment under section 26WH.
- •
- if, on the other hand, an entity is aware that there are reasonable grounds to believe there has been an eligible data breach of the entity (after completing an assessment under section 26WH or otherwise), then the entity must prepare a statement under section 26WK.
88. This section is intended to apply where an entity becomes aware of circumstances that may constitute an eligible data breach, but needs to undertake a further assessment to determine whether an eligible data breach has occurred. For example, section 26WH might apply where a complaint from an individual leads an entity to suspect that there may have been an eligible data breach of the entity, but does not in itself provide sufficient information to give the entity reasonable grounds to believe that an eligible data breach has occurred.
89. Section 26WH is also intended to discourage entities from acting out of an abundance of caution to notify a data breach incident where, following a reasonable assessment, the entity would have determined that there are not reasonable grounds to believe that an eligible data breach has occurred. Specifically, the reference to an entity that 'is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity' in subsection 26WH(1) is intended to make clear that entities are only required to carry out an assessment where some event or other circumstances has led the entity to become so aware.
90. The assessment process is therefore intended to provide certainty and reduce the cost of compliance for entities and reduce the risk of individuals experiencing 'notification fatigue' due to receiving large numbers of notifications for non-serious breaches.
91. The nature of an assessment under section 26WH will vary depending on the circumstances of the suspected eligible data breach. For example, in some cases the entity may need to assess whether unauthorised access to or unauthorised disclosure of information has occurred, or (in the case of loss of information) is likely to occur, and if so, whether this provides reasonable grounds to believe there has been an eligible data breach of the entity. On the other hand, if the entity has reasonable grounds to suspect that unauthorised access or unauthorised disclosure has occurred or is likely to have occurred, the assessment may focus solely on the potential harm to individuals (in which case the matters listed in section 26WG above could assist entities in undertaking the assessment). Whether the entity has undertaken or could potentially undertake remedial action under section 26WF above may also influence the nature or scope of an assessment under section 26WH.
92. Where an entity fails to become aware that there are reasonable grounds to suspect there has been an eligible data breach of the entity, or fails to adequately undertake an assessment under new section 26WH, the Commissioner may be able to direct the entity to notify the serious data breach under section 26WR below.
93. The scope of section 26WH should be considered alongside existing APP 11.1 of the Privacy Act, which requires entities to take reasonable steps to secure personal information they hold from (among other things) unauthorised access, unauthorised disclosure and loss, all of which are included in the meaning of the term 'eligible data breach' as defined in Division 2. Existing section 20Q and subsection 21S(1) of the Privacy Act, as well as the current tax file number rules issued under existing section 17 of the Privacy Act, impose equivalent obligations in relation to credit reporting information, credit eligibility information and tax file number information respectively, and are all also mentioned in the definition of the term 'eligible data breach' in Division 2. Though an entity that fails to become aware that there are reasonable grounds to suspect an eligible data breach of the entity has occurred will not necessarily breach the applicable existing security requirement that applies to the information concerned, the various requirements for the entity to have taken 'reasonable steps' to secure personal information are expected to assist in placing entities in a position where they are able to become so aware where it would be reasonable for them to do so.
Assessment
94. Subsection 26WH(2), which is titled 'Assessment', provides in paragraph 26WH(2)(a) that, where subsection 26WH applies, the entity must carry out a reasonable and expeditious assessment of whether the relevant circumstances constitute an eligible data breach of the entity.
95. The reference to a 'reasonable and expeditious' assessment reflects an intention that an assessment should be limited to matters that are reasonably likely to be relevant in the circumstances, and should be conducted as promptly and efficiently as practicable in the circumstances. An assessment which considers a range of matters which could not reasonably be considered relevant in the circumstances, or that is not conducted as promptly or efficiently as possible in the circumstances, would not fall within the scope of paragraph 26WH(2)(a).
96. The phrase 'reasonable and expeditious' in paragraph 26WH(2)(a) is not intended to create a direct relationship in all circumstances between the time required to undertake a reasonable and expeditious assessment and the size of a potential eligible data breach (either in terms of the volume of information potentially involved, or the number of individuals potentially affected). For example, depending on the circumstances, the time taken to undertake a reasonable and expeditious assessment of an eligible data breach affecting a large number of individuals may take the same amount of time as an assessment of an eligible data breach affecting fewer individuals.
97. The phrase 'reasonable and expeditious' in paragraph 26WH(2)(a) is not intended to discourage entities from undertaking, or attempting to undertake, action to remediate the risk of harm under section 26WF above in favour of undertaking an assessment under section 26WH. It is intended that an 'expeditious' assessment could still occur where an entity which suspects an eligible data breach has occurred takes time to undertake or attempt to undertake such remedial action, so long as they can justify their actions as 'expeditious' in all the circumstances should notification prove to be required following the assessment.
98. Paragraph 26WH(2)(b) provides that entities must take all reasonable steps to ensure that the reasonable and expeditious assessment referred to in paragraph 26WH(2)(a) is completed within 30 days after the entity becomes aware that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity. Paragraph 26WH(2)(b) reflects the view that 30 days is a preferable timeframe in which an assessment should be undertaken wherever possible, though importantly it does not require entities to complete an assessment within 30 days. Imposing a hard 30 day deadline to undertake assessments would not be appropriate, given that in the case of large or complex eligible data breaches 30 days may not be sufficient time to undertake a reasonable assessment. However, the intention of paragraph 26WH(2)(b) is to require entities to take all steps that are reasonable in the circumstances to attempt to complete the assessment within 30 days, so as to hasten notification to individuals if the assessment determines that an eligible data breach has occurred.
99. An entity which takes all reasonable steps to ensure that the assessment is completed within 30 days but is not able to complete the assessment in this time, for example because of the complexity of the suspected eligible data breach, will not be taken to have breached paragraph 26WH(2)(b). What constitutes 'all reasonable steps' in this context will vary depending on all the circumstances, including the circumstances of the entity and the suspected eligible data breach.
100. Regardless of the length of an assessment under subsection 26WH(2), the assessment (as per paragraph 26WH(1)(a)) must still be 'reasonable' in scope and completed within a timeframe that is 'expeditious' in the circumstances. This timeframe might be shorter or longer than 30 days depending on the circumstances.
101. This item also inserts a Note following subsection 26WH(2) and before section 26WK below. The Note explains that section 26WK applies where an entity has reasonable grounds to believe there has been an eligible data breach of the entity. This reflects that, in some cases, section 26WH will not apply in the event of an eligible data breach if it is clear to the relevant entity from the outset that the particular circumstances provide reasonable grounds to believe, as opposed to reasonable grounds to suspect, that there has been an eligible data breach of the entity.
Section 26WJ Exception-eligible data breaches of other entities
102. This section provides that:
- •
- where one entity complies with new section 26WH above in relation to an eligible data breach (paragraph 26WJ(a)),
- •
- and the applicable access, disclosure or loss, as the case may be, is also an eligible data breach of one or more other entities (paragraph 26WJ(b)),
- •
- then section 26WH does not apply to that other entity or those other entities.
103. Section 26WJ is intended to apply in cases where more than one entity jointly and simultaneously holds the same particular record of personal information, for example, due to outsourcing, joint venture or shared services arrangements between entities. A specific example would be where an Australian Government agency stores personal information about employees in an electronic human resources system provided by another Australian Government agency, in circumstances where both agencies could be said to simultaneously 'hold' the personal information the first agency has stored in the system (according to the definition of 'hold' in existing subsection 6(1) of the Privacy Act).
104. The intended effect of section 26WJ is that only one assessment under section 26WH needs to be undertaken into a single eligible data breach, regardless of how many entities hold the record of information which was subject to unauthorised access, unauthorised disclosure or loss, as the case may be. Section 26WH is not intended to require each of the entities to separately undertake an assessment in this scenario. However, if none of the applicable entities undertakes such an assessment, each of the entities may be found to have breached section 26WJ, depending on the circumstances.
105. Section 26WJ is silent on which entity must complete the assessment under section 26WH where section 26WJ applies. The section does not, however, prevent the entity which undertakes the assessment under section 26WH above from making inquiries and seeking assistance from any of the other entities as required, or otherwise working with those entities, to complete the assessment.
Subdivision B-General notification obligations
Section 26WK Statement about eligible data breach
106. This section sets out the circumstances in which an entity must prepare a statement about an eligible data breach and provide that statement to the Commissioner.
Scope
107. Subsection 26WK(1), which is titled 'Scope', provides that section 26WK applies where an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity (as defined in Division 2 above). An entity might form such awareness following an assessment that is required to be undertaken under section 26WJ above or otherwise.
108. The inclusion of the phrase 'reasonable grounds' in subsection 26WK(1) should be read alongside the requirement in section 26WH above to undertake an assessment where the entity merely has reason to suspect that an eligible data breach of the entity has occurred. Subsection 26WK(1) is intended to ensure that notification is required both in cases where an entity is aware that an eligible data breach has occurred and where the evidence is not definitive but would nonetheless suggest (after an assessment has been completed under section 26WH or otherwise) that there are reasonable grounds to believe that an eligible data breach has occurred. What constitutes 'reasonable grounds' will vary depending on the circumstances. For example, a pattern of complaints may provide the entity reasonable grounds to believe that an eligible data breach of the entity has occurred. On the other hand, if the complaints merely provide the entity with reason to suspect that there has been an eligible data breach of the entity, the assessment requirement under section 26WH will apply.
Statement
109. Subsection 26WK(2), which is titled 'Statement', provides that, where section 26WK applies, the entity must:
- •
- prepare a statement that complies with subsection 26WK(3) (subparagraph 26WK(2)(a)(i)) ( a subparagraph 26WK(2)(a)(i) statement )
- •
- give a copy of the subparagraph 26WK(2)(a)(i) statement to the Commissioner (subparagraph 26WK(2)(a)(ii)), and
- •
- do both of the above things as soon as practicable after the entity becomes aware that there are reasonable grounds to believe there has been an eligible data breach of the entity (paragraph 26WK(2)(b)).
110. The Commissioner may choose to publish guidance to assist entities to comply with the requirement to give a copy of the subparagraph 26WK(2)(a)(i) statement to the Commissioner. For example, the guidance material could ask entities to send a copy of the subparagraph 26WK(2)(a)(i) statement to a particular email address, or include details about additional information the Commissioner may ask entities to provide about an eligible data breach if the Commissioner considers that the information is required to undertake his or her functions under the Privacy Act.
111. What constitutes a 'practicable' timeframe for the purposes of paragraph 26WK(2)(b) to prepare a subparagraph 26WK(2)(a)(i) statement and give a copy of the statement to the Commissioner will vary depending on the time, effort or cost required to comply with paragraph 26WK(2)(b), when considered in all the circumstances of the entity and the data breach.
112. Subsection 26WK(3) outlines the information that must be set out in a subparagraph 26WK(2)(a)(i) statement. The required information is:
- •
- the identity and contact details of the entity (paragraph 26WK(3)(a))
- •
- a description of the eligible data breach that the entity has reasonable grounds to believe has happened (paragraph 26WK(3)(b))
- •
- the kind or kinds of information concerned (paragraph 26WK(3)(c)), and
- •
- recommendations about the steps that individuals should take in response to the serious data breach that the entity has reasonable grounds to believe has happened (paragraph 26WK(3)(d)).
113. The recommendations that must be included in the subparagraph 26WK(2)(a)(i) statement under paragraph 26WK(3)(d) are intended to provide individuals whose information has been compromised in an eligible data breach with general advice about steps they should take to mitigate the harm that may arise to them as a result. Examples could include recommending that individuals request a copy of their credit report if an eligible data breach might result in credit fraud. While entities are expected to make reasonable efforts to identify and include recommendations that are relevant in the circumstances and would hold utility for individuals whose information was compromised in an eligible data breach, they are not expected to identify or include every possible recommendation that could be included following an eligible data breach. Guidance material from the Commissioner may assist entities in identifying the kinds of recommendations that entities could include under paragraph 26WK(3)(d).
114. The list of matters in subsection 26WK(3) that the subparagraph 26WK(2)(a)(i) statement must include does not prevent entities from providing individuals with other information about the eligible data breach in addition to the statement. For example, when providing the statement to affected individuals, entities might wish to additionally offer an apology to those individuals. Guidance material from the Commissioner may identify other kinds of information that entities may wish to consider including in addition to a subparagraph 26WK(2)(a)(i) statement.
115. The effect of subsection 26WK(4) is that, where an entity is preparing a subparagraph 26WK(2)(a)(i) statement for an eligible data breach which is also an eligible data breach of one or more other entities, the statement may also set out the identity and contact details of the other entities. This is intended to apply in cases where more than one entity jointly and simultaneously holds the same particular record of personal information, for example, due to outsourcing, joint venture or shared services arrangements between entities. Inclusion of this information is optional rather than mandatory to reflect that in some cases the information may not be of relevance to individuals receiving the notification. For example, if an individual has a customer relationship with the entity providing the subparagraph 26WK(2)(a)(i) statement, but is not likely to be aware of an outsourced service provider who also experienced an eligible data breach due to the same access, disclosure or loss, as the case may be, providing contact details for the latter entity may not serve any utility. Depending on the circumstances, it may be more appropriate to instead simply describe the outsourced service provider's role in the description of the eligible data breach under paragraph 26WK(3)(b) rather than providing the entity's contact details as per subsection 26WK(4).
Section 26WL Entity must notify eligible data breach
116. This section sets out how an entity must notify an eligible data breach after preparing a statement falling under section 26WK above.
Scope
117. Subsection 26WL(1), which is titled 'Scope', provides that section 26WL applies where an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity (paragraph 26WL(1)(a)), and the entity has prepared a statement that complies with subsection 26WK(3) above (subparagraph 26WL(1)(b)(i)) and relates to the eligible data breach that the entity has reasonable grounds to believe has happened (subparagraph 26WL(1)(b)(ii)).
Notification
118. Subsection 26WL(2), which is titled 'Notification', sets out three possible options for notifying the subparagraph 26WK(2)(a)(i) statement. In short, an entity must either:
- •
- if it is practicable to do so, take such steps as are reasonable in the circumstances to notify each of the individuals to whom the relevant information compromised in an eligible data breach relates (paragraph 26WL(2)(a)), or
- •
- if it is practicable to do so, take such steps as are reasonable in the circumstances to notify those individuals who are considered to be 'at risk' from the eligible data breach, as defined in paragraph 26WE(2)(d) above (paragraph 26WL(2)(b)), or
- •
- if it is not practicable to notify via either of the above two methods, notify the subparagraph 26WK(2)(a)(i) statement by publishing the statement on the entity's website (if any) (subparagraph 26WL(2)(c)(i)), and taking reasonable steps to publicise the statement (subparagraph 26WL(2)(c)(ii)).
119. These options are described in detail below. 'Practicability' in the context of paragraphs 26WL(2)(a)-(c) is intended to involve considerations about whether the time, effort or cost of a particular form of notification, when considered in all the circumstances of the entity and the data breach, would render such notification impracticable. Where an entity considers that it would not be practicable to comply with either paragraph 26WL(2)(a) or 26WL(2)(b), an entity must notify under paragraph 26WL(2)(c) (though other exceptions in Part IIIC may still apply, including an exception that applies because the entity applied to the Commissioner under section 26WQ below).
120. The concept of 'taking such steps as are reasonable in the circumstances' in paragraphs 26WL(2)(a) and 26WL(2)(b) is used elsewhere in the Privacy Act. As noted in the Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, the phrase 'reasonable in the circumstances' is an objective test that ensures that the specific circumstances of each case have to be considered when determining the reasonableness of the steps in question.
121. Under paragraph 26WL(2)(a), if it is practicable to do so, an entity can take such steps as are reasonable in the circumstances to notify the contents of a subparagraph 26WK(2)(a)(i) statement to each of the individuals to whom the relevant information which has been or is assumed to have been subject to unauthorised access or unauthorised disclosure in an eligible data breach relates.
122. An entity might choose to notify a subparagraph 26WK(2)(a)(i) statement under this method, where it is practicable to do so, if it would require an unreasonable volume of resources for the entity to assess which affected individuals are 'at risk' from an eligible data breach and which are not. An example might be an eligible data breach involving unauthorised access to a customer database containing varying amounts of personal information about a large number of individuals, where only some of those individuals might be 'at risk' due to the eligible data breach. Notification to the entire 'cohort' of individuals in this scenario may reduce the cost of compliance for the entity, and would also allow each individual who is notified of the contents of the subparagraph 26WK(2)(a)(i) statement to consider whether they need to take any action in response to the eligible data breach. It would also still ensure that all individuals who are 'at risk' receive notification.
123. Under subparagraph 26WL(2)(b), if it is practicable to do so, an entity can take such steps as are reasonable in the circumstances to notify the contents of a subparagraph 26WK(2)(a)(i) statement to those individuals who are 'at risk' from the eligible data breach.
124. An entity might choose to notify a subparagraph 26WK(2)(a)(i) statement under this method when the entity is able to ascertain with a high degree of confidence that only some particular individuals whose information has been or is assumed to have been subject to unauthorised access or unauthorised disclosure in an eligible data breach are 'at risk' from the eligible data breach. Returning to the customer database example above, if the entity was able to determine that the only likely result of serious harm from the eligible data breach would involve payment information stored in relation to a specific subset of the broader 'cohort' of individuals, meaning that only that subset is 'at risk' from the eligible data breach, the entity might choose to notify the contents of the paragraph 26WK(2)(a)(i) statement under paragraph 26WE(2)(b). As the entity could be confident that the remaining individuals would not be 'at risk' from the eligible data breach, notifying those individuals would serve no utility in the sense that they would not need to take any action to protect themselves from serious harm as a result of the eligible data breach.
125. In cases where all individuals whose information has been, or is assumed to have been, subject to unauthorised access or unauthorised disclosure in an eligible data breach are 'at risk' from the eligible data breach, there will be no practical difference between notifying the subparagraph 26WK(2)(a)(i) statement under paragraph 26WL(2)(a) or 26WL(2)(b).
126. Paragraph 26WL(2)(c) applies where neither paragraph 26WL(2)(a) nor 26WL(2)(b) applies - that is, where it is not practicable for an entity to notify the contents of a subparagraph 26WK(2)(a)(i) statement under either paragraph 26WL(2)(a) or 26WL(2)(b). In this situation, publishing a copy of the subparagraph 26WK(2)(a)(i) statement on the entity's website (if the entity has a website) is a suitable substitute notification method (subparagraph 26WL(2)(c)(i)), so long as the entity also takes reasonable steps to publicise the contents of the statement (subparagraph 26WK(2)(c)(ii)).
127. Subparagraph 26WL(2)(c)(i) does not prescribe precisely how entities must publish a statement on their website. It is intended that the statement will be published on the entity's website in a way that is reasonable in the circumstances.
128. The intended purpose of taking reasonable steps to publicise the contents of the subparagraph 26WK(2)(a)(i) statement under subparagraph 26WL(2)(c)(ii) is to increase the likelihood that the eligible data breach described in the statement comes to the attention of affected individuals. The subparagraph is phrased in technology neutral terms to allow entities to choose the publication channels most likely in the circumstances to be effective in bringing an eligible data breach to the attention of affected individuals. A simple step that would ordinarily be expected to be reasonable in the context of online publication would be ensuring that the subparagraph 26WK(2)(a)(i) statement can be indexed by online search engines. Other examples that may be reasonable depending on the circumstances include taking out a print or online advertisement in a publication or on a website the entity considers reasonably likely to reach affected individuals, or publishing an announcement on the entity's social media channels.
129. In some cases (such as an eligible data breach that involves a particularly serious form of harm, or that affects a large number of individuals), it might be reasonable to take more than one step to publicise the contents of the subparagraph 26WK(2)(a)(i) statement under subparagraph 26WL(2)(c)(ii). For example, if it is reasonable to do so, an entity could take out multiple print or online advertisements (which could include paid advertisements on social media channels), publish posts on multiple social media channels, or use both traditional media and online channels.
130. Possible approaches to publicising the contents of the subparagraph 26WK(2)(a)(i) statement as required under subparagraph 26WK(2)(c)(ii) are likely to vary depending on the particular channel or channels chosen to do so. For example, where space and cost allows, the entity may choose to simply republish the entirety of the information required to be included in the subparagraph 26WK(2)(a)(i) statement. Another option, if the available space is limited, or the cost of republishing the entire statement would not be reasonable in all the circumstances, would be to summarise the information required to be included in the statement and provide a hyperlink to the copy of the statement published on the entity's website under subparagraph 26WL(2)(c)(i) (bearing in mind that the ability and likelihood of affected individuals being able to access the statement online may determine the appropriateness of relying solely on such an approach). Entities may also choose to adopt both approaches if they are taking multiple reasonable steps under subparagraph 26WL(2)(c)(ii), and the capabilities or requirements of the chosen channels vary.
131. Where an entity considers that compliance with paragraph 26WL(2)(a), 26WL(2)(b) or 26WL(2)(c) would not be reasonable in the circumstances, the entity may apply to the Commissioner for an exemption from the notification requirement (see section 26WQ below).
132. This item also inserts a Note following subsection 26WL(2) and before subsection 26WL(3) below. The Note directs readers to see also subsections 26WF(2) and 26WF(5), which deal with remedial action. As explained above, the effect of subsection 26WF(2) and 26WF(5) is that, if an eligible data breach occurs and the entity concerned is able to remediate the harm in relation to particular individuals among a group of individuals whose information was subject to unauthorised access, unauthorised disclosure or loss in the eligible data breach, the entity is not required to notify those particular individuals.
133. Subsection 26WL(3) provides that entities must comply with subsection 26WL(2) as soon as practicable after preparing the subparagraph 26WK(2)(a)(i) statement. Similar to paragraphs 26WL(2)(a)-(c) above, 'practicability' in the context of subsection 26WL(3) is intended to capture considerations about whether the time, effort or cost of complying with subsection 26WL(2), when considered in all the circumstances of the entity and the data breach, would render such notification impracticable.
Method of providing the statement to an individual
134. Without limiting paragraph 26WL(2)(a) or 26WL(2)(b), subsection 26WL(4), which is titled 'Method of providing the statement to an individual', provides that where an entity normally communicates with an individual using a particular method, any notifications provided to the individual under paragraph 26WL(2)(a) or 26WL(2)(b) may use that method. This is intended to reduce the cost of compliance for entities but also to ensure that individuals receive notifications through communication channels that they expect relevant entities to use, presented in ways they would expect from the relevant entity. Where there is no normal mode of communication with the particular individual the entity must take reasonable steps to communicate with him or her. Reasonable steps could include contact by email, telephone or post.
Section 26WM Exception-eligible data breaches of other entities
135. This section provides that:
- •
- where one entity complies with sections 26WK and 26WL above in relation to an eligible data breach (paragraph 26WM(a)),
- •
- and the applicable access, disclosure or loss, as the case may be, is also an eligible data breach of one or more other entities (paragraph 26WM(b)),
- •
- then sections 26WK or 26WL do not apply in relation to the eligible data breach of that other entity or those other entities.
136. This section is intended to apply in cases where more than one entity jointly and simultaneously holds the same particular record of personal information, for example, due to outsourcing, joint venture or shared services arrangements between entities. It is intended to work in the same way as other sections dealing with such scenarios, and in particular section 26WJ above, with the effect that only one subparagraph 26WK(2)(a)(i) statement must be prepared under section 26WK and notified under section 26WL for a single eligible data breach, regardless of how many entities hold the record of information that was compromised in the eligible data breach.
Section 26WN Exception-enforcement related activities
137. This section applies if:
- •
- the relevant entity is an enforcement body (paragraph 26WN(a))
- •
- the chief executive officer of the enforcement body believes on reasonable grounds that there has been an eligible data breach of the enforcement body (paragraph 26WN(b)), and
- •
- the chief executive officer believes that compliance section 26WL would be likely to prejudice one or more enforcement-related activities conducted by, or on behalf of, the enforcement body (paragraph 26WN(c)).
138. In these circumstances, paragraphs 26WK(3)(d) and section 26WL do not apply in relation to:
- •
- the eligible data breach of the enforcement body (paragraph 26WN(d)), and
- •
- if the eligible data breach was also an eligible data breach of one or more other entities - those entities (paragraph 26WN(e)).
139. 'Enforcement body' and 'enforcement related activities' are defined in existing subsection 6(1) of the Privacy Act. The effect of this provision is that an enforcement body is not required to notify affected individuals of the contents of the subparagraph 26WK(2)(a)(i) statement, either individually or in compliance with paragraph 26WL(2)(c) above. However, with the exception of paragraph 26WK(3)(d), the entity must still comply with subparagraphs 26WK(2)(a)(i) (i.e., the entity must prepare a statement that complies with paragraphs 26WK(3)(a), 26WK(3)(b) and 26WK(3)(c)) and subparagraph 26WK(2)(a)(ii) (i.e. the entity must give a copy of that statement to the Commissioner).
140. The rationale for not requiring an entity in these circumstances to prepare a statement that complies with paragraph 26WK(3)(d), which deals with recommendations about steps individuals should take in response to an eligible data breach, is that providing these recommendations to the Commissioner will serve no utility if affected individuals are not being notified of the eligible data breach.
141. This exception is intended to ensure that the legitimate activities of enforcement bodies are not disrupted or affected by the notification requirement. However, it does not extend to eligible data breaches that are not related to enforcement activities such as the inadvertent disclosure of personal information unrelated to investigations or intelligence gathering. It also ensures that notification to the Commissioner is still required, so that the Commissioner can advise and assist enforcement bodies in responding to data breaches, and can continue to collect important information about data breaches to assist in combating or addressing them into the future.
142. Paragraph 26WN(e) is intended to deal with similar circumstances to sections 26WJ and 26WM above, that is, where an enforcement body and one or more other entities (who may or may not also be enforcement bodies) jointly and simultaneously hold the same particular record of personal information that has been subject to an eligible data breach. Paragraph 26WN(e) ensures that the effect of this section is not undermined by requiring those other entities to notify the eligible data breach, where notification would prejudice one or more enforcement related activities undertaken by, or on behalf of, the enforcement body.
Section 26WP Exception-inconsistency with secrecy provisions
143. This section makes clear how the requirements in sections 26WK(2) and 26WL interact with secrecy provisions in other legislation. Different rules apply to particular secrecy provisions that have been prescribed in regulations under the Privacy Act for the purposes of this section.
Secrecy provisions
144. The effect of subsection 26WP(1), which is titled 'Secrecy provisions', is that for the purpose of this section a 'secrecy provision' is a provision of the law of the Commonwealth (other than the Privacy Act) that prohibits or regulates the use or disclosure of information.
145. Subsections 26WP(2) provides that, if compliance with the requirement in subparagraph 26WK(2)(a)(ii) to give the Commissioner a copy of a statement about an eligible data breach the entity has reasonable grounds to believe has happened would, to any extent, be inconsistent with a secrecy provision (other than a secrecy provision prescribed for the purposes of this section), subsection 26WK(2) does not apply to the entity to the extent of the inconsistency. (The reference to subsection 26WK(2) is intended to operate so that, where an entity is not required to provide a subparagraph 26WK(2)(a)(i) statement to the Commissioner because of subsection 26WP(2), the entity will not be required to nonetheless prepare such a statement under subparagraph 26WK(2)(a)(i).)
146. Subsection 26WP(3) applies in equivalent terms to subsection 26WP(2) in relation to the requirement under section 26WL to notify a subparagraph 26WK(2)(a)(i) statement to affected individuals.
147. In terms of assessing whether a secrecy provision is to 'any extent inconsistent' with subparagraph 26WK(2)(a)(ii) or section 26WL, subsections 26WP(2) and 26WP(3) are intended to operate so that:
- •
- if a secrecy provision does not apply or otherwise does not prohibit a disclosure of information that is required or authorised by or under another law (such as subparagraph 26WK(2)(a)(ii) or section 26WL), inconsistency would not arise between the secrecy provision and subparagraph 26WK(2)(a)(ii) or section 26WL
- •
- on the other hand, if a secrecy provision does apply, and does not provide an allowance for an entity to disclose information where required or authorised by or under another law, then inconsistency may arise between the secrecy provision and subparagraph 26WK(2)(a)(ii) or section 26WL, and
- •
- if a secrecy provision provides a decision maker with discretion to disclose information or not, that discretion would remain in place (as a provision regulating the use or disclosure of information) in relation to the decision about whether to comply with subparagraph 26WK(2)(a)(ii) or section 26WL, so as to avoid inconsistency between subparagraph 26WK(2)(a)(ii) or section 26WL and the terms of the secrecy provision.
148. Subsections 26WP(2) and 26WP(3) also both require entities to comply with subparagraph 26WK(2)(a)(ii) or section 26WL except 'to the extent of the inconsistency' with a secrecy provision. This is intended to operate so that, if complying with those provisions in relation to only some of the information compromised in an eligible data breach would be inconsistent to any extent with a secrecy provision, the entity would still be required to comply in relation to any remaining information, if doing so would not be inconsistent to any extent with the secrecy provision in question (and if no other exceptions applied). In some cases it may also be possible for an entity to avoid inconsistency by complying with the notification requirements in a manner which does not disclose information that would give rise to inconsistency, for example, by preparing a subparagraph 26WK(2)(a)(i) statement which provides only very general information about an eligible data breach.
149. Another effect of subsections 26WP(2) and 26WP(3) is that entities can consider separately whether compliance would be inconsistent to any extent to the requirements contained in subparagraph 26WK(2)(a)(ii) and section 26WL. For example, it may be possible that notifying the Commissioner under subparagraph 26WK(2)(a)(ii) would not be inconsistent with a secrecy provision, but notifying individuals under section 26WL would be, in which case the entity would be required to notify only the Commissioner.
Prescribed secrecy provisions
150. Subsection 26WP(4), which is titled 'Prescribed secrecy provisions', provides that for the purposes of this section a 'prescribed secrecy provision' is a secrecy provision (as per the meaning in subsection 26WP(1)) prescribed in regulations under the Privacy Act.
151. The regulation-making power in subsection 26WP(4) will work in a similar way to the regulation-making power in existing paragraph 80P(7)(e) of the Privacy Act. The intention of including the regulation-making power is to ensure adequate flexibility in the event that it becomes apparent that it would be in the public interest for a new or existing secrecy provision in other Commonwealth legislation to prevail over the requirements contained in subparagraph 26WK(2)(a)(ii) or section 26WL, even if inconsistency would not otherwise exist between subparagraph 26WK(2)(a)(ii) or section 26WL and the prescribed secrecy provision. Consequently, the effect of subsection 26WP(5) is that a prescribed secrecy provision could be deemed to be inconsistent with subparagraph 26WK(2)(a)(ii) and section 26WL even if the prescribed secrecy provision allows an entity to disclose information where authorised or required by or under other laws.
152. Subsections 26WP(6) and 26WP(7) are intended to operate in a similar way to subsections 26WP(2) and 26WP(3) above. An important difference, however, is that subsections 26WP(6) and 26WP(7) lack the requirement that entities only need not comply 'to the extent of the inconsistency' between a secrecy provision and the requirements in subparagraph 26WK(2)(a)(ii) and section 26WL. This means that, if complying with subparagraph 26WK(2)(a)(ii) and section 26WL would to any extent be inconsistent with a prescribed secrecy provision, compliance is not required, even if compliance might have been required to some extent under subsections 26WP(2) and 26WP(3) if the secrecy provision had not been a prescribed secrecy provision.
153. It is intended that, before a secrecy provision is prescribed under this section, consideration would be given to whether existing exceptions in the new Part IIIC (such as the exception for enforcement related activities in section 26WN above, or the Commissioner's declaration power in section 26WQ below) are sufficient to avoid the kind of harm prescription in the regulations would be intended to avoid. It is also intended that consultation undertaken in accordance with section 17 of the Legislation Act 2003 before prescribing a secrecy provision in regulations would include consultation with the Commissioner.
Section 26WQ Exception-declaration by Commissioner
154. This section provides that the Commissioner may, by written notice given to an entity, declare that the requirements to prepare a subparagraph 26WK(2)(a)(i) statement under section 26WK and notify that statement under section 26WL do not apply to the entity, or that the entity has until the end of specified period of time to comply with subsection 26WL(2) above ( a subsection 26WQ(1) declaration ).
155. The effect of paragraphs 26WQ(1)(a) and (b) is that the Commissioner can only give a subsection 26WQ(1) declaration to an entity where the Commissioner is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity, or is informed by an entity that the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity.
156. The effect of paragraph 26WQ(1)(b) is that an entity is only entitled to apply to the Commissioner under paragraph 26WQ(5)(b) below if the entity is aware that there are reasonable grounds to believe that an eligible data breach of the entity has occurred. This provision is intended to discourage entities from making an application if they do not have reasonable grounds to believe an eligible data breach has occurred, and should in that way allow entities to avoid any costs which might have been incurred in unnecessarily lodging an application.
157. Where an entity is only aware that there are reasonable grounds to suspect there may have been an eligible data breach of the entity, the requirement to undertake an assessment of the relevant circumstances under section 26WH above will apply. If, after undertaking such an assessment, the entity forms the view that there are reasonable grounds to believe that an eligible data breach has occurred, the entity would be entitled to apply to the Commissioner under paragraph 26WQ(5)(b). Entities applying to the Commissioner under paragraph 26WQ(5)(b) would be required to do so as soon as practicable after the entity becomes aware of reasonable grounds to believe an eligible data breach of the entity has occurred. This is consistent with the notification timeframes in paragraph 26WK(2)(b) and subsection 26WL(3) above.
158. Where paragraph 26WQ(1)(a) or 26WQ(1)(b) apply, the Commissioner may give a subsection 26WQ(1) declaration to the entity stating:
- •
- that sections 26WK and 26WL do not apply to the entity (subparagraph 26WQ(1)(c)(i)), or
- •
- that the entity must comply with subsection 26WL(3), which requires entities to notify a subparagraph 26WK(2)(a)(i) statement under subsection 26WL(2) as soon as practicable after preparing that statement, as though subsection 26WL(3) instead required the entity to notify the statement under subsection 26WL(2) before the end of a period specified in the subsection 26WQ(1) declaration (paragraph 26WQ(1)(d)).
159. The effect of subparagraphs 26WQ(c)(ii) and 26WQ(d)(ii) is that, if the Commissioner gives a subsection 26WQ(1) declaration to an entity in relation to an eligible data breach that is also an eligible data breach of one or more other entities, the subsection 26WQ(1) declaration also applies to those entities. This is intended to operate in a similar way to sections 26WJ, 26WM and paragraph 26WN(e) above, in situations where one or more entities jointly and simultaneously hold the same particular record of personal information that has been subject to an eligible data breach. These subparagraphs should be read alongside subsection 26WQ(10) below, which deals with the ability of each entity in such a situation to apply to the Commissioner under paragraph 26WB(5)(b) separately in these circumstances. The subparagraphs should also be read alongside Item 4 and Item 5 below, which may provide review rights for each entity in some circumstances.
160. Subsection 26WQ(2) provides that a subsection 26WQ(1) declaration under paragraph 26WQ(1)(d) can only extend the period of time the entity has to comply with subsection 26WL(2) to the end of a period that the Commissioner is satisfied in reasonable in the circumstances. For example, if complying with subsection 26WL(2) would prejudice a law enforcement investigation into the circumstances of the eligible data breach (and the exception in section 26WN above would not apply), the Commissioner could give the entity a subsection 26WQ(1) declaration exempting the entity from complying with subsection 26WL(2) until a point in time when the Commissioner is reasonably satisfied that such prejudice will no longer occur.
161. Subsection 26WQ(3) provides that the Commissioner must not give an entity a subsection 26WQ(1) declaration unless the Commissioner is satisfied that it is reasonable in the circumstances to do so, having regard to:
- •
- the public interest (paragraph 26WQ(3)(a))
- •
- any 'relevant advice' given to the Commissioner by an enforcement body or the Australian Signals Directorate ( ASD ) of the Defence Department (subparagraphs 26WQ(3)(b)(i) and 26WQ(3)(b)(ii)), and
- •
- such other matters (if any) as the Commissioner considers relevant (paragraph 26WQ(3)(c)).
162. For the purposes of subsection 26WQ(3), it is expected that the Commissioner will develop guidance in consultation with all relevant stakeholders on what factors will need to be taken into account in determining whether giving a subsection 26WQ(1) declaration would be reasonable in the circumstances.
163. In terms of a mechanism to grant exemptions in the public interest, the ALRC commented that such a provision could cover situations, for example, where there is a law enforcement investigation being undertaken into a data breach and notification would impede that investigation, or where the information concerned matters of national security. This provision is intended to include cases of that nature (where these activities, or the information concerned, are not already exempt from the scheme), particularly where a private sector organisation suffers the data breach and is responsible for reporting. In those situations, it is expected that a private sector organisation or Commonwealth agency would seek or have otherwise already received advice from an enforcement body or ASD before applying to the Commissioner for a subsection 26WQ(1) declaration.
164. Advice is intended to be 'relevant advice' for the purposes of paragraph 26WQ(3)(b) when it is relevant to the Commissioner's decision to give a subsection 26WQ(1) declaration in relation to a particular eligible data breach. The 'relevant advice' could be given to the Commissioner either at the initiative of either an enforcement body or ASD, or on request from the Commissioner to those entities. It is also possible that an entity could provide a copy of such advice with appropriate bona fides when applying to the Commissioner for a subsection 26WQ(1) declaration under paragraph 26WQ(5)(b).
165. Subparagraph 26WQ(3)(b)(i) is intended to ensure that enforcement bodies can give advice about whether giving a subsection 26WQ(1) declaration to an entity is necessary to avoid prejudicing an enforcement related activity of the enforcement body (or another enforcement body). This subparagraph could apply to any entity included in the definition of 'enforcement body' in existing subsection 6(1) of the Privacy Act.
166. Subparagraph 26WQ(3)(b)(ii) applies to relevant advice from ASD because of ASD's cyber-security expertise and role in providing advice and assistance on information and communications security (including through the Australian Cyber Security Centre). For example, ASD might wish to give the Commissioner relevant advice that notifying an eligible data breach involving a cyber intrusion into an entity's IT systems before any relevant vulnerabilities have been addressed may result in further eligible data breaches of the entity, or raise other concerns.
167. The effect of subsection 26WQ(4) is that the 'relevant advice' provisions in paragraph 26WQ(3)(b) do not prevent the Commissioner from considering advice received or sought from other sources when deciding whether to give an entity a subsection 26WQ(1) declaration. The Commissioner could potentially consider advice of this kind under the requirement in paragraph 26WQ(3)(c) for the Commissioner to consider 'such other matters (if any) as the Commissioner considers relevant'. For example, if an entity applying for a declaration provided the Commissioner with a copy of advice about the eligible data breach received from CERT Australia - part of the Attorney-General's Department which provides assistance to Australian businesses about cyber security issues -the Commissioner would be required to consider such advice if he or she considered it relevant.
168. New subsection 26WQ(5) provides that the Commissioner may issue a subsection 26WQ(1) declaration either on the Commissioner's own initiative (paragraph 26WQ(5)(a)) or on application made by the entity (paragraph 26WQ(5)(b)). A decision by the Commissioner to refuse to give a subsection 26WQ(1) declaration on application by the entity, or a refusal to grant the entity the full extended period of time requested by the entity to comply with subsection 26WL(2), will be reviewable by the Administrative Appeals Tribunal (see Item 4 and Item 5 below).
Applications
169. Subsection 26WQ(6), which is titled 'Applications', provides that an entity can apply to the Commissioner under paragraph 26WQ(5)(b) for:
- •
- a paragraph 26WQ(1)(c) declaration: that is, a declaration that an entity does not need to comply with sections 26WK and 26WL in relation to an eligible data breach (paragraph 26WQ(6)(a))
- •
- a paragraph 26WQ(1)(d) declaration: that is, a declaration that an entity has an extended period of time to notify an eligible data breach under section 26WL(2) (paragraph 26WQ(6)(b)), or
- •
- a paragraph 26WQ(1)(c) declaration, or if the Commissioner is not disposed to make such a declaration, a paragraph 26WQ(1)(d) declaration: which is intended to recognise that in some cases where the Commissioner is not disposed to grant a paragraph 26WQ(1)(c) declaration, he or she may be willing to grant a paragraph 26WQ(1)(d) declaration, and should have discretion to do so in the interests of flexibility (paragraph 26WQ(6)(c)).
170. Subsection 26WQ(7) provides that, where the Commissioner refuses an application made by an entity under paragraph 26WQ(5)(b) for a subsection 26WQ(1) declaration, the Commissioner must give written notice of the refusal.
171. Subsection 26WQ(8) provides that:
- •
- where an entity applies to the Commissioner for a paragraph 26WQ(1)(d) declaration nominating a particular specified time - that is, a declaration that the entity has until the end of the period of time the entity has nominated to comply with subsection 26WL(2) above, and
- •
- the Commissioner decides to gives a paragraph 26WQ(1)(d) declaration for a different period of time
then the Commissioner's decision is taken not to be a refusal for the purposes of subsection 26WQ(7).
172. Subsection 26WQ(8) and Item 4 and Item 5 below together operate so that entities can nonetheless seek AAT review in the event that the Commissioner is willing to grant a subsection 26WQ(1) declaration, but not for the period of time for which the entity nominated in its application. Subsection 26WQ(8) is necessary for technical reasons to distinguish such a decision from a refusal by the Commissioner to grant a paragraph 26WQ(1)(d) declaration for any period of time, which is also a reviewable decision at the AAT under Item 4 and Item 5.
173. Subsection 26WQ(9) provides that, where an entity makes an application under paragraph 26WQ(5)(b) that, to any extent, relates to an eligible data breach of the entity, sections 26WK and 26WL above do not apply to:
- •
- the eligible data breach (paragraph 26WQ(9)(a))
- •
- if the access, disclosure or loss that constituted the eligible data breach is also an eligible data of one or more other entities-those other entities (paragraph 26WQ(9)(b))
until the Commissioner makes a decision on the application.
174. Subsection 26WQ(9) is intended to have similar effect to provisions in Part IIIC such as sections 26WJ, 26WM, paragraph 26WN(e) and in particular subparagraph 26WQ(1)(c)(ii) and subparagraph 26WQ(1)(d)(ii) above, in situations where one or more entities jointly and simultaneously hold the same particular record of personal information that has been subject to an eligible data breach. Subsection 26WQ(9) will ensure that, in these situations, where one entity applies to the Commissioner under paragraph 26WQ(5)(b), the timeframes for notification under sections 26WK and 26WL cease to apply to each of the entities until the Commissioner makes a decision on the application. This avoids complex compliance issues which could arise if the clock stopped for only some of the entities concerned, and is consistent with the provision in subparagraph 26WQ(1)(c)(ii) and subparagraph 26WQ(1)(d)(ii) that, in these situations, a subsection 26WQ(1) declaration applies to each of the entities concerned.
175. Subsection 26WQ(10) provides that an entity cannot apply to the Commissioner under paragraph 26WQ(5)(b) in relation to an eligible data breach where the access, disclosure or loss in question was also an eligible data breach of another entity that has already applied to the Commissioner under paragraph 26WQ(5)(b). This provision is included for efficiency reasons to ensure that the Commissioner does not receive multiple applications from different entities in relation to the same eligible data breach.
176. An entity who cannot apply to the Commissioner because of subsection 26WQ(10) will still be excused from complying with the timeframes for notification under sections 26WK and 26WL while the Commissioner makes a decision on the application (due to subsection 26WQ(9) above). If the Commissioner gives a subsection 26WQ(1) declaration in response to an application from one of the other entities who experienced the eligible data breach, an entity which could not apply to the Commissioner because of subsection 26WQ(10) will also be excused from complying with sections 26WK and 26WL in the same way as the entity which applied to the Commissioner. Finally, if the Commissioner refuses to give a subsection 26WQ(1) direction to an entity, another entity who was prohibited from applying to the Commissioner in relation to the same eligible data breach because of subsection 26WQ(10) may be able to seek review of the Commissioner's decision under Item 4 and Item 5 below.
Extension of specified period
177. Subsection 26WQ(11), which is titled 'Extension for specified period', can apply where the Commissioner has given a paragraph 26WQ(1)(d) declaration to the effect that an entity has until the end of a period of time nominated in the paragraph 26WQ(1)(d) declaration to comply with subsection 26WL(2) above. Subsection 26WQ(11) provides that the Commissioner can subsequently give the entity concerned a written notice extending the period of time specified in the declaration. The decision to grant such an extension will be at the Commissioner's discretion.
Subdivision C Commissioner may direct entity to notify eligible data breach
Section 26WR Commissioner may direct entity to notify serious data breach
178. This section provides the Commissioner with the power to direct an entity to provide notification of an eligible data breach. It is envisaged that this provision may be enlivened in circumstances such as where an eligible data breach comes to the attention of the Commissioner but has not come to the attention of an entity.
179. Subsection 26WR(1) provides that if the Commissioner is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity, the Commissioner may, by written notice given to the entity, direct the entity to:
- •
- prepare a statement that complies with subsection 26WR(4) below (paragraph 26WR(1)(a)) ( a paragraph 26WR(1)(a) statement ), and
- •
- give a copy of the paragraph 26WR(1)(a) statement to the Commissioner (paragraph 26WR(1)(b)).
180. Before giving a direction under subsection 26WR(1) ( a subsection 26WR(1) direction ), the Commissioner must be aware that there are 'reasonable grounds' to believe that an eligible data breach of the entity has occurred. For example, a complaint or series of similar complaints from individuals about an entity might lead the Commissioner to become aware that there are reasonable grounds to believe that the entity has experienced an eligible data breach.
181. Subsection 26WR(2) provides that a subsection 26WR(1) direction must require entities to:
- •
- if it is practicable to do so, take such steps as are reasonable in the circumstances to notify each of the individuals to whom the relevant information compromised in an eligible data breach relates (paragraph 26WR(2)(a)), or
- •
- if it is practicable to do so, take such steps as are reasonable in the circumstances to notify those individuals who are considered to be 'at risk' from the eligible data breach, as defined in paragraph 26WE(2)(d) (paragraph 26WR(2)(b)), or
- •
- if it is not practicable to notify via either of the above two methods, notify the paragraph 26WR(1)(a) statement by publishing the statement on the entity's website (if any) (subparagraph 26WR(2)(c)(i)), and taking reasonable steps to publicise the statement (subparagraph 26WR(2)(c)(ii)).
182. These requirements are based on actions that an entity must take when notifying a subparagraph 26WK(2)(a)(i) statement under subsection 26WL(2) above.
183. This item also inserts a Note following subsection 26WR(2) and before subsection 26WR(3) below. The Note directs readers to see also subsections 26WF(2) and 26WF(5), which deal with remedial action. As explained above, the effect of subsections 26WF(2) and 26WF(5) is that, if an eligible data breach occurs and the entity concerned is able to remediate the harm in relation to particular individuals among a group of individuals whose information was subject to unauthorised access, unauthorised disclosure or loss in the eligible data breach, the entity is not required to notify those particular individuals.
184. Subsection 26WR(3) provides that, before giving an entity a subsection 26WR(1) direction, the Commissioner must invite the entity to make a submission in relation to the direction the Commissioner is deciding whether to give under section 26WR within a period specified in the invitation (subsection 26WR(3)).
185. Subsection 26WR(3) is intended to ensure that entities have a right of reply before the Commissioner gives the entity a subsection 26WR(1) direction. For example, the entity might respond to the invitation by providing evidence to the Commissioner demonstrating that an eligible data breach has not occurred. On the other hand, an entity might decide to voluntarily notify the eligible data breach after receiving the Commissioner's invitation, rather than waiting for the Commissioner to give a subsection 26WR(1) direction. The form of the invitation, and the period of time specified in the invitation for the entity to respond, will be for the Commissioner to determine depending on the particular circumstances. In deciding the form and period of time to respond specified in an invitation, it is intended that the Commissioner would have regard to the impact on the entity and the nature and imminence of the risk of harm to individuals who would receive notification of the eligible data breach the Commissioner has reasonable grounds to believe has happened.
186. Subsection 26WR(4) sets out the contents of the paragraph 26WR(1)(a) statement that an entity must prepare to give notice of an eligible data breach. These are based on the matters that must be included when an entity has an obligation to prepare a subparagraph 26WK(2)(a)(i) statement (see subsection 26WK(3) above). The statement must include:
- •
- the identity and contact details of the entity (paragraph 26WR(4)(a))
- •
- a description of the serious data breach that the Commissioner has reasonable grounds to believe has happened (paragraph 26WR(4)(b))
- •
- the kinds of information concerned (paragraph 26WR(4)(c)), and
- •
- recommendations about the steps that individuals should take in response to the data breach that the Commissioner has reasonable grounds to believe has happened (paragraph 26WR(4)(d)).
187. Subsection 26WR(5) provides that the Commissioner, in issuing a subsection 26WR(1) direction, may also require that the paragraph 26WR(1)(a) statement set out specified information that relates to the eligible data breach that the Commissioner has reasonable grounds to believe has happened. This provision is intended to operate in cases where the Commissioner considers that it is reasonable and appropriate for individuals to be provided with additional information about the data breach, for example, where the impact of an eligible data breach on individuals is particularly high, such as if individuals are at increased risk due to the time that has elapsed since the eligible data breach occurred. The specified information that relates to an eligible data breach is intended to be information that the Commissioner considers would assist individuals to take appropriate action in response to the eligible data breach. Examples could include:
- •
- information about the risk of harm to individuals that the Commissioner considers exists as a result of the eligible data breach
- •
- recommendations about steps the Commissioner considers individuals should take in response to the eligible data breach
- •
- information about complaint mechanisms available under the Privacy Act to individuals affected by the eligible data breach, or
- •
- other specified information relating to the eligible data breach that the Commissioner considers reasonable and appropriate in the circumstances to include in the paragraph 26WR(1)(a) statement.
188. The Commissioner would not be required to specify additional information that must be set out in a paragraph 26WR(1)(a) statement under subsection 26WR(5). A decision by the Commissioner to require the inclusion of specified information relating to the eligible data breach in the paragraph 26WR(1)(a) statement would be reviewable by the Administrative Appeals Tribunal as part of the general ability to seek review of a direction to notify an eligible data breach (see new Item 4 and Item 5 below).
189. Subsection 26WR(6) sets out the matters to which the Commissioner must have regard before giving a section 26WR(1) direction, which are:
- •
- any 'relevant advice' given to the Commissioner by an enforcement body (subparagraph 26WR(6)(a)(i) or ASD (subparagraph 26WR(6)(a)(ii))
- •
- any 'relevant submission' made by an entity in response to an invitation under subsection 26WR(3) (subparagraph 26WR(6)(b)(i)), received by the Commissioner within the period specified in the invitation (subparagraph 26WR(6)(b)(ii)), and
- •
- such other matters (if any) as the Commissioner considers relevant (paragraph 26WR(6)(c)).
190. These matters are based on the matters that the Commissioner must have regard to before giving a subsection 26WQ(1) declaration.
191. The effect of subsection 26WR(7) is that the 'relevant advice' provisions in paragraph 26WR(6)(a) do not prevent the Commissioner from considering advice received or sought from other sources when deciding whether to give an entity a subsection 26WR(1) direction. Subsection 26WQ(7) is based on the equivalent provision in subsection 26WQ(4) above.
192. Subsection 26WR(8) provides that, if the eligible data breach which is subject to a subsection 26WQ(1) direction is also an eligible data breach of one or more entities, the subsection 26WQ(1) direction may require the entity which receives the direction to include in the resulting subparagraph 26WR(1)(a) statement information about the identity and contact details of those other entities. This provision is based on subsection 26WK(4) above, which provides that entities can include such information when preparing a subparagraph 26WK(2)(a)(i) statement. In the same way as subsection 26WK(4) applies to entities, subsection 26WR(8) is an optional matter for the Commissioner to consider when giving a subsection 26WR(1) direction rather than a mandatory requirement, reflecting that the information may not hold utility to individuals receiving the notification in all cases.
Method of providing the statement to an individual
193. Without limiting paragraph 26WR(2)(a) or 26WR(2)(b), subsection 26WR(9), which is titled 'Method of providing the statement to an individual', provides that where an entity normally communicates with an individual using a particular method, any notifications provided to the individual under paragraph 26WR(2)(a) or 26WR(2)(b) may use that method. This provision is based on subsection 26WL(4) above.
Compliance with direction
194. Subsection 26WR(10), which is titled 'Compliance with direction', provides that an entity must comply with a subsection 26WR(1) direction as soon as practicable after the direction is given. This provision is intended to have the same effect as paragraph 26WK(2)(b) and subsection 26WL(3) above.
Section 26WS Exception-enforcement related activities
195. Section 26WS, which is titled 'Exception-enforcement related activities', provides an exception for law enforcement bodies from complying with a subsection 26WR(1) direction in some circumstances. The exception is based on the exception that applies under subsections 26WN(a), 26WN(b) and 26WN(c) above where an enforcement body is not required to notify eligible data breaches in some circumstances.
196. The key difference between section 26WS and subsections 26WN(a), 26WN(b) and 26WN(c), however, is that the enforcement body does not have to provide notification to the Commissioner after the Commissioner gives the enforcement body a subsection 26WR(1) direction. This reflects an expectation that, where this exception applies, the circumstances of the eligible data breach will be such that there would be reasonable grounds to believe that even notifying the Commissioner would prejudice an enforcement related activity conducted by or on behalf of the entity. However, it is expected that the Commissioner may in any case have some awareness of the details of the eligible data breach in question if the enforcement body provides a submission to the Commissioner under subsection 26WR(3) before the Commissioner gives the enforcement body a subsection 26WR(1) direction.
197. It is also expected that, where the Commissioner intends to issue a subsection 26WR(1) direction to an enforcement body, the consultation process under subsection 26WR(3) would ensure that the Commissioner is able to consider before issuing a subsection 26WR(1) direction whether the exception in new section 26WS is likely to apply.
Section 26WT Exception-inconsistency with prescribed secrecy provisions
198. This section makes clear how the requirement to comply with a subsection 26WR(1) direction interacts with secrecy provisions in other legislation. Different rules apply to particular secrecy provisions that have been prescribed in regulations under the Privacy Act for the purposes of this section.
199. This section is based on the exception in section 26WP above. It is expected that similar matters discussed in relation to section 26WP will be taken into account before prescribing secrecy provisions in regulations for the purposes of section 26WT.
Item 4 After paragraph 96(1)(b)
200. Item 4 of Schedule 1 inserts new paragraphs 96(1)(ba), 96(1)(bb) and 96(1)(bc) into subsection 96(1) of the Privacy Act, after existing paragraph 96(1)(b). The effect of this insertion is that paragraphs 96(1)(ba), 96(1)(bb) and 96(1)(bc) respectively provide that a decision by the Commissioner:
- •
- under subsection 26WQ(7) above to refuse to give a subsection 26WQ(1) declaration on application by an entity that the entity is exempt from an obligation to notify an eligible data breach (which could include a decision refusing to grant declarations of a kind covered by paragraphs 26WQ(1)(c) or 26WQ(1)(d))
- •
- under paragraph 26WQ(1)(d) above to give a declaration (which in practice would allow an entity to seek review where an entity nominates a particular period of time in an application for the Commissioner to make a declaration under paragraph 26WQ(1)(d), but the Commissioner makes a declaration for a shorter period of time), and
- •
- under section 26WR above to give a subsection 26WR(1) direction to an entity to notify an eligible data breach
will be subject to review by the Administrative Appeals Tribunal.
Item 5 After subsection 96(2)
201. Item 5 of Schedule 1 inserts new subsections 96(2A), 96(2B), 96(2C) and 96(2D) into section 96 of the Privacy Act, after existing subsection 96(2).
202. The effect of subsections 96(2A), 96(2B) and 96(2C) is that paragraphs 96(1)(ba), 96(1)(bb) and 96(1)(bc) which are inserted by Item 4 above respectively provide that the only entity that can apply for review of the kind of a kind mentioned in those subsections is, for a decision falling under:
- •
- paragraph 96(1)(ba), the entity who applied for the declaration that the Commissioner refused to grant under new subsection 26WQ(7), or another entity whose compliance with subsection 26WL(2) above is affected by the declaration (which is expected to operate where the eligible data breach to which the declaration relates is also an eligible data breach of another entity)
- •
- paragraph 96(1)(bb), the entity to whom the declaration under paragraph 26WQ(1)(d) was given, or another entity whose compliance with subsection 26WL(2) is affected by the declaration (which is expected to operate where the eligible data breach to which the declaration relates is also an eligible data breach of another entity)
- •
- paragraph 96(1)(bc), the entity to whom the subsection 26WR(1) direction was given.
203. Subsections 96(2A) and 96(2B) are primarily intended to operate so that, where an eligible data breach is an eligible data breach of one or more entities, each entity concerned is able to apply for AAT review of a decision by the Commissioner affecting their compliance with Part IIIC. Subsections 96(2A), 96(2B) and 96(2C) also prevent other individuals or parties from applying for AAT review of decisions falling under the new provisions inserted by Item 4 above: the intention is that, in terms of individuals whose information was subject to unauthorised access, unauthorised disclosure or loss in an eligible data breach, a complaint to the Commissioner under the Privacy Act about the eligible data breach, where grounds exist to make such a complaint, would be more appropriate than seeking AAT review of one of the above decisions.
204. Subsection 96(2D) provides that, for the purposes of subsections 96(2A), 96(2B) and 96(2C), 'entity' has the same meaning as in Part IIIC, which is defined in section 26WB above.
Item 6 Application of amendments-serious data breaches
205. Item 6 of Schedule 1 provides that Part IIIC to be inserted by this Bill applies to an access, disclosure, or loss that occurs after the commencement of Item 6. That is, none of the provisions in the Bill will operate retrospectively. Eligible data breaches that occur after the commencement date will be subject to the requirements of Part IIIC.