[EP 045] New Data Breach Laws – An Essential Legal Update for Business


CLICK HERE to download the transcript for this episode.

Episode Highlights:

  • The Privacy Act
  • What Type of Organisations Can Get Caught by the Privacy Act
  • The Criteria to be Considered an Eligible Data Breach
  • Requirements for Compliance with the Legislation
  • Options for Notifications

Hi, it’s Joanna Oakey here and welcome back to Talking Law. Today we have Grace Yi again from Aspect Legal who is the resident privacy expert at Aspect Legal.


The Privacy Act

And today we have her in because we’re specifically talking about new data breach notification laws that are about to hit. So if you’re listening to this after the new laws have come in to place, don’t worry we’ll talk about what you can do to go back and get compliant even though they’re in place. But just to be aware if you’re listening to this podcast as it’s released, the new scheme is due to come into force on the 22nd of February 2018. So if you’re listening to this after that point obviously, these new data laws are in force at the moment. Now the reason that we’re talking about this today is because all of the commentary that I’m seeing around at the moment is suggesting that Australia’s small businesses are just not prepared for the introduction of these new laws that connect to the Privacy Act. And we’ll talk with Grace about exactly what is required but just generally speaking so you understand where we’re going today, these new laws require organisations who are captured by the Privacy Act to publicly disclose if their customers’ data is breached by hackers or technology problems.

And the issue for businesses is that there are some serious penalties that individuals and businesses can face if they’re not compliant with this legislation. So these penalties can be up to $360,000 for individuals and $1.8 million for organisations. Although as Grace and I will talk about a bit later on, it’s perhaps important not to get too caught up in the big numbers,because the privacy commissioner will be treating any breaches with more of an educational role rather than probably heading straight in to these large penalties or fines,. at least in the first instance as businesses get on top of what this legislation mean. So anyway, Grace thank you for coming along today. Let’s get stuck in to some of the detail of this law so that our listeners can be educated and know what to do with their organisations to ensure that their organisations are in compliance with these new legislation. So Grace, let’s start off with, who needs to comply? Who does this new legislation relate to?

Grace: Yeah. So I guess we should take a step back and say that we’re talking about entities that are already caught by the Privacy Act. So we’re talking generally now about who is caught by the Privacy Act and the starting point is that all businesses that have an annual turnover of three million dollars or more, are automatically caught.

Joanna: Yep. Okay so I think that’s a really good point because there’s a lot of noise as I started out this podcast. By seeing there’s a lot of noise in the media at the moment about these new data breach notification laws but organisations need to understand, the new data breach legislation laws only apply to them if they’re already caught by the Privacy Act here and organisations are caught by the Privacy Act if they’ve got a turnover of three million or more. But there’s also a number of other organisations who even though they themselves may not have a turnover at three million or more might also be captured right, Grace?

Grace: That’s right. So we’re listing out the sorts of organisations that are caught but there are lots of other types of organisations that are caught and one of the things to bear in mind is that when we’re talking about this three million dollar figure, if one of your related entities is caught, then you’re caught as well.


What Type of Organisations Can Get Caught by the Privacy Act

Joanna: Okay, great. So organisations that have a parent company or some other related organisation that has a turnover of more than 3 million or is for some other reason might themselves be caught by the Privacy Act. Okay, that’s good to know. And then what other types of organisations might be caught by this legislation?

Grace: Yeah. So if you have a turnover of under three million dollars a year, then you’re considered to be a small business under the Privacy Act. And generally speaking small businesses are not caught. But then there are exceptions to that. So, we’ll go through some of the main exceptions but there are some other more very specific exceptions and I guess we won’t go through every single exception.

So the main point would be, if you’re a small business and you’re not sure if you’re caught, it’s best to check before you rule yourself out.

Joanna: This is where you need to seek legal advice.

Grace: That’s right.

Joanna: And we’ll talk later in the podcast for your interest. If you’re one of our clients at the moment, you’ll know if you’re caught or not. Call us if you’re not sure. If you’re not a client at the moment, then we’re happy to talk to organisations and you’ll find information in the show notes about how you do that. Okay so let’s get back to some of the main business areas that are captured where even though they’re small businesses.

Grace: So the first one to mention is if you are in the business of providing a health service, so all small private health service providers are caught under the Privacy Act. The definition of what is considered to be a health service is very broad. So I guess if you’re not sure, it’s best to check because it can be as encompassing as capturing child care centres.

And that is a specific example in the guidelines provided by the Privacy Commissioner. So if you are in the business of providing a health service, then you’re caught. And that’s one of the main exceptions to the Small Business definition.

Joanna: So here we have GPs, medical practitioners, a dentist, as Grace said child care centres, all these sorts of organisations are captured. And if you’re not sure once again, ask, find out.

Grace: And then another exception is if you are in the business of trading in personal information, then you’re caught as well.

Joanna: Yeah. And so that can be organisations that have compiled, say for example, member lists and personal information. Bearing in mind personal information is information that relates to an individual. We’re not here talking about information that is say business names for example or company names. So it’s relating to an individual even though you might be retaining information where individuals are part of organisations that you deal with, so if for example you’re collecting information about individuals and then you’re selling it or licensing that to others then maybe that’s considered to be trading in personal information.

Grace: So if you are an operator of a residential tenancy database, then the commissioner has deemed that this is one of those exceptions to a small business.

Joanna: And another one which I think is interesting that we should probably throw in there, is if you have a contract with the Commonwealth Government Department, then you’re also considered to have to comply with privacy act. So that’s an interesting one there. If you’re serving in Commonwealth Government Departments, then that’s something to consider. And I think that’s probably the main areas as I said before, there’s a number of other specific sort of areas so if you’re not sure then you really need to check with someone who understands this area in relation to your specific business.

Okay. So they’re the people who are captured by this new legislation because they’re the organisations that are also captured by the Privacy Act.

Grace: Yes.

Joanna: What does this new legislation say about them? So we know it relates to data breaches. What’s an example of a data breach that might be caught under this legislation?


The Criteria to be Considered an Eligible Data Breach

Grace: So this new scheme that’s come into effect, it stems off one of the obligations of entities that are caught by the Privacy Act, and we call them APP entities. It’s APP 11 that addresses the obligation to keep personal information that you’ve collected secure. So when you have collected personal information you must under the Privacy Act keep it secure. And so this scheme is addressing the expectation that individuals would be told if there was a breach of that. So, we’re talking here about what they call an eligible data breach and what is considered to be an eligible data breach must meet three criteria.

So the first criteria is that there must be an unauthorized access or unauthorized disclosure of personal information. So what we’re talking about here is if someone has somehow gotten into your databases or if you’ve lost something that contains personal information on it. So as an example, if you were to lose a device or a database and the personal information on it was encrypted then it might be the case that it doesn’t meet this first criteria because the information on it isn’t necessarily accessible by whoever might get their hands on it. So that’s the first criteria. Did you want to say anything about that?

Joanna: Yes. So I guess being clear here, so an unauthorized access we’re saying here occurs if you’re caught by this act and there’s unauthorized access, so people have seen in some way the personal information that you’re holding about others. And I guess examples of this and obvious ways around at the moment relates to the risk of hacking. And some sort of technology problem that allows disclosure. And certainly we’ve seen examples recently of some large organisations that have accidentally allowed public access to databases that they hold. So this is another way that it might be considered that there’s unauthorized access.

And of course it doesn’t just have to be related to technology. It might relate to one of your employees or staff members doing something inappropriate with data. So this is something to bear in mind as well.

Grace: Yes. An example that comes to my mind is if for example one of your employees accidentally emails someone the personal information that you hold,  like your client list or something like that.

Joanna: Yeah. And I guess technically, we’ve all seen this before where people have forgotten to use email addresses as a BCC rather than a CC where you got a whole lot of people so, I guess this is one possible example.

Grace: Yeah.

Joanna: All right. Okay. So we’re talking about unauthorized access but it’s not any old unauthorized access, right? There’s other requirements as well that make this data breach something that’s an eligible data breach under this legislation.

Grace: That’s right. So the second element is that the data breach has to be likely to cause serious harm to one or more individuals. And so we’ve got to talk about this, we’ve got to unpack what this really means because the harm that we’re talking about is not defined in the Act. So it can be any harm. It can be psychological, emotional, physical, reputational, or any other type of harm, even financial harm. And it’s an objective test. So it’s what would a reasonable person think is harmful to somebody.

It's best practice to be aware of what the Privacy Laws say, and align your business with those rules. #BusinessDataBreach #PrivacyAct Click To Tweet

Joanna: Okay. All right. So that’s an interesting one and I think that will be really interesting for us to follow along over time to see what we’re seeing. How that concept of serious harm is really being teased out because back in the example I made before about accidentally including a whole heap of email addresses in a ‘to’ rather than a CC where you might say well perhaps there’s no serious harm from that or maybe there is if now someone’s got a hold of a whole heap of email addresses and they can do stuff with. So I guess it depends on the situation.

Grace: That’s right. And we’ll keep talking about this as we go along but really with all of these concepts and this area of the law, there’s no black and whites, there’s no absolutes. Every situation will be different because in each case the information that’s been leaked, who you think might have access to it, the types of individuals that are being affected by the information, it will always differ. And it really does require an evaluation in each context.

And so there are no black and whites, or absolutes and I guess you can err on the side of caution, but it’s a decision that you’re going to have to make in your individual situation to work out whether you’re caught, whether it is an eligible data breach and then you have to comply with the Act or whether you’re going to decide not to.

Joanna: Yeah. And I guess what you’re sort of alluding to here getting practical about it all is, an organisation is aware that something has happened with data within their organization. So they’ve identified either some hacking incident or cyber crime or they’ve identified some issue that has allowed databases or other personal information that they hold to be made public in some way. They’ve now got to consider whether or not they think that would have been likely to cause serious harm.

Grace: That’s right.


Australia Privacy Act, New Data Breach Law, Talking Law, Information Security


Requirements for Compliance with the Legislation

Joanna: And let’s perhaps talk now about what the requirements are to comply with the legislation. If indeed it’s unauthorized access that has potentially caused serious harm.

Grace: Yes. So the first thing you would need to do is take some remedial action. You have to take some steps, if you’ve decided that you think there’s likely to be serious harm. So we’re not talking about trivial or minor harm but serious harm to somebody, to one or more individuals. So notice here that it can even just be harm to one person. It doesn’t have to be a lot of people. Even if it’s just one person and it’s serious to that one individual, you need to take steps to try and remedy or reduce the risk of harm. And if you take that remedial action and this step that you take reduces that risk of harm, so that now, the harm is no longer serious, then now you’re outside of the realm of being an eligible data breach so you might not need to take the steps of having to notify. But let’s just assume that it is an eligible data breach. What do you have to do next?

So you need to take this remedial action in a timely manner. And then after you’ve done that, you need to notify. So you need to notify the person who is likely to suffer that harm. And you also need to notify the Privacy Commissioner.

Joanna: Right. Okay. And I think this is really super important then for organisations to understand effectively what this legislation now means if you’re captured. So if you’ve undergone an event that relates to unauthorized access or unauthorized disclosure of personal information held by your organization, and it might cause serious harm to one or more individuals, you now have to notify the people whose information it relates to. And you also have to notify the Information Commissioner. Because I think sometimes organisations would prefer to just take remedial action – do what they can to deal with the issue without actually notifying the individual and certainly without notifying the Information Commissioner.

But now even if you take remedial action, if the situation still results in the fact that there might be potential serious harm then you are required by the legislation to take these steps of notifying individuals and notifying the Information Commissioner. So I think that’s the crux of it.

Grace: Yes, that’s right. So we’ll go further now in a minute into the details of how you notify the individual, how you notify the Privacy Commissioner. If you’re in that boat of having an eligible data breach but say you’ve got this situation and you don’t think you’ve actually got enough there to have an eligible data breach, but you have a lower level of certainty, you might have just some grounds to suspect you’ve had a data breach. In that situation, the Act requires you to conduct an assessment of the suspected data breach. So this is when you’ve had a breach of personal information but it’s not serious enough or it doesn’t meet those criteria we talked about, to fall within the category of an eligible data breach that requires notification. So if you’re not in that situation but you have had some sort of breach of personal information, you have to do this assessment of suspected data breach. And the Act doesn’t really go into a lot of detail of exactly how to do the assessment, but it is very clear about what the purpose of doing this is. And the purpose of it is, to get a picture of whether there’s been an eligible data breach and you have to do it expeditiously and it does say you have to do it within 30 days. So you’ve got these two levels of what you’re required to do. One is notify, and if it’s not serious enough to be that data breach, you’ve got to do this assessment. And the Privacy Commissioner has put up a three-stage guideline as to what to do when you’re doing that assessment.

Take reasonable steps as quickly as possible. #BusinessDataBreach #PrivacyAct Click To Tweet

Joanna: So look, I think the most important thing is that organisations are aware of the fact that they need to do something, they need to do something quickly if they have had a suspected data breach. So I think at that point it’s about consulting the experts so come and talk to your lawyer or talk to someone else who is specifically trained in this area. So we can help guide you as to what to do if a data breach has occurred.

Grace: Yes.

Joanna: Well let’s talk a little bit more then, just about the penalties that organisations and individuals potentially face. So as I said before, if you fail to report, you can face penalties of up to $360,000 for individuals, and $1.8 million for organisations. What is the Information Commissioner saying at the moment Grace, about the likelihood of them imposing these sorts of penalties straight up?

Grace: So the Privacy Commissioners told us that in the first 12 months after this scheme comes into place, they’ll be taking more of an educational role in helping businesses work out how to be compliant rather than taking a hard line enforcement type of role. Except in the case of very serious, consistent breaches of this scheme.

And that’s good news, because it means that there’ll be a bit of a grace period as we get used to this new scheme of working out exactly what to do and making sure that we do comply. Because it will take a bit of time for organisations to get used to this process obviously, some preparation now needs to take place because now you need to think internally as a business – What processes do I need to have in place? How will I even know if a data breach has happened? How will it be brought to my attention and what will I do if I find out that we’ve had a data breach? What we do straight away? What will be the first thing that we do? So these are the sorts of questions that might be going through your mind right now.

Joanna: Okay. And look if you’re an organisation that has had data breaches in the past, you know perhaps you just need to think about the implications moving forward for you not having fixed some of the systems that have led to data breaches. Because this is the sort of thing that the Information Commissioner can get really stroppy about. If a data breach were to occur and someone was able to show that in fact this is not a one off and it relates to some systems that you’ve just not fixed up. So I think it’s just being aware and making sure that you’ve got systems and processes, to deal with any issues as quickly as possible because you want to make sure you’re complying in time.

Grace: That’s right.

Joanna: And let’s talk about organisations that aren’t covered by the Privacy Act. Are they getting off scott free? Should they not care about the legislation? No, because I think our perspective is generally that even organisations that aren’t caught by the Privacy Act should be aware of what the Privacy Act says and there might be some reasons why they might want to set up systems within their organization just as though they’re caught by the Privacy Act. Maybe you can talk to us a bit more about that Grace.

Grace: Yes, absolutely. I think people are aware now of the issues with privacy especially in our Internet age. And really, it would break trust with a business if you were doing business with your customers and you were not careful with the information that they’re giving you. So it’s best practice to be aware of what the Privacy Laws say and aligning your business with those rules because they’re there to help individuals know what an organisation is doing with their personal information and to feel secure that the information that they’re providing to a business is going to be handled appropriately. So there’s a real reputation issue there.

If there's been an eligible data breach, then you'll have to alert the Australian Information Commissioner and the people whose data has been compromised.. #BusinessDataBreach #PrivacyAct Click To Tweet

Joanna: Yeah. And part of the requirements if you’re caught by the Privacy Act, are the requirements to have a specific collection statement that you provide to individuals upon them providing information to your organization and certain things reflected in your privacy policy as well as certain systems and processes within your organization.

But the interesting thing is even though your organization may not be over 3 million today, it doesn’t mean that in three or four years time it might not be. And of course if you become caught by the Privacy Act in the future but you’ve not provided this sort of disclosure upon collection of the personal information right now when you’re collecting it, then you might find later you’ve got a whole heap of issues in terms of going back and dealing with that data that you had collected in the past. So it’s really important to be aware of the possibility that even if you’re not captured today, you might be captured in the future.

Grace: Absolutely. Yes, that’s important to know and to think about. And one of the situations I can think of off the top of my head is when you go to sell your business. And as part of that business sale you might, or not necessarily when the whole business changes hands but say if you’re selling a part of the business, or if you’re selling your client list, there might be situations where you’re having to now suddenly think about the privacy obligations in relation to that information you’ve collected over time.

Joanna: Yeah, absolutely. I think what often people think of when we talk about that sort of situation is when Dick Smith went into liquidation and Kogan bought the rights to the client database.

Grace: That’s right.

Joanna: You know there was this whole notification requirement and so I guess it’s just being aware of what might happen in your organisation’s future.

All right well before we round up then Grace, maybe let’s just run very quickly through organisations if they’re listening to this. They know they’ve captured by the Privacy Act, they’ve had a data breach that they think probably qualifies as an eligible data breach, what do they have to do?

Grace: Yeah. Okay. So what you need to do is, you need to notify the Information Commissioner. They’ve let us know that they’re in the process right now of creating an electronic form on their website that they would like used for this purpose. The notification will be in the form of a statement as a minimum, and the things that you’ll need to let the commissioner know are what your identity is, your contact details, a description of the eligible data breach, the kinds of information that were involved, and the types of steps that you would recommend that the individuals take in response to this breach. So practical steps that are easy for them to take.


Australia Privacy Act, New Legislation, Eligible Data Breach, Compromised Information


Options for Notifications

GraceSo a little example might be if their passwords were compromised, you’d ask them to change their password. And this isn’t an obligation under the Act but your notification could also include an apology, and the steps that you’re doing to ensure that it doesn’t happen again. And then all of this content, the exact same content should be communicated to the individuals that are affected by this breach. So in terms of notifying the affected individuals, the Act provides three options. So the first option is to notify all individuals whose personal information was involved in the data breach. The second option is to notify only the individuals who are at likely risk of serious harm. So if you are able to work out who those specific individuals are. So there might be a subset. If you’ve had a whole breach of data information but of those individuals that are affected, only a subset are likely to experience serious harm or are at risk of serious harm, you can notify just those individuals. And one of the benefits that the commissioner has mentioned of this is that it reduces what they call notification fatigue where individuals are receiving notifications every day and they become fatigued of being notified.

Joanna: I love it that they’ve got a name for this. So I’m waiting to see once this 22nd of February hits, am I going to start receiving daily notifications?

Grace: That’s right.

Joanna: Anyway. Let’s see. Whether we’ll all receive fatigue from privacy breach notifications.

Grace: Yeah. So if those first two options aren’t really suitable for you, then the third option is to publish your notifications. You can only take this third option if one and two aren’t practicable. And so what this means is that you publicize the information with the aim of bringing it to the attention of the individuals that are likely at risk of serious harm.

So you would take the sort of method of communication that you normally take in your business, so say for example if your business doesn’t really use a website and your customers are more likely to not use websites or the Internet themselves, so if you really do have customers only coming to your premises, then it might be more suitable for you to have a sign up that has the information  or you could do it through social media or publishing print media. It really depends on what your usual mode of communication here is. You just have to take reasonable steps to notify and there’s some flexibility there about the way you notify.

Joanna: Great! Okay. All right. Well thank you so much for coming along Grace and talking to us all.

Just as a recap, in this episode, we’ve been talking about this new legislation, this new legislation is due to hit on the 22nd of February 2018. So if you’re listening to this podcast after that date then the legislation is already in force in Australia. The legislation relates to organisations that are captured by the Privacy Act and it relates to any instances where there has been an eligible data breach. And if there’s been an eligible data breach, then you’ll have to alert the Australian Information Commissioner and the people whose data has been compromised. Otherwise you might risk coming under the attention of the Australian Information commissioner who has at their disposal, a whole range of fines.

All right. So if you’d like more information about this topic, head over to our website at Talking Law dot com dot au and you can get a free download of all of the things that we’ve talked about today. Through that Website, you’ll also be able to contact the fabulous Grace Yi and our other lawyers at Aspect Legal who’ll be able to assist you with any issues that you have within your organisation in terms of understanding whether or not you are captured by the Privacy Act, or if you know you are captured, or you think maybe you’re captured and you have events within your organization that have led to some possible data breaches, then you can get advice about what you need to do in that instance. But of course as we said in this podcast, one of the most important elements is about jumping on it quickly because the quicker you get on to it, the more likelihood you have of number one maybe even reducing the severity and therefore keeping this out of the realms of a data breach that is like likely to have caused serious harm and even if it is potentially something that would have caused harm, then you obviously need to take other steps now in terms of notification.

Great. All right. Well hopefully you enjoyed what you heard today. And if you did, I’d love it if you could possibly pop over to iTunes and leave us a review.

That’s it for this episode but we’ll be back with the next episode of Talking Law in around about a week’s time so hopefully we will see you then. Thanks again for listening in. You’ve been listening to Talking Law, produced by Aspect Legal. See you next time.