Pages

Thursday, June 06, 2013

Australia's first shot at mandatory data breach notification

The Privacy Amendment (Privacy Alerts) Bill 2013 reached the second reading stage when introduced in Parliament last week but still has a way to go to get through the House and Senate. It has taken five and a bit years to get to this stage since legislation was recommended by the Australian Law Reform Commission. Hopefully the looming end of this parliament will be the prompt to passage not the cause of further delay. If passed the legislation will commence along with the broader reforms to the Privacy Act on 12 March 2014.

(Update: the bill passed second and third stages in the House on 6 June and is now before the Senate Legal and Constitutional Affairs Committee. In the second reading, Opposition front bencher Michael Keenan expressed support, reserving on amendments in the Senate and raised concerns about resources at the OAIC and the March 2014 start date for the reform package.)

The Attorney General in the second reading speech gave this broad overview:
The bill provides that when an agency or organisation has suffered a serious data breach, it must notify the affected individuals and the Australian Privacy Commissioner. Prompt notifications will allow individuals to take action to protect their personal information. Individuals will be able to reset passwords, cancel credit cards, improve their online security settings, and take other measures as they see fit. The notification requirement will provide an incentive to businesses to store information securely. No business wants a reputation for not keeping its customers' personal information safe.
Agencies and organisations will only have to provide notification of serious data breaches. A requirement to provide notification of all data breaches would impose an undue regulatory burden on businesses, and it would unnecessarily alarm many customers. The notification must include information such as a description of the breach, the kinds of information concerned, recommendations about steps that individuals should take, and contact details of the entity.
The bill provides that the commissioner may direct an agency or organisation to provide affected individuals with notification of a data breach. This is a necessary measure in cases where an agency or organisation is recalcitrant or has simply made the wrong decision.
The bill also contains public interest and law enforcement exceptions. These are necessary where there are countervailing interests that outweigh the need to inform individuals about the data breach.
Where there is a failure to comply with a notification requirement, all the commissioner's enforcement powers to investigate and make determinations will be available. This could result in personal and private apologies, compensation payments and enforceable undertakings.
In the case of serious or repeated noncompliance with notification requirements, this could lead to a civil penalty being imposed by a court.
I haven't seen anything from the Opposition, independents or The Greens. The Australian Privacy Commissioner welcomed the legislation. Publicly at least, responses from business have been hard to spot.  (Update: in the continuation of the second reading Labor backbencher Michelle Rowland said the bill had been "subject to consultation in a discussion paper in October 2012 with a number of key stakeholders" so don't know who that involved. Attorney General Dreyfus in summing up said the bill had the support of Microsoft, OzHub, the OAIC, Electronic Frontiers Australia and Choice, leaving unspoken the very big end of town.)

The bill doesn't measure up in a number of respects to what the Australian Privacy Foundation(pdf) advocates.

From a closer look at the bill:

Who is covered?
The notification requirement is imposed on an APP entity - a Federal government agency or private sector body (turnover of $3m plus) covered by the Privacy Act- that is required under section 15 of the Privacy Act not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1. And credit reporting bodies and credit providers.

APP 11 provides that an entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

There are plenty of bodies not covered by the Privacy Act, for example small business operators, registered political parties, intelligence agencies, media organisations in the conduct of journalism. And separate state laws apply to state government agencies, none of which include mandatory data breach notification.

The bill provides for other exceptions including where the Information Commissioner issues a notice that exempts an entity from the notification requirement in the "public interest." A law enforcement body is also not required to comply where it believes on reasonable grounds that compliance would be likely to prejudice one or more enforcement related activities.

A hole of unknown proportions is the exception where notification would be inconsistent with secrecy provisions in other Commonwealth laws. 

The ALRC in  a 2009 report identified 506 secrecy provisions in 176 pieces of legislation, including 358 distinct criminal offences, and recommended action to repeal, rationalise and replace many such laws. No one in government seems to have said a word in response to that report since. Those secrecy provisions are relevant not only in the context of breach notification but also for whistleblower protection, the subject of other bills currently before the parliament. (I recently lodged this FOI application seeking to ascertain where work on the government response has reached.)

What is covered
This isn't every point of detail, and leaves aside the credit provider/reporter issues but the main features of the notification requirement revolve around a serious data breach, defined as follows:
  • where there is unauthorised access to, or unauthorised disclosure of, the personal information and the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the personal information relates, or
  • where the personal information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the personal information may occur; and were this to occur, the access or disclosure will result in a real risk of serious harm to any of the individuals to whom the personal information relates, or
  •  in the case where the personal information is of a kind specified in the regulations, the person is taken to be significantly affected by the serious data breach.
Harm "includes:
 (a)  harm to reputation; and
 (b)  economic harm; and
 (c)  financial harm."

Real risk means "a risk that is not a remote risk." 

Hmm, plenty of room for arguing the toss there.

No comments:

Post a Comment