'Commencement of the Notifiable Data Breaches scheme', Optus Information Security Event

22 February 2018
Tags: privacy, Australian Privacy Principles, data breaches, General Data Protection Regulation (GDPR), Timothy Pilgrim

Keynote address by Australian Information Commissioner and Privacy Commissioner, Timothy Pilgrim, at the Optus Information Security event in Sydney

Good afternoon,

Firstly, I would like to acknowledge the traditional custodians of the land on which we are gathered and pay my respects to their Elders both past and present. I would like to extend that respect to all Aboriginal and Torres Strait Islander people here today.

And thank you to Optus for hosting this event — where we mark the introduction of the Notifiable Data Breaches scheme and mandatory data breach reporting requirements in Australia.

As of this morning, the various organisations and government agencies required to secure personal information under the Australian Privacy Act are obligated to notify individuals at likely risk of serious harm as a result of a data breach.

This represents a significant boost to privacy governance in Australia.

And it is one that is mirrored in privacy regulation across the world. The European Union’s General Data Protection Regulation, which commences in May this year, is one significant example that I am sure many of you are aware of.

The introduction of mandatory data breach notification schemes across regulatory jurisdictions reflects a shift in the way privacy is thought about by communities around the world, including here in Australia.

A few decades ago, only a few futurists may have predicted that by the early 2000s millions of people would download mobile applications or wear digital devices to monitor their health or sleeping habits.

Or, that social media applications, online shopping and dating profiles would become as ubiquitous as they are today.

The proliferation of digital platforms and technologies that utilise user data has reshaped our daily experiences and our expectations when it comes to interacting with each other, with government, and with business.

Generally speaking, Australians appear open to sharing their personal information in order to access a personalised product or service. Often, these digital platforms offer greater immediacy and enable greater efficiency in the various aspects of our lives.

At the same time, we are becoming more keenly aware of the value of data analysis as fuel for innovation, which can benefit the community in unprecedented ways. It can help us identify gaps in government services, and reveal needs for new or different products.

In this environment, the success of an organisation that handles personal information, or a project that involves personal information, depends on trust. People have to trust that their privacy is protected, and be confident that personal information will be handled in line with their expectations.

As a result, privacy today is really about transparency and accountability.

Transparency safeguards individuals’ choices about how their personal information is managed, and by whom.

Transparency also provides assurance that agencies and businesses are meeting their obligations as data custodians. This is integral to building and maintaining consumer trust, and community trust more broadly.

As we’ve found in our long-running national community attitudes to privacy surveys, people do consider privacy when choosing products and services. In the 2017 survey, 58 per cent of Australians said they had avoided an organisation due to privacy concerns. 44 per cent said the same thing about mobile applications.

In short, if an organisation does not demonstrate its commitment to privacy, people will look for alternative suppliers, products, and services.

We have also seen people’s privacy concerns reflected in the number of privacy complaints our office receives. In the last financial year, we received 2,494 privacy complaints, which is a 17 per cent increase from the previous financial year.

Further, our 2017 Australian Community Attitudes to Privacy Survey found that 83 per cent of Australians said they thought online environments are inherently more risky than offline ones, demonstrating a general lack of confidence in privacy protection across digital platforms.

One of the biggest risks organisations face in this environment is a data breach.

A data breach involving personal information can put affected individuals at risk of serious harm. For example, it might put someone at risk of financial loss or identity fraud. A data breach can also negatively affect an individual’s emotional well-being by causing emotional distress.

One of the potential consequences of this harm to individuals is a serious risk to an organisation’s reputation. It opens up an agency or business to being criticised for not taking the trust held in them to protect personal information seriously.

And, it is important to note that data breaches can result in the deterioration of people’s trust in data handling across the public and private sector.

It can prompt people to doubt the standards in place across an industry to secure personal information and data generally. This, in turn, can reduce support for new products and services. It can hinder an organisation’s ability to develop a social licence for innovative uses of data, and undercut efforts to improve data mobility and analysis — two key ingredients to unlocking the public benefits of data I mentioned previously. Realising the value of data depends largely on being able to have data shared and analysed by people with the right expertise.

However, it is important to recognise that trust in an organisation is not necessarily extinguished immediately after a data breach is discovered. After all, history has shown us that even organisations with great information security can fall victim to a data breach, due to the rapid evolution of data security threats and the difficulty of removing the risk of human error in large and complex organisations.

When a data breach occurs, a quick and effective response can have a positive impact on people’s perceptions of an organisation’s trustworthiness.

And by an ‘effective’ response, I mean one that successfully reduces or removes the risk of harm to individuals, and which aligns with community expectations.

As I stated earlier, the community’s expectations for personal information management are primarily based on the principles of transparency and accountability.

In our 2017 Australian Community Attitudes to Privacy Survey, 94 per cent of people stated they should be told if a business loses their personal information. That figure goes up to 95 per cent in relation to government agencies.

This shows close to unanimous support for the NDB scheme – and goes some way to explain the public vitriol that organisations can, and previously have, experienced when there is the perception that a serious data breach was concealed.

Consequently, notifying affected individuals is a key component of an effective data breach response strategy – and has been a part of many organisations’ response plans before this year. The potential reputational impact of appearing to hide a serious data breach is also likely behind the upward trend in the number of data breaches reported to my Office on a voluntary basis over the past few years.

In addition to demonstrating that an organisation does not take their responsibility to protect personal information lightly — there is a practical benefit afforded to data breach notification. It provides individuals with an opportunity to take steps to reduce their chance of experiencing harm.

For example, taking the relatively simple step of changing a password to a compromised online account can mitigate the risk of serious harm in some circumstances.

By prompting individuals to take action, notification can reduce the likelihood of potential harm eventuating, and lessen the impact of a data breach on both individuals and an organisation overall.

Over time, the standard of transparency provided by the NDB scheme also supports the realisation of a broader benefit — greater public trust in data management across industries.

The regulatory framework of the scheme serves to build confidence that organisations will be held accountable for personal information security.

Further, the scheme has encouraged, and will continue to encourage, reaching for a higher standard of privacy capability across industries — so that personal information security risks are proactively managed.

While eliminating the risk of a breach entirely may not be possible, regulations such as the NDB scheme and the mandatory reporting requirements of the GDPR make reducing and managing privacy risks a higher priority.

Over the past 12 months, my Office has worked extensively with representatives across industries in the development of guidance for the NDB scheme.

This includes guidance for individuals who may receive a data breach notification, on the practical steps they can take to reduce their risk of serious harm, and how the NDB scheme will affect them.

We have also developed extensive guidance for regulated entities about the requirements of the scheme, which is available on our website. I expect many of you would have utilised this guidance in preparing for the scheme last year – and I encourage you to continue to refer to the guidance to clarify the requirements of the scheme.

One area of particular interest, for both regulated entities and those that may receive data breach notifications, is understanding when a data breach is an ‘eligible data breach’; that is, when a data breach meets the threshold of ‘likely to result in serious harm’.

The requirement to notify does not apply to every data breach – it wouldn’t be in the interest of individuals, regulators, or organisations for that to be the case.

This is because receiving an email, phone call, or text message about data breaches that pose little or no risk of harm is likely to cause unnecessary stress in the short term, and potentially ‘notification fatigue’ in the longer term. Over-notifying can overwhelm individuals, and make it more difficult for someone to distinguish between the notifications that represent little risk, and those that will really matter to them.

The threshold of ‘likely to result in serious harm’ is in place to reduce the likelihood of notification fatigue, as well as avoid overburdening organisations with compliance obligations where there is little benefit to be derived.

It requires organisations to consider a data breach in context – including the types of personal information that have been affected, who has access to it, and a variety of other factors.

I would also expect that organisations immediately endeavour to reduce any risk of harm to individuals when a data breach is first suspected. In various instances, this remedial action can result in a data breach no longer presenting a likely risk of serious harm – which will mean that the notification requirements of the NDB scheme do not apply.

Individuals must be notified promptly about eligible data breaches under the scheme. You may believe a data breach is likely to result in serious harm shortly after becoming aware of it. For example, if you became aware that an attacker had stolen personal information in order to carry out financial fraud and there is no action that can be taken to successfully mitigate this risk, it may be immediately clear that notification is required.

In other circumstances, it may not be clear whether there is a risk of serious harm, or whether this harm is likely to occur. In these situations, the assessment obligations of the NDB scheme will apply.

An assessment of a suspected data breach must be ‘reasonable and expeditious’. Generally, it must be completed in a maximum of 30 calendar days. Organisations required to comply with the NDB scheme should already have processes and systems in place to quickly detect potential data security issues, in line with the existing security obligations of Australian Privacy Principle 11.

If, at any point, it is believed that a breach is likely to result in serious harm, organisations must notify affected individuals – regardless of whether an assessment has formally concluded.

After all, the overarching aim of the NDB scheme is to ensure that individuals are informed of a data breach so that they can reduce their risk of harm. The more time that elapses between a data breach and notification, the greater the risk of harm to individuals.

The NDB scheme requirements are not prescriptive in the practices and processes used to notify individuals, or to assess a suspected data breach.

The processes that are most effective in these areas will differ between industry sectors and different organisations. And they may change as expectations around what constitutes best practice evolve.

What will continue to be important is that your organisation demonstrates that reasonable and expeditious action is taken following a breach in order to protect the personal information you hold.

Achieving the expectations formalised by the NDB scheme requires the consideration of both technical measures and governance processes. Organisations are also likely to have other obligations in relation to data breaches affecting personal information, including the security requirements of Australian Privacy Principle 11 under the Privacy Act, or the requirements of other regulatory jurisdictions.

All of these components should be reflected in a data breach response strategy — which outlines the roles of staff and the actions they must take when a data breach occurs or is suspected.

To assist organisations in maintaining an effective data breach response strategy, my Office has released an update of our Data breach notification guide.

The new guide is titled ‘Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988’. The information consolidates the guidance we have published in recent years on data breach notification and developing a data breach response plan, as well as our guidance on the Notifiable Data Breaches scheme.

This is now available on the OAIC’s website, and provides a valuable resource for any staff member involved in compliance and risk management.

We will continue to provide information about how the NDB scheme is operating moving forward.

It is only the first day of implementation — so I don’t have any statistics to share with you yet; but we are expecting to receive a significant increase in the number of notifications we currently receive. We will see over the next few months whether that number mirrors the experience of the Dutch Data Protection Authority, which implemented mandatory data breach notification requirements in January 2016. In the first 100 days of their scheme, the Dutch DPA dealt with over 1,000 notifications.

The requirements of the NDB scheme are neither exceptional nor unexpected. After all, the scheme formalises a long-held expectation of consumers and the Australian community broadly; and is reflected in similar notification schemes in other regulatory jurisdictions.

This highlights how privacy has changed — today, privacy emphasises transparency and accountability. Meeting privacy obligations, and the expectations of the community, continue to be essential. Only by demonstrating a commitment to privacy can an organisation build and maintain people’s trust, and a social licence for innovative uses of data.

Thank you. I am happy to take any questions.