Discussion Paper: Australian Privacy Breach Notification
Submission to Attorney General's Department
Comments on the Discussion Paper
Question 1: Should Australia introduce a mandatory data breach notification law?
Question 2: Which breaches should be reported? Triggers for notification
Question 3: Who should decide on whether to notify?
Question 4: What should be reported (content and method of notification) and in what time frame?
Question 5: What should be the penalty for failing to notify when required to do so?
Question 6: Who should be subject to a mandatory data breach notification law?
Question 7: Should there be an exception for law enforcement activities?
The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to make a submission to the Attorney-General’s Department on the Discussion Paper: Australian Privacy Breach Notification (Discussion Paper).
In formulating this submission, the OAIC has drawn on its previous public submissions, and submissions of the former Office of the Privacy Commissioner, to inquiries relating to privacy law reform, including:
- Review of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, submission to the House of Representatives Standing Committee on Social Policy and Legal Affairs, July 2012
- Review of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, submission to the Senate Standing Committee on Legal and Constitutional Affairs, July 2012
- Review of Privacy - Discussion Paper 72, submission to the Australian Law Reform Commission, December 2007
- Review of Privacy - Issues Paper 31, submission to the Australian Law Reform Commission, February 2007.
The OAIC supports the Government’s commitment to ensuring that privacy laws continue to protect the personal information of Australians in the digital era. The Discussion Paper is an opportunity for public debate on an issue of significant concern to the Australian community. In this submission, the OAIC makes the following comments:
- The OAIC supports the introduction of mandatory data breach notification legislation, as current voluntary data breach notification arrangements are insufficient. Such legislation should take the form of an amendment to the Privacy Act 1988 (Cth) (Privacy Act).
- The OAIC considers that:
- the appropriate test to determine the trigger for notification is whether a breach gives rise to a ‘real risk of serious harm’ to an individual
- there should be a catch-all test that is able to apply to a range of circumstances, rather than a prescriptive test, and
- the specific elements that should be included in the notification trigger include the type of personal information involved in the breach, the context of the affected information and the breach, the cause and extent of the breach and the risk of harm to the affected individuals.
- Both the OAIC and, where appropriate to the circumstances, the affected individuals should be notified about a breach; the decision as to whether to notify should be made by the entity concerned, but the Commissioners of the OAIC should have the power to compel notification.
- Data breach notifications should be provided directly where possible (for example, by mail, email, phone or in person); the notification should be made as soon as is reasonably practicable; the notification should include an incident description, the type of personal information involved, the organisation or agency’s response to the breach, assistance that the organisation or agency is offering to affected individuals, other information sources, organisation or agency contact details, legal implications, the fact that the OAIC has been notified and information about whether any other parties have been notified.
- The appropriate penalty for failure to comply with mandatory reporting notification should be a civil one; the penalty regime needs to be flexible and scalable enough to provide an effective deterrent to the full spectrum of entities.
- The mandatory data breach notification law should apply to all entities subject to the jurisdiction of the Privacy Act.
- Law enforcement activities do not require a specific exception as they are covered by the public interest exception proposed by the Australian Law Reform Commission (ALRC).
The Office of the Australian Information Commissioner (OAIC) was established by the Australian Information Commissioner Act 2010 (Cth) (AIC Act) and commenced operation on 1 November 2010.
The OAIC is an independent statutory agency headed by the Australian Information Commissioner. The Information Commissioner is supported by two other statutory officers: the Freedom of Information Commissioner and the Privacy Commissioner.
The former Office of the Privacy Commissioner was integrated into the OAIC on 1 November 2010.
The OAIC brings together the functions of information policy and independent oversight of privacy protection and freedom of information (FOI) in one agency, to advance the development of consistent workable information policy across all Australian government agencies.
The Commissioners of the OAIC share two broad functions:
- the FOI functions, set out in s 8 of the AIC Act — providing access to information held by the Australian Government in accordance with the Freedom of Information Act 1982 (Cth), and
- the privacy functions, set out in s 9 of the AIC Act — protecting the privacy of individuals in accordance with the Privacy Act and other legislation.
The Information Commissioner also has the information commissioner functions, set out in s 7 of the AIC Act. Those comprise strategic functions relating to information management by the Australian Government.
1.1: Are the current voluntary data breach notification arrangements sufficient?
1.2: Should the Government introduce a mandatory data breach notification law?
The OAIC is of the view that:
- the current voluntary data breach notification arrangements are not sufficient
- mandatory data breach notification will help achieve organisational cultures that value and respect privacy, and
- it is only through notifications becoming mandatory that mitigation, deterrent and information objectives will be achieved.
The OAIC notes that, under the National Privacy Principles (NPPs) and Information Privacy Principles (IPPs), notification may be a reasonable step where a data breach has occurred. Specifically, NPP 4 and IPP 4 require reasonable steps to be taken to protect personal information from misuse, loss and unauthorised access, modification or disclosure. However, an express mandatory data breach notification law would provide agencies and organisations with greater clarity and certainty regarding their obligation to notify, and the circumstances in which notification should be made.
As outlined in the Discussion Paper, there are four objectives to be achieved by a mandatory data breach notification regime:
- Deterrence objective
- Mitigation objective
- Informational objective, and
- Public Confidence objective.
This submission will focus on the Deterrence, Mitigation and Informational objectives.
The current arrangements do not appear to provide organisations with a sufficiently powerful market incentive to adequately secure databases and information repositories in order to avoid the potential reputational damage arising from negative publicity associated with a data breach (referred to in the Discussion Paper as the ‘deterrent objective’).
The past year has seen a number of high-profile data breaches and subsequent own motion investigations initiated by the Privacy Commissioner. Research suggests that the frequency of data breaches in Australia has continued to grow over the past three years (and this does not include the major data breaches that have attracted much media attention). According to an international study which included Australian data, ‘2011 boasts the second-highest data loss total since [the researchers] started keeping track in 2004’.
Despite the apparent upward trend in the occurrence of data breaches, the OAIC only received 46 data breach notifications in the 2011-12 financial year, an 18% decrease from the number of notifications received in 2010-11. The OAIC is concerned that it is only being notified of a small percentage of serious data breaches that are occurring, and that many critical incidents may be going unreported and consumers may be unaware when their personal information may be compromised.
Without notification, individuals affected by serious data breaches are unable to take mitigating steps – steps which only they may be able to take, for example cancelling credit cards or requesting a new Medicare number – to protect their personal information.
In addition, the OAIC considers mandatory notification will lead to better public understanding of the scope and frequency of data breaches, and encourage greater privacy awareness. This would help achieve the informational objective.
The OAIC strongly supports recommendation 51-1 of the ALRC Report 108, For Your Information: Australian Privacy Law and Practice (ALRC Report 108) that the Government introduce mandatory data breach notification legislation. The OAIC considers that, in order to streamline the regulatory process, such legislation should take the form of an amendment to the Privacy Act, rather than a separate act.
The OAIC notes that, under the Personally Controlled Electronic Health Records Act 2012 (Cth) (PCEHR Act), certain participants in the personally controlled electronic health (eHealth) record system are already subject to mandatory data breach notification obligations. These obligations are set out in the draft OAIC document Mandatory data breach notification in the eHealth record system.
The potential need for mandatory data breach notification also arises in the context of the proposed amendment of the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act) to require the retention of communications data.
In its submission to the Joint Parliamentary Committee on Intelligence and Security regarding the Inquiry into potential reforms of National Security Legislation, the OAIC considered the proposed retention of communications data for periods of up to two years.
Specifically, the OAIC stated that any data retention regime should be accompanied by a regulatory framework that provides the necessary level of transparency and accountability and is consistent with contemporary community expectations. Relevantly, the OAIC suggested that the steps for ensuring that there is a clear accountability framework in place for protecting the large volumes of personal information that would be required to be stored should include, amongst other things:
Introducing a mandatory data breach notification scheme to ensure that [telecommunications carriers and carriage service providers] are … accountable for the information they hold under the proposed communications data retention scheme.
In the event that the proposed data retention policy is implemented, the OAIC reiterates its view that a mandatory data breach notification scheme should be implemented as part of the measures to protect the large volumes of personal information that would be required to be stored by telecommunications carriers and carriage service providers.
2.1 What should be the appropriate test to determine the trigger for notification?
2.2 Should it be based on a catch all test, or based on more specific triggers, or another test?
2.3 What specific elements should be included in the notification trigger?
The OAIC considers that notification should be limited to circumstances where a breach is assessed as giving rise to ‘a real risk of serious harm’ to an individual. This threshold test, proposed in Recommendation 51-1 of ALRC Report 108, would not require entities to notify less serious privacy breaches to affected individuals or the OAIC. Use of this test, relative to other approaches, would reduce the compliance burden on entities and minimise the risk of ‘notification fatigue’ on the part of individuals. It would also direct the OAIC’s limited resources to the most serious matters.
The OAIC agrees with the ALRC’s approach to triggers as requiring analysis of risk depending on circumstances. In the experience of the OAIC, each breach is different in terms of numbers of people affected, how they might conceivably be affected, and possible mitigating steps. For example, the question of whether personal information was encrypted adequately in a particular incident of data breach will depend not only on the encryption method and strength, but also on the type and sensitivity of the personal information breached, the possibility of whether the information was stolen rather than lost, and whether the information has been recovered or not. A prescriptive approach (specifying a mandatory minimum encryption key-size, for example) would not assist in such an analysis. A principle-based approach is consistent with the approach of the Privacy Act, and would permit flexibility to ensure the application of the Privacy Act over time in changing privacy and technological environments.
The OAIC’s approach to notification triggers is reflected in our document Data breach notification: A guide to handling personal information security breaches (Voluntary Guidelines). Although the Voluntary Guidelines are not mandatory, the OAIC encourages their use by entities covered by the Privacy Act, and they may also be helpful in outlining good privacy practice for those entities not covered by the Privacy Act.
The Voluntary Guidelines recommend notification to affected individuals if the data breach has created a ‘real risk of serious harm to that individual’. Such an approach would also be appropriate in the case of mandatory notification. The risk of serious harm can be evaluated by assessing the following:
- the type of personal information involved in the breach
- the context of the affected information and the breach
- the cause and extent of the breach
- the risk of harm to the individual/s, including:
- the recipient/s of the information (for example, whether the disclosure was to a known, trusted entity; to a party suspected of involvement in criminal activity; to a colleague)
- the possible harms that could result (for example, identity theft; financial loss; threat to physical safety or emotional wellbeing; loss of business or employment opportunities; humiliation; damage to reputation or relationships; workplace or social bullying or marginalisation).
3.1 Who should be notified about the breach?
3.2 Who should decide whether to notify?
The OAIC considers that, subject to the above conditions having been met, an entity should be required to notify both the OAIC and affected individuals.
There may be circumstances where it may be inappropriate to notify affected individuals, such as when it is more appropriate to notify a carer or authorised representative, or when there is evidence that notification may exacerbate health conditions, such as acute paranoia (see also our response to Question 4, below). However, that should not prevent notification to the OAIC.
Similarly, where it is not immediately apparent who the affected individuals are, or where an investigation needs to be conducted to determine the affected individuals and that investigation has not yet been completed, that should not prevent notification to the OAIC.
If a mandatory notification requirement is introduced, then whether to notify will become a question of compliance for entities. Accordingly, the OAIC would favour the approach that, in the first instance and in the usual circumstances, entities, relying on legal advice if necessary, should decide whether notification is required as a matter of compliance.
The OAIC currently provides guidance and policy advice to entities on data breach matters. The OAIC’s advice is provided on the basis that it does not fetter the discretion of the Commissioner in the event that a complaint about the breach is made to the OAIC. In the event that a mandatory scheme was introduced, the OAIC could continue to provide general guidance to entities on the factors entities must consider.
The OAIC would support the Commissioner having the power to compel notification to affected individuals. However, this power would likely only be used in extreme circumstances, and subject to clearly documented and transparent policies.
4.1 What should be the form or medium in which the data breach notification is provided?
4.2 Should there be a set time limit for notification or a test based on notifying as soon as is practicable or reasonable?
4.3 What should be the content of the notification?
The OAIC’s guidance on how data breach notification should be effected is set out in detail in the Voluntary Guidelines. The OAIC considers that the approach suggested in the Voluntary Guidelines would still be appropriate with respect to a mandatory breach notification scheme.
The OAIC recommends that the method of notification to affected individuals be direct – by phone, letter, email or in person. However, entities should consider whether the method and content of notification might increase the risk of harm, for example by alerting a person who stole a laptop to the value of the information on it, if that would not otherwise be apparent.
Indirect notification – by website information, posted notices or social or mass media – should generally only occur where direct notification:
- could cause further harm to the individual/s
- is cost-prohibitive, or
- the contact information for affected individuals is unknown.
In certain cases, it may be appropriate to use multiple methods of notification.
Ideally, notification should be ‘standalone’ and should not be ‘bundled’ with other material unrelated to the breach, as it may confuse recipients and affect the impact of the breach notification. In addition, notifications should be made in formats which are accessible to individuals with disability.
Should there be a set time limit for notification or a test based on notifying as soon as is practicable or reasonable?
All breaches are different; accordingly, the OAIC considers that it would be inappropriate to be prescriptive about timeframes for breach notification. Rather, individuals affected by the breach, and the OAIC, should be notified as soon as reasonably possible.
The timeframe defined by ‘reasonably possible’ will differ from breach to breach. For example, a delay to disclose to affected individuals would be acceptable if:
- law enforcement authorities are involved, and require that the notification be delayed to avoid compromising an investigation, or
- repair and/or testing of systems is required in order to contain the breach.
However, these issues would not and should not prevent timely notification to the OAIC.
The OAIC’s guidance on the content of data breach notifications is set out in detail in the Voluntary Guidelines. The OAIC considers that the approach suggested in the Voluntary Guidelines would still be appropriate with respect to a mandatory breach notification scheme.
As stated in the Voluntary Guidelines, any breach notification should include:
- an incident description
- information about the type of personal information involved
- information about the entity’s response to the breach
- information about assistance that the entity is offering to affected individuals
- other information sources, such as the OAIC or Attorney-General’s Department
- the contact details of the notifying entity
- information about legal implications, and
- how affected individuals can lodge a complaint.
Breach notifications should also include:
- the fact that the OAIC has been notified (if that is the case), and
- information about whether any other parties, such as the police, insurers, financial institutions, regulatory bodies or other entities have been notified.
Email notifications may require special care. To avoid being confused with ‘phishing’ emails, email notifications may need to communicate only basic information about the breach, leaving more detailed advice to other forms of communication.
5.1 Should there be a penalty or sanction for failing to comply with a legislative requirement to notify?
5.2 If so, what should be the penalty or sanction, and the appropriate level of that penalty or sanction?
Should there be a penalty or sanction for failing to comply with a legislative requirement to notify?
Should data breach notification become mandatory, then it is essential that there be a penalty or sanction for failing to comply. The absence of a penalty would undercut the incentive for entities to comply with the legislative requirement (ie the deterrent objective). The OAIC is of the view that:
- the appropriate penalty for failure to comply with mandatory notification obligations should be a civil one, and
- the penalty regime should be flexible and scalable enough to provide an effective deterrent to the full spectrum of entities.
In the experience of the OAIC, the entities that suffer data breaches, and the scale of those breaches, can vary widely. A penalty that acts as an effective deterrent for a comparatively small organisation will not be an effective deterrent for a large multi-national company. Accordingly, it may be desirable for any penalty mechanism to include sufficient flexibility to impose penalties that are appropriate having regard to the specifics of the case.
The OAIC considers that any penalty imposed should be for the failure to notify the OAIC and affected individuals of a breach, rather than for any harm suffered by individuals as a result of the breach. Harm to individuals can be dealt with under the Commissioner’s powers to investigate, make determinations, award compensation or seek the application of a civil penalty under Part V of the Privacy Act as it is proposed to be amended by the Privacy Amendment (Enhancing Privacy Protection) Bill.
If so, what should be the penalty or sanction, and the appropriate level of that penalty or sanction?
The OAIC considers that any implementation of a civil penalty for a failure to comply with a mandatory data breach notification obligation should be consistent with the PCEHR Act (although not necessarily with respect to the size of the maximum penalty allowed by that Act).
As noted in our response to Question 1, certain participants in the eHealth record system have mandatory obligations to notify the system operator or the OAIC of data breaches under the PCEHR Act. Further, for some of these participants, a failure to comply with this obligation may result in the Commissioner applying to a court for the application of a civil penalty. Subsection 75(2) of the PCEHR Act provides for the imposition of a penalty of 100 penalty units, with one penalty unit currently worth $110.
The OAIC considers that it would be consistent to amend the Privacy Act to insert a civil penalty provision for the failure to comply with notification obligations. Consistent with the PCEHR Act and the civil penalty provisions proposed by the Privacy Amendment (Enhancing Privacy Protection) Bill, the OAIC would then need to apply to the Federal Court or Federal Magistrates Court for a civil penalty order under the proposed s 80W. The appropriate penalty would then be a matter for the Court’s discretion.
Further, the OAIC considers that there must be clarity that the imposition of a penalty for failure to notify does not mean that separate penalties for other breaches of the Privacy Act cannot or will not be imposed. For example, should the failure to notify a breach be considered an ‘interference with the privacy of an individual’ under s 13 or 13A of the Privacy Act (as proposed to be amended by item 42 of Schedule 4 of the Privacy Amendment (Enhancing Privacy Protection) Bill), then other penalties may also be enforceable. An entity that interferes with the privacy of an individual may, for example and depending on the circumstances, be liable to do an act or practice to redress any loss or damage suffered by the individual, pay compensation to the individual or pay a civil penalty. Again, the OAIC notes that, in each instance, the appropriate remedy or penalty awarded by the Court is discretionary.
6.1 Who should be subject to a mandatory data breach notification law?
6.2 Should the scope of a mandatory data breach notification law be the same as the existing scope of the Privacy Act?
The OAIC agrees with the ALRC view that the mandatory data breach notification law should apply to all entities regulated by the Privacy Act, regardless of industry or whether the entity is an agency or an organisation. Data collection and use are now ubiquitous in Australian business, government and communities, across industries and sectors. Any alternative approach, under which such legislation only applies to particular sectors or industries, would be contrary to community expectations of security and privacy.
The OAIC notes that some entities will be subject to data breach notification obligations under both the Privacy Act and the PCEHR Act (for example, the Department of Health and Ageing, the Department of Human Services, and repository and portal operators of the PCEHR System). It is desirable to minimise the administrative burden on such entities. This could be done by ensuring that the amendments to the Privacy Act, where possible, complement or reflect the requirements of the PCEHR Act.
7.1 Should there be an exception for law enforcement activities?
7.2 Would such an exception add anything to the ALRC’s proposed public interest exception?
ALRC Recommendation 51-1(d) proposes that an entity should not be ‘required to notify an affected individual where the Privacy Commissioner considers that notification would not be in the public interest or in the interests of the affected individual’.
The OAIC considers that it may be desirable to have the flexibility to delay or decline to notify affected individuals (but not the OAIC) in circumstances where such notification would compromise law enforcement activities relating to the investigation of the breach.
However, this does not mean that law enforcement activities require a specific exception; the public interest exception proposed in Recommendation 51-1(d) obviates the need for a more specific law enforcement exemption. The Commissioner is the appropriate authority to decide whether a notification should be delayed (see response to Question 4) or declined on a public interest basis.
Office of the Australian Information Commissioner, Information Sheet (Private Sector) 1A: National Privacy Principles, www.privacy.gov.au/materials/types/infosheets/view/6583
Office of the Australian Information Commissioner, Information Sheet (Public Sector) 1 – Information Privacy Principles under the Privacy Act 1988, www.privacy.gov.au/materials/types/infosheets/view/6541
Information Sheet (Private Sector) 1A: National Privacy Principles, www.privacy.gov.au/materials/types/infosheets/view/6583#npp4
Information Sheet (Public Sector) 1 – Information Privacy Principles under the Privacy Act 1988, www.privacy.gov.au/materials/types/infosheets/view/6541#d
In 2011-2012, the OAIC opened 37 own motion investigations and received 46 voluntary data breach notifications. However, by comparison, in 2010-11, the OAIC opened 59 own motion investigations and received 56 voluntary data breach notifications. www.oaic.gov.au/publications/reports/annual-report_11-12/index.html
See for example Asher Moses, ‘Telstra’s 743,000 account privacy blunder breached multiple laws: regulator’, (29 June 2012), The Age, www.theage.com.au/it-pro/security-it/telstras-734000-account-privacy-blunder-breached-multiple-laws-regulators-20120629-2165z.html and Asher Moses, ‘Super sloppy: First State customers kept in the dark’, (19 October 2011), The Sydney Morning Herald, www.smh.com.au/it-pro/security-it/super-sloppy-first-state-customers-kept-in-the-dark-20111019-1m7g6.html
Verizon RISK Team, 2012 Data Breach Investigations Report, www.verizonbusiness.com/about/events/2012dbir/index.xml
Media release: Privacy Commissioner supports the release of mandatory data breach notification Discussion Paper; 17 October 2012, www.oaic.gov.au/news/media_releases/media_release_121017_mdbn_paper.html
See for example the assertion of a privacy consultant that ‘…unreported breaches would easily number in the "thousands" each year’, in Asher Moses, ‘Thousands of privacy breaches going unreported’, (July 27 2011), The Sydney Morning Herald, www.smh.com.au/technology/technology-news/thousands-of-privacy-breaches-going-unreported-20110727-1hzes.html
Media release: Privacy Commissioner supports the release of mandatory data breach notification Discussion Paper; 17 October 2012.
In draft form as at September 2012, www.oaic.gov.au/news/consultations/eHealth/mandatory_data_breach_notification_guide_draft_September2012.html
See Attorney-General's Department 2012, Discussion Paper – Equipping Australia against Emerging and Evolving Threats, Term of Reference 3(a), p 13, www.aph.gov.au/Parliamentary_Business/Committees/House_of_Representatives_Committees?url=pjcis/nsl2012/index.htm
Crimes Act 1914 s 4AA, www.austlii.edu.au/au/legis/cth/consol_act/ca191482/s4aa.html
See clause 52(1A)(1A)(c) in Schedule 4 of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012.
See clause 52(1A)(1A)(d) in Schedule 4 of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012.
See clause 80W in Schedule 4 of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012.
See clause 80W in Schedule 4 of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012.