Most licensees have Incident and breach management policies and most licensees (with a few exceptions) can identify, escalate and report breaches of the financial services laws. Fewer licensees understand their obligation to report data breaches.
The Privacy Act applies to private sector organisations, including not-for-profits, with annual (group) turnover of more than $3 million. It also includes small businesses that may be earning $3 million or less where they are health service providers involved in trading in personal information, contractors that provide services under a Commonwealth contract or credit reporting bodies, amongst others.
Your obligation to report
You are not obliged to report all breaches to the OAIC, but you are required to report all eligible data breaches. It’s an important qualification to understand.
First, an eligible data breach occurs if:
(a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by you; and
(b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates; and
(c) you haven’t been able to prevent the likely risk of serious harm with remedial action.
Second, it’s critically important to appreciate that all ‘eligible data breaches’ – those likely to result in serious harm – need to be reported as soon as practicable, both to the OAIC and to those individuals (potentially) affected by the data breach.
While you may think ‘eligible data breaches’ are the province of Russian Hackers, the reality is that even simple, everyday errors can trigger the obligation. For example, an eligible data breach can occur if you mistakenly provide a client’s personal information to the wrong person.
Exceptions to reporting
If you’re a business that quickly identifies and remediates incidents, you’ll be pleased to know that the threshold conditions for mandatory breach reporting provide you with a degree of flexibility:
- First, an assessment of serious harm requires an objective and reasonable assessment made from your perspective. It does not require you to make a subjective assessment of the likely harm based on the affected individual’s relevant personal circumstances. Act reasonably and prudently but appreciate the broader implications of the breach and your reaction.
- Second, you don’t need to report data breaches that you’ve quickly remediated or have started to remediate. We’ve addressed effective remediation previously and we remind you that effective remediation needs to be reasonable, prompt, effective and appropriate. Your remediation and consequence management policy should provide you with the framework and guidance you need to satisfy this requirement, but contact us if you need assistance.
The requirement to consider the impact and likely consequences of a data breach – serious harm – introduces a materiality assessment that’s both clear and intuitive. Advisers, and advice businesses, routinely collect, retain and use personal information from their clients. So it’s not hard to identify the information that, if lost or released, could cause serious harm. For simplicity, consider:
- taxation information such as returns or TFNs;
- credit reporting data;
- personally identifiable information;
- ‘sensitive information’, such as information about an individual’s health;
- documents commonly used for identity fraud (including Medicare card, driver licence and passport details);
- financial information;
- a combination of types of personal information (rather than a single piece of personal information) that allows more to be known about the individuals the information is about.
If you haven’t already updated your Remediation and Consequence Management Policy, and refined your Incident/Breach Management Policy, you should do so now.
You should also prepare a data breach response plan.
Computerworld noted that an appropriate breach response plan should have an aggressive timeline and should explain how you:
1. identify and close security holes,
2. notify government agencies and impacted individuals, and
3. train staff to prevent recurrences.
In addition, we recommend that you review your Complaints Policy to ensure you’ve addressed the additional reporting requirements.
We’d also recommend that you undertake a data audit – investigate what data you hold, who can access it, and consider whether your existing data privacy and security policies are adequate. Review your IT infrastructure.
Look at your outsourcing contracts to confirm that these third parties understand what is expected of them.
Things may quickly get more complicated for you. The Treasury Laws Amendment (Consumer Data Right) Bill 2019 will, if enacted, modify the Privacy Act, create additional complexity and impose more restrictions. We’ll address CDR in subsequent articles, but this overview might help you understand what might change.
Download OAIC’s Data Breach Flowchart
If you need additional documents, rather than our help, start by reviewing the OAIC’s Data breach notification — A guide to handling personal information security breaches and their Guide to developing a data breach response plan.
Don’t forget to train your staff about these obligations because significant or recurring failures can attract civil penalties of up to $2.1 million.
That’s a significant penalty but in our view, the damage to your reputation may be far greater than any financial penalties imposed.
Target to pay $18.5M for 2013 data breach that affected 41 million consumers, USA Today, 23 May 2017
Data breach hits Department of Social Services credit card system, The Guardian, 24 November 2017
50 percent of adults have not checked their credit since the Equifax breach, CNBC, 26 February 2018