
Chapter 2: Data breach incidents and Commissioner initiated investigations


Legislative framework

2.1 The Commissioner may commence an investigation without a complaint if the matter may involve an interference with the privacy of an individual and the Commissioner considers it desirable to investigate. Where the Commissioner investigates and is of the view that an interference with privacy has occurred, the Commissioner may take further privacy regulatory action.

2.2 The OAIC also administers a system of voluntary reporting of data breaches. Under the Privacy Act, there is no express mandatory requirement to report a data breach to the OAIC, except in relation to the Personally Controlled Electronic Health Records (PCEHR) system. However, APP 11 requires entities to take reasonable steps to protect personal information. In some cases, it may be a reasonable step for an entity to notify affected individuals and the OAIC of a data breach and provide information to those individuals and the OAIC about the breach.

2.3 The OAIC considers reports of data breach incidents with a view to providing best practice privacy advice to entities that have experienced a data breach. The OAIC also determines whether the incident may require further privacy regulatory action.

Response to data breaches

2.4 The OAIC’s response to data breach incidents is in accordance with the Commissioner’s general functions of:

  • promoting understanding and acceptance of the Australian Privacy Principles and the objects of those principles (s 28(1)(c)(i) of the Privacy Act)

  • providing advice to entities covered by the Privacy Act, including providing advice to a Minister, Norfolk Island Minister or entity about any matter relevant to the operation of the Privacy Act (s 28B(1) of the Privacy Act).

2.5 Section 42(2) of the Privacy Act gives the Commissioner the power to make preliminary inquiries about a data breach incident to determine whether a matter may be suitable for a Commissioner initiated investigation.

2.6 In addition, s 27(2) of the Privacy Act provides that ‘[t]he Commissioner has power to do all things necessary or convenient to be done for, or in connection with, the performance of the Commissioner’s functions’.

2.7 For data breaches relating to the PCEHR system, the Commissioner also has relevant functions and investigative powers under the PCEHR Act.

Voluntary notification of data breach incidents

2.8 Entities are required to take reasonable steps to protect the personal information they hold from misuse, interference and loss and from unauthorised access, modification or disclosure (APP 11). Implementing strategies to manage data breaches, which may include voluntary notification of the data breach, could be a reasonable step to protect personal information as required by APP 11.[1]

2.9 The OAIC has developed the document Data breach notification: A guide to handling personal information security breaches, which encourages voluntary notification of affected individuals by entities that have experienced a data breach, and provides guidance on how to notify the OAIC of the issue.[2]

Mandatory notification of data breach incidents

2.10 Under s 75 of the PCEHR Act, some entities have a mandatory obligation to provide notification of certain data breaches in connection with the PCEHR system. The mandatory notification obligation applies to entities that are, or have at any time been, the System Operator,[3] a registered repository operator or a registered portal operator (as defined in the PCEHR Act). Depending on the entity involved, notification must be made to either or both the OAIC and the System Operator.

2.11 A failure by a registered repository operator or portal operator to notify in accordance with s 75 is a breach of a civil penalty provision and may result in that entity being liable to pay a penalty.

2.12 The PCEHR Act also outlines in s 75(4) the steps an entity must take to contain and respond to the breach. The OAIC has developed the document Mandatory data breach notification in the eHealth record system to assist entities to comply with their mandatory data breach obligations.


Purpose of responding to data breach incidents

2.13 The OAIC becomes aware of data breach incidents through a variety of channels, including voluntary data breach notifications, mandatory data breach notifications reported under the PCEHR Act, complaints by affected individuals, third party informants, media reports and assessments conducted by the OAIC.

2.14 Where the OAIC becomes aware of a data breach incident, the OAIC may make inquiries about the incident to determine whether:

  • the OAIC can provide advice or assistance to the affected entity, including best practice advice on data breach response and future prevention, and promote understanding of and compliance with the APPs and other relevant privacy provisions

  • further inquiries by the OAIC into the data breach may be in the public interest, for example, where the incident raises issues of public concern, or provides an opportunity for the OAIC to raise awareness about privacy issues

  • the data breach incident may warrant a Commissioner initiated investigation (CII) or other privacy regulatory action.


Procedural steps in responding to a data breach incident

2.15 The OAIC will assess each data breach incident on its own merits having regard to the particular circumstances of the case, and will respond to each using a ‘triage’ approach.

Triaging a data breach incident

2.16 The OAIC will triage data breach incidents in order to prioritise its resources by assessing whether to handle the incident as a ‘low severity’, ‘medium severity’ or ‘high severity’ incident. The severity of an incident may be reassessed by the OAIC as more information becomes known. Factors used to assess the severity of a data breach incident include:

  • how the breach was able to occur

  • whether the breach is an isolated instance, or whether it indicates a potential systemic issue[4]

  • whether the breach is contained

  • the type of personal information involved in the breach, including whether the breach involved ‘sensitive information’, or other information of a sensitive nature

  • the number of individuals potentially affected

  • whether affected individuals have been notified

  • the adverse consequences caused or likely to be caused to one or more individuals arising from the breach

  • what steps affected individuals can take to minimise harm resulting from the breach and whether these steps have been communicated to them by the entity

  • what mitigation action the entity that experienced the breach has taken or plans to take

  • what remedial activity the entity will take to prevent future breaches

  • whether other regulators (at the state, national, or international level) are investigating the incident

  • the level of public interest or concern regarding the breach

  • what steps the entity took to keep the information secure.

2.17 A ‘low severity’ incident is one that appears to create a low-level or no risk of harm to affected individuals, or that appears to be a one-off incident that has been addressed by the relevant entity.

2.18 A low severity incident may involve an unintentional disclosure of personal information that is not of a sensitive nature about a small number of individuals. For example, an incident where a staff member accidentally ‘carbon copies’ a bulk email address to the intended recipients rather than sending ‘blind carbon copies’, inadvertently revealing the recipients’ email addresses to each other.

2.19 The OAIC will generally note a low severity incident, provide guidance where appropriate, but otherwise take no further action unless the incident points to wider or systemic issues.

2.20 A ‘medium severity’ incident is one that creates a real risk of serious harm to a limited number of individuals.

2.21 For example, a scenario in which an employee of an entity inadvertently lost a file containing personal information of a sensitive nature relating to one of the entity’s customers on public transport would generally be considered a medium severity incident.

2.22 The OAIC will typically gather information concerning a medium severity incident from the relevant entity to allow it to be satisfied that the entity is handling the breach appropriately and taking reasonable steps to prevent the recurrence of future breaches of a similar nature.

2.23 A ‘high severity’ incident is one that creates a real risk of serious harm to a large number of individuals.

2.24 For example, an unauthorised access to the financial information of thousands of people as a result of a malicious attack on an entity’s computer network, giving rise to a real risk of identity theft and fraud for the affected individuals, would be considered a high severity incident.

2.25 The OAIC will immediately engage with the entity involved to ensure that the entity is appropriately handling the breach. The OAIC will consider whether it is appropriate to commence a CII in relation to the incident.

OAIC response to low severity data breach incidents

2.26 The OAIC will generally manage low severity data breach incidents by noting the incident and taking no further action, unless the incident points to wider or systemic issues. The OAIC may contact the entity (respondent) by phone or email to:

OAIC response to medium severity data breach incidents

2.27 The OAIC will generally manage medium severity data breach incidents by using the following procedure:

  • The OAIC will make initial contact with the respondent to gather information about the breach, and establish a contact point.

  • If the respondent has not already provided a data breach notification, the OAIC will write to the respondent to seek written confirmation about the breach, and other required information.

  • The OAIC will provide preliminary advice about the OAIC’s expectations, including copies or links to relevant OAIC resources such as the Data breach notification: A guide to handling personal information security breaches and Guide to securing personal information.

  • The OAIC will correspond with the respondent via email or letter, as more information becomes available and the respondent moves through their data breach response process.

  • If the OAIC is satisfied that the respondent is appropriately handling the breach, the OAIC will close the matter.

  • In some circumstances the OAIC may issue a warning letter (explained below). Where a medium severity data breach incident points to widespread or systemic issues, the OAIC may also consider commencing a CII.

OAIC response to high severity data breach incidents

2.28 The OAIC will initially assess high severity matters to determine whether they warrant the commencement of a CII. The relevant considerations in deciding whether to open a CII are discussed below. In particular, the Commissioner will take the following matters into account when deciding whether it is necessary to open a CII into a data breach incident:

  • the entity has voluntarily and proactively notified the OAIC of a data breach incident, and

  • the entity responded (or is in the process of responding) appropriately to the breach, including by containing the breach, taking reasonable steps to mitigate harm to affected individuals, and taking steps to limit future breaches, and

  • the entity cooperates fully with the OAIC’s inquiries into the breach.

2.29 If a CII is not commenced, the OAIC will generally handle high severity matters in accordance with the processes set out for medium severity matters above.

Warning letters

2.30 At the conclusion of the OAIC’s inquiries into a data breach, the OAIC may send a warning letter to an entity. The warning letter sets out the OAIC’s awareness of acts or practices of the entity that may not be compliant with its privacy obligations, and warns the entity that the OAIC will take future privacy regulatory action if it does not improve its compliance.

2.31 The OAIC will generally send a warning letter to an entity where the OAIC:

  • considers that the acts or practices of an entity raise an apparent case of non-compliance with the APPs

  • considers that the breach warrants some regulatory response by the OAIC but the matter does not warrant the seeking of an enforceable undertaking or the commencement of a CII.

Responding to mandatory data breach notifications under the PCEHR Act

2.32 The OAIC will follow similar steps to the process outlined above when responding to mandatory data breach notifications under s 75 of the PCEHR Act. In assessing and responding to mandatory notifications, the OAIC will consider compliance with the PCEHR Act in addition to compliance with the APPs where relevant. The OAIC may also consider whether the breach was reported ‘as soon as practicable’, as required under s 75(2).

2.33 Section 75(4) of the PCEHR Act also requires entities to take certain steps in responding to a notifiable data breach, including containing the breach, evaluating the risks arising from the breach, notifying affected consumers or asking the System Operator to notify affected consumers, and taking steps to prevent or mitigate the effects of further breaches. The OAIC will consider these steps when assessing the severity of the breach and the entity’s response.

2.34 The Commissioner has investigative powers under s 73(3) of the PCEHR Act, and may use these powers instead of the investigative powers under the Privacy Act if an investigation is warranted following a mandatory notification. However, the Commissioner will generally conduct investigations under the Privacy Act rather than the PCEHR Act unless there is a reason to conduct the investigation under the latter Act.

2.35 When entities are required to notify both the OAIC and the PCEHR System Operator of data breaches, the OAIC may consult with the System Operator when responding to the notification, in line with the Agreement for information sharing and complaint referral relating to the personally controlled electronic health (eHealth) record system between the OAIC and the System Operator.


Commissioner initiated investigations (CIIs)

2.36 Section 40 of the Privacy Act gives the Commissioner the power to conduct investigations. In particular, s 40(2) sets out that ‘[t]he Commissioner may, on the Commissioner’s own initiative, investigate an act or practice if:

  1. the act or practice may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1; and
  2. the Commissioner thinks it is desirable that the act or practice be investigated.’

2.37 Investigations conducted under s 40(2) are known as ‘Commissioner initiated investigations’ (CIIs).

2.38 Section 42(2) gives the Commissioner the power to make preliminary inquiries to determine whether a matter may be suitable for a CII. Once a CII has been commenced, the OAIC will conduct its investigation in accordance with the investigative provisions in Part V of the Privacy Act.

2.39 Section 30(1) provides that the Commissioner may report to the Minister about a CII, and shall do so:

  1. if so directed by the Minister; or
  2. if the Commissioner:
    1. thinks that the act or practice is an interference with the privacy of an individual; and
    2. does not consider that it is reasonably possible that the matter that gave rise to the investigation can be conciliated successfully or has attempted to conciliate the matter without success.

2.40 The Commissioner also has the option of conducting a CII into an alleged contravention of the PCEHR Act using section 73 of the PCEHR Act. However, the Commissioner will generally conduct a CII into an alleged contravention of the PCEHR Act using Part V of the Privacy Act unless there is a reason to conduct the investigation under the PCEHR Act.

Circumstances in which a CII may be considered

2.41 The OAIC becomes aware of matters that may warrant the commencement of a CII through a number of channels, including:

  • tip-offs from informants (directly to the OAIC, or by other mechanisms such as social media)
  • media reports
  • privacy assessments conducted by the OAIC
  • complaints by affected individuals that suggest a widespread, serious or systemic issue
  • reporting of serious and repeated interferences with privacy, and systemic issues from registered EDR schemes
  • data breach notifications.

2.42 The OAIC may conduct preliminary inquiries under s 42(2) of the Privacy Act to gather information to inform the Commissioner’s decision as to whether to commence a CII. The OAIC may gather information from a variety of sources, including the prospective CII respondent, data breach notifications, other regulators (Australian and international), affected individuals, informants, media reports, assessments conducted by the OAIC, complaints received by the OAIC, publicly available sources, and from independent experts or consultants.

2.43 If the Commissioner forms the view that a matter brought to the attention of the OAIC may involve an act or practice by the respondent that constitutes an interference with the privacy of an individual, or a breach of APP 1, the Commissioner may decide to open a CII into the matter.

Considerations in opening a CII

2.44 When deciding whether to commence a CII, the OAIC will consider the factors identified in paragraph 38 of the Privacy regulatory action policy. The OAIC will also consider:

  • whether it is necessary to commence a CII to obtain further information about a matter involving a potential interference with the privacy of an individual

  • whether there is a clear or apparent failure by the respondent to comply with relevant privacy provisions

  • whether there is a likelihood that a CII will reveal systemic privacy issues (either within the entity concerned or within an industry) or an increasing issue which may pose ongoing compliance or enforcement issues

  • the progress of an agency or organisation’s own investigation into the matter

  • whether the matter might be better dealt with by another regulator or body, or under another law

  • whether the matter is already being investigated by another regulator or body under another law, and whether opening a CII would result in regulatory duplication

  • whether the matter is already being investigated by another national privacy regulator (including consideration of whether there is an opportunity to collaborate with other national regulators in the investigative process)

  • whether the entity is willing to give enforceable undertakings under s 33E of the Privacy Act that would address the OAIC’s concerns

  • whether the regulatory burden on the entity likely to arise from the OAIC conducting the CII is proportionate to the gravity of the suspected interference with privacy

  • whether the scenario presents an opportunity to provide guidance to industry, Government or the public on better privacy practice and minimum privacy standards

  • in the case of a data breach incident:

    • the severity of the incident

    • whether the entity that experienced the data breach has:

      • voluntarily and promptly notified the OAIC

      • taken appropriate steps to respond to the data breach, and

      • cooperated with the OAIC’s inquiries into the breach.


Procedural steps in conducting a CII

2.45 Where the OAIC decides to commence a CII, the following steps will be taken:

  • The OAIC will notify the respondent in writing about its decision to commence a CII, and the basis for that decision.

  • After notifying the respondent of the investigation, the OAIC will typically place a notice on its website stating that it is commencing an investigation.

  • At any point during the investigation, the Commissioner may seek an enforceable undertaking from the respondent under s 33E of the Privacy Act. If the respondent agrees to give an undertaking that the Commissioner considers an adequate response to the data breach, the Commissioner may accept the undertaking and close the investigation.

  • Where the OAIC considers that there is a likelihood that the OAIC will decide to seek a civil penalty following the CII, the CII will be conducted with a view to ensuring that sufficient admissible evidence will be available to allow that case to be pursued in court if necessary.

  • The OAIC will correspond with the respondent to gather information. The OAIC will generally seek the cooperation of the respondent in the provision of necessary information. The OAIC may gather information from other sources as required.

  • The Commissioner may issue a notice under s 44 of the Privacy Act requiring a person to provide information or produce documents, or to give evidence to the Commissioner in person.

  • The Commissioner may also, under s 45, require a witness to attend and answer questions.

  • The OAIC may seek expert advice (for example, on technical matters).

  • The Commissioner or the OAIC may then take further regulatory action, including the following:

    • The Commissioner may seek an enforceable undertaking from the respondent under s 33E of the Privacy Act. More information about enforceable undertakings is available in Chapter 3 of this guide.

    • The Commissioner may make a determination under s 52(1A) of the Privacy Act. The determination, including the Commissioner’s reasons for the determination, will be published on the OAIC’s website. More information about determinations is available in Chapter 4 of this guide.

    • Where a civil penalty provision has been breached, the Commissioner may apply to the court for a civil penalty order under s 80W of the Privacy Act. More information about civil penalties is available in Chapter 6 of this guide.

    • The Commissioner may report to the Minister about a CII under s 30 of the Privacy Act. In certain circumstances, the Commissioner is required to report to the Minister (see above).

    In deciding whether and what regulatory action will be taken in a particular case, the OAIC will use the factors identified in paragraph 38 of the Privacy regulatory action policy, and the factors identified in clauses 6.2-6.3 of the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 (as applicable).

  • At the conclusion of a CII, the OAIC will typically place a notice on its website advising of the conclusion of the investigation.


Publication

2.46 The OAIC will make decisions about communications in connection with data breach notifications and CIIs in accordance with the considerations set out in the ‘Public communication as part of privacy regulatory action’ section of the Privacy regulatory action policy.


Footnotes

[1] See Chapter 11 of the APP Guidelines, paragraph 11.8.

[2] Data breach notification — A guide to handling personal information security breaches <www.oaic.gov.au/privacy/privacy-resources/privacy-guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches>

[3] ‘System Operator’ is defined in s 14 of the PCEHR Act.

[4] See definition of systemic privacy issues in the Privacy regulatory action policy (paras 12-13).
