Privacy Act Review: What’s proposed for Security, Data Breach Notification and Retention?

Deep Dive 1: Security, data breach notification and retention

In February 2023, after nearly three years of consideration, i the Australian Attorney-General released its Privacy Act Review Report 2022. The report contains 116 recommendations, based on 30 “key themes and proposals” collected during the course of the last three years, including some proposals no doubt linked to the massive data breaches impacting Australia in 2022.

We summarised the main recommended reforms as part of the Privacy Act Review in our earlier blog post here.

This is the first in our series of posts taking a closer look at some of the recommended reforms.

This post focuses on what’s proposed for the security of personal information. It covers the 12 proposed recommendations to reform which affect:

• Obligations to secure personal information (currently included in APP 11);
• Data breach notification provisions; and
• Data retention obligations.

Privacy Act Review: Security of Personal Data

Given the scale and impact of recent data breaches, the recommended changes regarding the obligation to ensure the security of personal information seem relatively minor.

Currently, APP 11 provides that organisations must: “take such steps as are reasonable in the circumstances to protect the information:

1. from misuse, interference and loss; and
2. from unauthorised access, modification or disclosure.”

The OAIC has published guidance as to what it expects organisations to do to meet their APP 11 obligations –releasing in 2018 its Guide to security personal information.

Five years is a long time in the information security world and both the risk landscape and business processes used have changed in many ways, which could AND SHOULD be reflected in updated and more specific and timely guidance.

In response to the 2022 Discussion Paper, we supported the proposed inclusion of the reference to ‘technical and organisational measures’ (which is one of the proposed reforms in the current report). However, we also suggested that the following would also be of value to the regulated community:

• More detailed and up to date guidance on the technical and organisational controls that could be implemented and ways of managing privacy risks; and
• Greater and more targeted enforcement of security issues, particularly those identified as systemic issues in different sectors; and
• Strengthened ties between the different arm of government working to improve the cyber security posture of Australian entities, particularly those that have direct responsibility for cyber security; and
• Development of skills within the OAIC to assist with investigations and guidance, particularly where they involve sophisticated cyber-attacks; and
• Development of a more skilled workforce, with skills specific to privacy enhancing solutions and technologies; and
• Greater collaboration with researchers and industry groups to develop effective responses to security issues in the Australian environment.

It is encouraging to see many of these suggestions taken up in the report including proposals for:

• The identification of a set of baseline privacy outcomes, based on consultation between industry and government and informed by the development of the 2023-2030 Australian Cyber Security Strategy
• Enhanced guidance on what is ‘reasonable steps.’

However, the development of skills both within the OAIC and the regulated community more broadly is an issue not properly canvassed in the review of the Privacy Act. This oversight is disappointing.

Our experience with cyber security skills would suggest that this is a problem waiting to unfold in the privacy sphere that we should be trying to address now.

APP 11 Security – Proposed Amendments

The following are the proposals from the AG’s report relevant to APP 11:

Proposal 21.1: Amend APP 11.1 to state that ‘reasonable steps’ include technical and organisational measures.

Proposal 21.2:Include a set of baseline privacy outcomes under APP 11 and consult further with industry and government to determine these outcomes, informed by the development of the Government’s 2023-2030 Australian Cyber Security Strategy.

Proposal 21.3: Enhance the OAIC guidance in relation to APP 11 on what reasonable steps are to secure personal information. The guidance that relates to cyber security could draw on technical advice from the Australian Cyber Security Centre.

Proposal 21.4: Amend APP 11.1 so that APP entities must also take reasonable steps to protect de-identified information

Privacy Act Review: Notifiable data breach (NDB) scheme

The existing NDB scheme requires entities to notify affected individuals and the Privacy Commissioner in the event of an ‘eligible data breach’.

A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates. Entities must conduct a prompt and reasonable assessment if they suspect that they may have experienced an eligible data breach.

Notification to Commissioner within 72 hours

The average time to notify has lengthened to more than 30 days. We previously covered the Commissioner’s reports on the NDB scheme including the reports released in July– December 2022 and January – June 2022. In those reports, the Commissioner has noted an increasing delay in organisations notifying of data breaches.

The purpose of the NDB Scheme is to give affected individuals the opportunity to mitigate potential harm.  To be able to do this effectively, those people must have the opportunity to react quickly, to take immediate action to minimise harm.  The proposed new data breach reporting obligations, including notifying the Commissioner within 72 hours of becoming aware of a data breach, would assist with this objective.

To help meet the 72-hour window, it is proposed that notice can be given in phases. This is also recognised as something that should be done when notifying affected people: notification should be made as soon as you are aware there are reasonable grounds to believe that there has been an eligible data breach, with further information to be provided in later phases.

Information to be provided

It is proposed that organisations must include in the notice of breach, details about the steps the entity has taken or intends to take in response to the breach, including, where appropriate, steps to reduce any adverse impacts on the individuals to whom the relevant information relates.

This is something that most organisations are already doing and would certainly act to alleviate some of the concerns and distress that are part of the impact of a data breach.

It is also recommend that further consideration be given to requiring organisations to take reasonable steps to prevent or reduce the harm that is likely to arise for individuals as a result of a data breach.  Again, mitigating the harm arising from a data breach is something that most organisations should be doing in any case. A clear, specific statement that that is required seems appropriate.

Multiple reporting obligations

One of the other issues in the current Australian NDB scheme is the confusion where there are multiple data breach reporting obligations – to different regulators. The Report recognises this issue and proposes further work to better facilitate reporting processes for entities with multiple reporting obligations. Simplification of reporting is beneficial for both regulated organisations and affected individuals.

Notifiable data breach proposals

The following are the proposals from the AG’s report relevant to the NDB Scheme:

Proposal 28.1Undertake further work to better facilitate the reporting processes for notifiable data breaches to assist both the OAIC and entities with multiple reporting obligations.

Proposal 28.2

(a) Amend paragraph 26WK(2)(b) to provide that if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity, the entity must give a copy of the statement to the Commissioner as soon as practicable and not later than 72 hours after the entity becomes so aware, with an allowance for further information to be provided to the OAIC if it is not available within the 72 hours.

(b) Amend subsection 26WL(3) to provide that if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of an entity the entity must notify the individuals to whom the information relates as soon as practicable and where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases as soon as practicable.

(c) Require entities to take reasonable steps to implement practices, procedures and systems to enable it to respond to a data breach.

Proposal 28.3

Amend subsections 26WK(3) and 26WR(4) to the effect that a statement about an eligible data breach must set out the steps the entity has taken or intends to take in response to the breach, including, where appropriate, steps to reduce any adverse impacts on the individuals to whom the relevant information relates.

However, this proposal would not require the entity to reveal personal information, or where the harm in providing this information would outweigh the benefit in providing this information.

Consider further a requirement that entities should take reasonable steps to prevent or reduce the harm that is likely to arise for individuals as a result of a data breach. 

Proposal 28.4 Introduce a provision in the Privacy Act to enable the Attorney-General to permit the sharing of information with appropriate entities to reduce the risk of harm in the event of an eligible data breach. The provision would contain safeguards to ensure that only limited information could be made available for designated purposes, and for a time limited duration.

Privacy Act Review: Data de-identification

APP 11 currently provides that, where an organisation no longer needs personal information for any purpose for which the information may be used or disclosed under the APPs, the organisation must take reasonable steps to destroy the information or ensure that it is de-identified (subject to exceptions).

As recommended for the first limb of APP 11, the Privacy Commissioner will be asked to provide additional guidance as to what is required to destroy or de-identify information.  Interestingly, data de-identification is an area where the Commissioner has been active, working with Data 61 to make available the following general guidance on de-identifying information here. Given the importance of de-identification as a risk mitigation it is not surprising that it is called out for further consideration.

Privacy Act Review: Data retention

The retention of personal information, and Australian organisations’ obligations to collect and retain information has been much discussed following recent data breaches.

Among the many questions raised by the Optus data leak in particular is why so much personal information was kept and for so long.

Optus argues that it had a legitimate need to collect that data – to verify customers were real people and potentially to recover any debts later. However, it is not clear that this was in fact required in the first place or that that information needed to be retained for more than six years, about both current and past customers. More about whether or not this is correct is available here.

Undoubtedly as a consequence of the recent data breaches, a couple of new proposals have been added specifically relating to the retention of personal information, including:

• More detailed guidance on what are ‘reasonable steps’ to destroy or de-identify personal information;
• Requirement for organisations to identify the maximum and minimum retention periods for the personal information they hold, which should be periodically reviewed;
• Retention periods to be included in every organisations’ Privacy Policy;
• A review of all legal retention requirements across Commonwealth and State entities (De-identification and the treatment of de-identified data will be covered in a separate post.)

No specific data minimisation principle

There has been discussion about the inclusion of a specific data minimisation principle in the Privacy Act.

The report recognises the importance of data minimisation.   It states that ‘the best way to protect personal information is for entities to minimise the amount of personal information they collect and retain.’[2]

However, there has been no move to introduce a specific data minimisation principle like that included in the GDPR. It is felt that the current limit on collection (in APP 3) and the requirement to destroy data (in APP 11) are sufficient without further more specific requirements.

This seems to be missed opportunity to reinforce what is becoming a key pillar of privacy and security practice.

Guidance on retention periods

We submitted in our response to the 2022 Discussion Paper that it would be useful if the Commissioner or other relevant regulators (perhaps working together?) issued additional guidance on retention periods for certain types of information, for example, financial records, email accounts or online account details which have been inactive for a certain period of time.

As consultants we often are asked by clients about their retention obligations.  Outside of specific government record and archiving responsibilities and obligations relating to retention of financial and tax records, and employment and workplace health and safe records, there is little available to guide organisations more specifically on how long they should keep data.

Some more specific guidance in this area would be possibly one of the most effective privacy risk mitigations steps that the government could take.

Data retention proposals

The following are the proposals from the AG’s report relevant to de-identification and retention:

Proposal 21.5 The OAIC guidance in relation to APP 11.2 should be enhanced to provide detailed guidance that more clearly articulates what reasonable steps may be undertaken to destroy or de-identify personal information.

Proposal 21.6 The Commonwealth should undertake a review of all legal provisions that require retention of personal information to determine if the provisions appropriately balance their intended policy objectives with the privacy and cyber security risks of entities holding significant volumes of personal information. This further work could also be considered by the proposed Commonwealth, state and territory working group at Proposal 29.3 as a key issue of concern where alignment would be beneficial. However, this review should not duplicate the recent independent review of the mandatory data retention regime under the Telecommunications (Interception and Access) Act 1979 and the independent reviews and holistic reform of electronic surveillance legislative powers.

Proposal 21.7 Amend APP 11 to require APP entities to establish their own maximum and minimum retention periods in relation to the personal information they hold which take into account the type, sensitivity and purpose of that information, as well as the entity’s organisational needs and any obligations they may have under other legal frameworks. APP 11 should specify that retention periods should be periodically reviewed. Entities would still need to destroy or de-identify information that they no longer need.

Proposal 21.8 Amend APP 1.4 to stipulate than an APP entity’s privacy policy must specify its personal information retention periods.

What should you be doing to prepare?

Some of the things you should be doing to prepare for the proposed changes to APP 11 if introduced:

• Review the data you are retaining and make sure you have a real reason to do so
• Identify retention periods for all your data holdings and make sure you comply with them
• Update your Privacy Policy to include retention periods
• Consider any de-identified data you hold and ensure it is covered by any new definition of ‘de-identified data’ and consider introducing a regular review to test the re-identifiability of that data
• Keep an eye on the Cyber Security Strategy and proposals from Department of Home Affairs on baseline cyber security controls
• Update your Data Breach Response plan to cover notifying the OAIC within 72 hours
• Also update your Data Breach Response plan to cover phased notification to both the OAIC and affected individuals

What do we think?

The proposed changes to APP 11 are a good start.

The inclusion of specific retention provisions is very timely however we would have liked to see a more specific recognition of an overriding data minimisation principle.

It is encouraging to see a clearer recognition of the role of different government agencies in the overlapping space of security and privacy.  Though time will tell if the government is able to produce a cyber security plan that substantially uplifts the security of the personal information of all Australians.

Again, one of the most effective ways of helping organisations understand their APP 11 obligations would be additional guidance, more enforcement, more Determinations and more published investigation reports … all of which require more resources to the OAIC. Let’s hope we see a continued uplift in support for the OAIC so it can discharge its regulatory duties in an effective, timely and consistent way.

[1] https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-securing-personal-information

[2] AG Report, 3.