Australian companies, individuals and Australian government agencies will soon have new responsibilities for data breaches occurring anywhere in the world. The new laws will directly affect Australian organisations that collect and use personal data, and indirectly affect overseas businesses offering cloud services and data storage to Australian organisations.
If an organisation has reasonable grounds to believe that personal information it holds has been accessed, disclosed or lost in a way that is likely to result in serious harm to the people to whom the information relates, it must notify the Office of the Australian Information Commissioner (“OAIC”) and, ordinarily, the affected individuals. Where it merely suspects such a breach, it must first assess the suspicion (see below). OAIC may apply to the Federal Court for civil penalty orders for serious or repeated interferences with privacy, and a failure to comply with the scheme is such an interference.
The requirement of OAIC notification has been drafted widely. A so-called “eligible data breach” occurs where two conditions are met:
- unauthorised access to, or unauthorised disclosure of, personal information held by an entity, or loss of that information in circumstances where such access or disclosure is likely to occur; and
- a reasonable person would conclude that the access or disclosure is likely to “result in serious harm to any of the individuals to whom the information relates”.
Importantly, where an entity is merely “aware that there are reasonable grounds to suspect that there may have been an eligible data breach”, it must carry out a reasonable and expeditious assessment of whether the breach is an eligible one, and complete that assessment within 30 days. If the assessment confirms the breach, notification to OAIC follows.
The new laws list the factors relevant to whether the “serious harm” threshold is met: the kind and sensitivity of the information, whether it was protected by security measures such as encryption and how easily those measures could be overcome, the persons who have obtained or could obtain it, and the nature of the likely harm.
The Australian Privacy Principles place accountability for the security of personal information on the Australian organisation that collects or controls it. The organisation having effective control of the personal information, rather than a third party “cloud” or secondary information service provider, carries the obligation to notify of any suspected or actual data breach. The fact that it was a third party server that was hacked, or that inadvertently published the data, does not exculpate the Australian organisation that was responsible for the security of the data in the first place.
Regardless of where the information is held, or who “allowed” the unauthorised disclosure to occur, the originating entity in Australia must provide the notification to OAIC. This adds to the existing requirement under the Privacy Act 1988 (Cth) that, before disclosing personal information overseas, Australian organisations take reasonable steps to ensure the overseas recipient will handle it in accordance with the Australian Privacy Principles.
These new laws have been passed and will come into effect sometime in the next 12 months. Organisations that collect and store personal information should:
- assess existing information security measures;
- educate information officers and institute internal checks and reporting protocols;
- verify the security measures employed by third party data service providers, including cloud and offshore providers;
- negotiate stronger contractual mechanisms requiring prompt breach notification by those providers, and protections against breach;
- seek indemnities, even if limited; and
- improve contract precedents.