Australian Government - Office of the Australian Information Commissioner

Draft: Exceptions to notification obligations

The Office of the Australian Information Commissioner (OAIC) published this resource as an exposure draft on 27 September 2017. Comments are now closed.

September 2017

Key points

  • The Notifiable Data Breaches (NDB) scheme requires regulated entities (entities) to notify individuals and the Australian Information Commissioner (Commissioner) of ‘eligible data breaches’. A data breach is an ‘eligible data breach’ if an individual is likely to experience serious harm (see Identifying eligible data breaches and Notifying individuals about an eligible data breach).
  • There are some exceptions to the notification requirements, which relate to:
    • eligible data breaches of other entities
    • enforcement related activities
    • inconsistency with secrecy provisions
    • declarations by the Australian Information Commissioner.

Eligible data breach of other entities

Two or more entities may hold the same personal information in a number of circumstances, including through outsourcing arrangements or a joint venture[1]. If an eligible data breach involves personal information held by more than one entity, only one of the entities needs to notify the Commissioner and individuals (s 26WM).

The NDB scheme does not specify which entity must notify, in order to allow entities flexibility in making arrangements appropriate for their business and their customers.

Entities should consider making arrangements regarding compliance with NDB scheme requirements, including notification to individuals at risk of serious harm, such as in service agreements or other relevant contractual arrangements, as a matter of course when entering into such agreements.

The Commissioner suggests that, in general, the entity with the most direct relationship with the individuals at risk of serious harm should notify. This will allow individuals to better understand the notification, and how the eligible data breach might affect them.

If none of the entities notifies, then all of the entities may be found to have breached the notification requirements of the NDB scheme (s 26WL). It is the responsibility of each entity involved in an eligible data breach to be sure that the requirements of the NDB scheme are being met.

Enforcement related activities

An enforcement body does not need to notify individuals about an eligible data breach if its chief executive officer (CEO) believes on reasonable grounds that notifying individuals would be likely to prejudice an enforcement related activity conducted by, or on behalf of, the enforcement body (s 26WN).

‘Believes on reasonable grounds’ means the CEO must have a basis for the belief. It is the responsibility of the enforcement body to be able to justify the reasonable grounds for this belief, and the decision should be documented. ‘Reasonable belief’ is discussed further in the OAIC’s APP Guidelines.

The enforcement body must still provide a statement about the eligible data breach to the Australian Information Commissioner (see What to include in an eligible data breach statement). However, this statement does not have to include the steps recommended for individuals to take in response to the data breach, because individuals are not being notified (s 26WN).

If this exception applies, and the eligible data breach involves other entities, these other entities are not required to notify individuals (s 26WN(e)). Further, these other entities are not required to provide a statement about the eligible data breach to the Commissioner if the enforcement body has done so (s 26WM). To rely on this exception, other entities would usually need a written statement regarding the eligible data breach, dated and signed by the CEO of the enforcement body.

This exception does not apply if an eligible data breach is unrelated to an enforcement activity. For example, the exception may not apply to an eligible data breach involving employees’ personal information, which is unrelated to an investigation.

Inconsistency with secrecy provisions

Exceptions to notifying the Commissioner or individuals may apply where a Commonwealth law prohibits or regulates the use or disclosure of information (a secrecy provision). In particular:

  • the requirement to provide a statement to the Commissioner about the eligible data breach does not apply to the extent that this requirement is inconsistent with a secrecy provision (s 26WP(2))
  • the requirement to notify individuals about an eligible data breach does not apply to the extent that providing this notice is inconsistent with a secrecy provision (s 26WP(3)).

The exceptions in s 26WP are intended to preserve the operation of specific secrecy provisions in other legislation. A common purpose of secrecy provisions is to prohibit the unauthorised disclosure of client information. Most secrecy provisions allow the disclosure of information in certain circumstances, such as with an individual’s consent where the information relates to them, or where the disclosure of information relates to an officer’s duties, or the exercise of their powers or functions.

If an eligible data breach occurs, agencies should apply the exceptions under s 26WP only to the extent necessary to avoid inconsistency with a secrecy provision.

For example, if providing a statement about an eligible data breach to the Commissioner (s 26WK) would not be inconsistent with a secrecy provision, but notifying individuals (s 26WL) would be, the entity would only be required to notify the Commissioner.

The following is relevant in assessing whether a secrecy provision is inconsistent with the requirements of the NDB scheme:

  • if a secrecy provision permits the disclosure of information that is required or authorised by another law (such as the Privacy Act), there would not be an inconsistency between the secrecy provision and the NDB scheme notification requirements
  • if a secrecy provision does not allow the disclosure of information, even if the disclosure is required or authorised by another law (such as the Privacy Act), there may be inconsistency between the secrecy provision and the NDB scheme notification requirements
  • if a secrecy provision permits the disclosure of information in the course of an officer’s duties, there would not be inconsistency between the secrecy provision and the NDB scheme notification requirements, as complying with the notification requirements is the responsibility of the agency through its officers.

Declarations by the Australian Information Commissioner

In some circumstances, the Commissioner may declare by written notice that an entity does not need to comply with the NDB scheme notification requirements (s 26WQ). The purpose of the declaration by the Commissioner is to provide an exception where compliance with the NDB notification requirements would conflict with the public interest.

The Commissioner may declare that an entity is not required to provide a statement to the Commissioner or to notify particular individuals (s 26WQ(1)(c)), or that notification to individuals is delayed for a specified period (s 26WQ(1)(d)).

The Commissioner cannot make a declaration under s 26WQ unless satisfied that it is reasonable in the circumstances to do so, having regard to the public interest, relevant advice received from an enforcement body or the Australian Signals Directorate, and any other relevant matter. While the Commissioner is empowered to make a declaration if it is ‘reasonable in the circumstances to do so’, the Commissioner still has discretion about whether to make a declaration, and on what terms.

In deciding whether to make a declaration, and on what terms, the Commissioner will have regard to the objectives of the Privacy Act and other relevant matters. The Commissioner will consider whether the risks associated with notifying of a particular eligible data breach outweigh the benefits of notification to individuals at risk of serious harm.

Given the clear objective of the scheme to promote notification of eligible data breaches, and the inclusion of exceptions in the scheme that remove the need to notify in a wide range of circumstances, the Commissioner expects that declarations under s 26WQ will only be made in exceptional cases and only after a compelling case has been put forward by the entity seeking the declaration.

The procedure for applying for a declaration, and factors the Commissioner may consider, are outlined in the OAIC’s Regulatory Action Guide.

Footnotes

[1] The term ‘holds’ under the Privacy Act extends beyond physical possession of a record to include a record that an entity has a right or power to deal with (even if it does not physically possess the record or own the medium on which it is stored) (see s 6(1) of the Privacy Act). This means that one entity can physically possess personal information that another entity controls. For more information, see the discussion of ‘holds’ in Chapter B of the Australian Privacy Principles guidelines (APP Guidelines).