Don't fall into a privacy breach

The ins and outs of Australian privacy laws — how they practically affect businesses and what to look out for.

In an increasingly digital age, more and more businesses are collecting, using, storing and transferring data critical to their operations than ever before. On the face of it, Australian privacy laws that govern these very functions appear dense, overly prescriptive and practically burdensome. This article navigates the ins and outs of these laws so far as they practically impact upon the privacy, data protection and cybersecurity capabilities of businesses, including a snapshot of Australia’s upcoming mandatory data breach notification scheme.

Australian Privacy Principles

The key obligations under Australian privacy law are set out in the Australian Privacy Principles (APPs) which are contained within the Privacy Act 1988 (Cth) (Privacy Act). The APPs regulate the use, management and disclosure of:

• Personal information, common examples of which include an individual’s name, address, signature, telephone number, date of birth and bank account details; and
• Sensitive information, which attracts a higher degree of regulation, including information about an individual’s racial or ethnic origin, political opinions, membership of a political, professional or trade association, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, health information, genetic information or biometric information.

The APPs apply to “APP entities”, namely public entities and private organisations (and their related bodies corporate, including those outside of Australia) with an Australian connection and a total annual turnover of more than $3 million (APP Entities).

The key APPs

Below is a summary of the key APPs and some practical tips for compliance by APP Entities. In addition to the APPs, there are numerous other Australian privacy related laws (not considered here), including data retention by telecommunication service providers and collection of health records by health service providers.

Privacy policy. APP Entities must create and maintain an up-to-date privacy policy (APP 1.3). This is the starting point for individuals to understand (and, where relevant, consent to) matters regarding the management of their personal information. A privacy policy must contain, at a minimum, those matters set out in APP 1.4.

Collection of personal information. The key APPs regarding the collection of personal information are:

1. An APP Entity must only collect personal information if it reasonably needs that information for its business (APP 3.2).
2. An APP Entity must obtain an individual’s consent to collect sensitive information (APP 3.3).
3. An APP Entity must notify an individual when personal information is collected, including describing the purpose for which the information is collected (APP 5).
4. An APP Entity must only use or disclose personal information for the purpose for which it was collected (APP 6.1). Personal information can also be used or disclosed for a secondary purpose if it is related to the primary purpose (and directly related in the case of sensitive information).

In September this year, the Australian Information Commissioner (Commissioner) fined Comcare $3000 for breaching an injured public servant’s privacy when it improperly shared details of his work-related injury to his previous employer and its insurer. The Commissioner found that Comcare improperly disclosed his personal information in breach of APP 6.1.

Cross border data transfers. APP Entities must take reasonable steps prior to disclosure of personal information to overseas recipients to ensure that such recipients do not breach the APPs (APP 8). Reasonable steps include having agreements in place with overseas group entities and third-party service providers to ensure their compliance with the APPs in dealing with the disclosed personal information.

This issue is becoming increasingly prevalent in light of the growing use of cloud storage and offshore data processing. Importantly, disclosing entities may be accountable, in certain circumstances, for acts or practices of overseas recipients that are in breach of the APPs (s. 16C of the Privacy Act).

There are certain exceptions to APP 8, including where:

1. The disclosing entity reasonably believes that the overseas recipient is subject to a legal system that has the effect of protecting an individual’s information in a substantially similar way to the APPs, and there are mechanisms for the individual to enforce that law; or
2. The disclosing entity informs the individual that if he or she consents to the disclosure of the personal information, the entity will not be required to take reasonable steps to ensure that the overseas recipients do not breach the APPs, and the individual consents to this disclosure.

Security of personal information. APP Entities must take reasonable steps to ensure that personal information it holds is secure (APP 11.1). Once an APP Entity no longer needs the personal information, it must destroy the information or ensure that it is de-identified (APP 11.2).

The Commissioner has issued a Guide to securing personal information: ‘Reasonable steps’ to protect personal information (updated in January 2015) that lists factors that are relevant in determining what steps are reasonable in the circumstances. The factors include the nature of the APP Entity; the amount and sensitivity of the personal information held; and the practical implications of implementing the security measure, including time and cost involved.

What data security standard companies must implement is a topical issue globally. A recent decision of a United States court offered a somewhat obtuse ruling as to what constitutes “reasonable data security” for US companies in complying with the Federal Trade Commission Act.

Mandatory data breach notification

Australian businesses are currently not legally required to report data breaches. The Commissioner has published guidelines that recommend that companies who are subject to a serious data breach should notify the Commissioner and the individuals to whom the breach relates.

On 19 October 2016, the Federal Government introduced the Privacy Amendment (Notification of Serious Data Breaches) Bill 2016 (Cth) (Bill). The Bill has bipartisan support and is likely to become law.

Some key issues for APP Entities to be aware of and prepare for are as follows.

• It will require APP Entities to notify the Commissioner and affected individuals of serious data breaches. A ‘serious breach’ occurs when there has been authorised access or disclosure of personal information, or personal information is lost and unauthorised access or disclosure is likely. Accordingly, it covers both cases of deliberate unauthorised access, such as hacking incidents, as well as losses or theft of laptops, hard drives or documents.
• For the breach to be ‘serious’, it must be likely to result in serious harm to the relevant individuals.
• An APP Entity must notify, in the form of a statement, a description of the breach, the kinds of personal information involved and any steps the affected individuals should take (for example, changing passwords).
• Failure to comply is deemed to be an interference with the privacy of the individual/s concerned. The Commissioner has the power to investigate, make determinations, seek enforceable undertakings and impose civil penalties (of up to $1.8 million) for serious or repeated infringements.

If the Bill becomes law, responding efficiently and effectively to a data breach will be imperative. APP Entities should consider preparing internally to minimise the risk of a breach, including by reviewing and strengthening computer systems, policies and procedures, and externally, including by understanding and preparing for the mandatory reporting requirements to regulatory authorities and affected customers or clients.

We foresee the real potential for litigation arising from mandatory data breach notification. This could be action for failing to report a breach, failing to report a breach in accordance with the requirements of the law or supply contracts with consumer or business customers, or potentially facing class action litigation from a class of individuals whose data was breached.

Since the introduction of mandatory data breach notification laws in various states across the US from 2003, there has been a significant amount of class action litigation against companies involved in data breaches. Mandatory notification may facilitate class actions by providing claimants with early notification of breaches, and assist in identifying the affected class of individuals and the type of claim to be made.

Image credit: ©alphaspirit/Dollar Photo Club