
The Office of the Australian Information Commissioner (OAIC) recently released its Notifiable Data Breaches Report: January – June 2021 (the Report). Data breach notifications became mandatory for organisations covered by the Privacy Act in February 2018. Since then, the OAIC has released quarterly and now six-monthly reports with aggregated information from reported data breaches.
Access the OAIC Notifiable Data Breach Reports here.
Notwithstanding the drop in reported breaches, data breaches are increasingly impacting Australian organisations. It is important for all organisations covered by the Privacy Act 1988 to continue to meet their data breach notification obligations.
The Notifiable Data Breaches scheme in Australia requires organisations covered by the Privacy Act 1988 to notify affected individuals and the OAIC “when a data breach involving personal information is likely to result in serious harm” and where the organisation has not been able to prevent or mitigate the likely risk of serious harm through remedial action.
Here is an overview of the who, when, how and why of data breach notifications in Australia:
The requirement to notify affected people about data breaches is intended to give individuals an opportunity to try and reduce any potential harm from the data breach. Affected individuals can do this, for example, by changing passwords, closing accounts or being more alert to unexpected activity on their credit cards and bank accounts.
An organisation’s obligation to notify is part of its transparency and accountability obligations (two principles that have been at the heart of privacy regulation from its earliest inception). By providing information about what has happened, an organisation lets affected people make better informed decisions about how best to protect themselves.
Although data breach notification is not primarily intended to penalise or embarrass organisations that have had a breach, this has been one of its outcomes. Many reported data breaches have gained significant media attention, leading to embarrassment and possible reputational damage. In some instances, the Privacy Commissioner has also decided to investigate more closely the circumstances leading to the data breach, to determine whether there may have been an interference with any of the Australian Privacy Principles (particularly APP 11, the obligation to take reasonable steps to secure personal information). So, care should always be taken when notifying of a data breach.
From a business perspective, the data breach notification process is not just about compliance with legal requirements; it is also critical to financial risk management and reputation management.
However, the overriding interest should always be to make sure that affected individuals are provided, as expeditiously as possible, with any information that might help them reduce any potential harm. In many cases, people will expect to be notified if their personal information is accessed by or disclosed to unauthorised individuals in a way that poses a significant risk of harm to them – regardless of whether the organisation is legally required to disclose the breach under Australian law or the laws of other jurisdictions around the globe.
As such, businesses might consider looking beyond their legal obligations when it comes to data breach notifications. There will be circumstances where notification is something that businesses should do as part of risk management, even if there is no legal requirement to notify.
You should notify any individuals whose personal information was accessed, disclosed or lost (affected individuals) as a result of the breach, as well as the OAIC.
This is a different obligation to that in other jurisdictions where there are separate requirements for reporting to the regulator versus reporting to impacted individuals. Notice in Australia should be given to both at the same time, based on the same criteria of whether or not there has been an eligible data breach (discussed further below).
Your organisation should be prepared to notify the OAIC and any affected individuals about:
To help with this, you should prepare draft communications as part of your data breach preparedness plan. These drafts can act as templates for the actual notification. They can significantly reduce time taken in sorting out wording if there is an approved pre-existing template that can be used.
The most difficult step in preparing the notice will often be describing the data breach. The investigation of the data breach is often happening in parallel with the notification process, with new details about the breach becoming apparent as the investigation continues.
Organisations will have to decide what information to provide about the data breach, remembering that the details can be updated when more information is available. The priority should be ensuring the protection of affected individuals, not whether the detailed investigation into the data breach has concluded.
If you know that you have had a reportable data breach, then it should be reported as soon as reasonably practicable.
There were concerns prior to the passing of the notifiable data breach provisions about what to do in cases where there may be an incident but where it may not be clear that there had been a data breach (in terms of the unauthorised access, disclosure or loss of personal information).
In both these cases, at the time of becoming aware of the incident, there is no actual evidence that the database or laptop has been accessed, but it could have been. To address these concerns, a 30-day window was introduced for suspected data breaches. The Privacy Act 1988 requires organisations to take all reasonable steps to complete an assessment of a suspected data breach within 30 days of becoming aware of it. It is important to remember that this 30-day window applies to suspected data breaches only and should not be taken as general permission to delay reporting for 30 days. The Commissioner expects organisations to treat the 30-day timeframe as a maximum, and to complete the assessment earlier wherever possible.
Once the assessment is completed, and it shows that there has been an eligible data breach, the organisation is expected to prepare a statement about the breach. A copy of the statement should be provided to the Commissioner, and affected individuals should be informed of its contents as soon as practicable.
In practice, the OAIC uses the 30-day time limit as a metric for comparison when it comes to notifications. In the Report, the OAIC notes that in the January to June 2021 period, 72% of organisations notified the OAIC about a data breach within 30 days of becoming aware of it.
Remember, the primary driver of data breach notification laws is to mitigate harm to affected people, and this should always be the principal consideration in determining when to notify.
The OAIC has an online form for organisations to complete following a data breach. You can find it here.
Notification of affected individuals following a breach is more complicated.
As we have discussed, effective data breach notifications reduce or eliminate harm to the affected individuals and/or give them the chance to protect themselves. This means that notices should be informative without causing undue stress to the affected person. They should include enough information about the data breach for people to make informed decisions about any action they should take. Notices should also include recommendations on any mitigation actions that people could consider.
There are some great resources available to support individuals impacted by data breaches including the following:
https://www.oaic.gov.au/privacy/data-breaches/identity-fraud
Privacy 108 has extensive experience navigating and advising on data breach notifications.
We advise organisations on the applicability of data breach notification schemes in any relevant jurisdictions. From there, we provide proactive planning for data breach management and business continuity. This planning contemplates privacy governance to minimise privacy risk, as well as cybersecurity best practices and in-house education that minimises risk posed by your greatest privacy threat: your staff.
Where a data breach has already occurred, we provide responsive data breach crisis management services that minimise reputational, financial, and legal risk.
If your organisation is uncertain about its data breach notification obligations in Australia, you will benefit from Privacy 108’s data breach notification training. See more about Privacy 108’s Training here or get in touch for more information.