Earlier this year the Federal Government indicated it would introduce a mandatory data breach notification scheme. An exposure draft of the proposed legislation has now been released. The proposed legislation would require companies to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of serious data breaches. We explore the impact of the proposed laws on brand owners.
For the first time in Australia, there will be an obligation on brand owners to notify both the OAIC and the affected individuals of a serious data breach of personal information the brand holds. The UK and some US states already have express notification requirements. This will require a timely assessment of whether a data breach has occurred and whether the criteria for notification have been met.
A ‘serious data breach’ is defined as being:
- an unauthorised access to, or unauthorised disclosure of, information which ‘will result in a real risk of serious harm’ to any of the affected individuals;
- a loss of information which is ‘likely’ to result in unauthorised access or unauthorised disclosure of the information; or
- for specified, particularly sensitive information, a loss of that information which ‘may’ result in unauthorised access to, or disclosure of, the information.
What constitutes ‘harm’ is broadly defined to include psychological, emotional, physical and financial harm. Brand owners will need to assess whether there is a ‘real risk of serious harm to an individual’, taking into account factors such as:
- the kind of information and its sensitivity;
- whether the information is, or could be converted to be, in an intelligible form;
- whether the information is protected by security measures and the likelihood those measures could be overcome;
- the nature of the harm; and
- any action a brand owner may have taken to mitigate the harm.
Where there is a real risk of serious harm, the company will have an obligation to notify the OAIC as well as the affected individuals. The notification must be given ‘as soon as practicable’ after either the company becomes, or ought reasonably to have become, aware of the breach, with a maximum time of 30 days. Given that the timing requirement potentially relates to when a brand owner should have become aware of a breach, a greater emphasis on the detection of unauthorised access to data may be required for some organisations.
For data sent overseas for processing by third-party providers, Australian brand owners must ensure they know when a data breach occurs with respect to the information they have disclosed to the overseas provider. This may require local brands to reassess their contracts to ensure these obligations are met.
A failure to give notification is taken in and of itself to be a breach of the Privacy Act and an interference with the privacy of an individual. The costs associated with complying with this proposed legislation may be significant, both in terms of monitoring and compliance and the potential indirect costs of negative publicity following a data breach.
The exposure draft is open for public comment until 4 March 2016. It’s expected the Bill will be introduced into Parliament in 2016 and the notification requirements would become effective within 12 months.