
Privacy Amendment (Notifiable Data Breaches) Act 2017

The Privacy Amendment (Notifiable Data Breaches) Act 2017 inserted the mandatory notifiable data breaches scheme into the Privacy Act 1988. Covered entities must assess suspected breaches quickly, take all reasonable steps to complete that assessment within 30 days, and notify the Information Commissioner and affected individuals when there are reasonable grounds to believe an eligible data breach has happened. The scheme covers unauthorised access, unauthorised disclosure and some losses of information, with limited exceptions and important remedial action rules.


These are plain-English explainers, not legal advice. They are a good starting point, but check the linked official source before you rely on a specific section, and get advice for your situation.


The scheme this Act introduced

The Privacy Amendment (Notifiable Data Breaches) Act 2017 amended the Privacy Act 1988 to create a mandatory notification scheme for eligible data breaches. The Act itself is short, but it inserted a detailed new Part into the Privacy Act dealing with when a breach is notifiable, how an entity must assess a suspected breach, what must be included in a statement to the Information Commissioner, and how affected individuals must be notified.

The legislation is aimed at situations where personal information, credit information or tax file number information is compromised in a way that is likely to cause serious harm. It is not limited to deliberate attacks. The scheme expressly covers unauthorised access, unauthorised disclosure, and loss of information in certain circumstances. That means a ransomware event, an email sent to the wrong recipient, a lost device, or a misplaced file can all need legal assessment.

The practical effect for businesses is that data breach response is a legal compliance issue, not just an IT issue. Once the legal trigger is met, the entity must move quickly. The law sets a 30 day outer timeframe for completing a reasonable and expeditious assessment of a suspected eligible data breach, and then requires notification steps as soon as practicable if the entity has reasonable grounds to believe an eligible data breach has happened.

Who is in scope

The inserted provisions apply to several categories of entities and information holdings. The main category for most businesses is an APP entity that holds personal information and is required to comply with Australian Privacy Principle 11.1 in relation to that information. In practical terms, APP entities are the organisations and agencies regulated by the Privacy Act. For many private sector organisations, that will generally include businesses and not-for-profits with annual turnover above $3 million, but some smaller businesses are also covered under the Privacy Act.

The scheme also separately applies to credit reporting bodies holding credit reporting information, credit providers holding credit eligibility information, and file number recipients holding tax file number information. The legislation also contains a deemed holding rule for some overseas disclosures. If an APP entity disclosed personal information to an overseas recipient and APP 8.1 applied to that disclosure, the scheme can operate as if the information were still held by the APP entity. Similar deemed holding rules apply in some credit reporting situations involving bodies or persons with no Australian link.

For a business owner, the first practical check is not simply turnover. You should ask whether your organisation is an APP entity under the Privacy Act, whether you provide health services, whether you trade in personal information, whether you handle regulated credit information or tax file number information, and whether you disclose personal information overseas in a way that keeps responsibility with the Australian entity.


What counts as an eligible data breach

An eligible data breach exists where the statutory conditions are met. For APP entities, that starts with personal information held by the entity. The breach can happen in two broad ways.

First, there can be unauthorised access to, or unauthorised disclosure of, the information, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to one or more of the individuals concerned. Secondly, the information can be lost in circumstances where unauthorised access or disclosure is likely to occur, and if that access or disclosure were to occur, a reasonable person would conclude it would be likely to result in serious harm.

This is important because loss alone can trigger the scheme even before anyone confirms the information has been viewed. A lost laptop, USB, paper file or backup can therefore require assessment if unauthorised access or disclosure is likely and serious harm would likely follow.

The serious harm test is objective. The legislation says the decision-maker must consider matters including the kind of information, its sensitivity, whether it is protected by one or more security measures, the likelihood those measures could be overcome, the persons who have obtained or could obtain the information, whether a security technology was used to make the information unintelligible or meaningless to unauthorised persons and the likelihood those persons could circumvent it, the nature of the harm, and any other relevant matters. The Act gives encryption as an example of such a security technology and notes that an encryption key may be the information needed to circumvent it.

In practice, this means the same incident can produce different outcomes depending on the facts. Encrypted data may present a lower risk than unencrypted data. Contact details alone may present a different level of risk from health information, financial information or identity documents. A mistaken disclosure to a trusted professional adviser may be different from disclosure to an unknown third party. The legal question is whether a reasonable person would conclude serious harm is likely.

Remedial action and when notification can be avoided

The legislation does not require notification for every incident. It creates an important exception where effective remedial action is taken in time. This is one of the most practical parts of the scheme for businesses.

For unauthorised access or unauthorised disclosure, if the entity takes action before the access or disclosure results in serious harm, and as a result a reasonable person would conclude the access or disclosure would not be likely to result in serious harm, the incident is taken not to be an eligible data breach. The Act also allows for a narrower outcome where remedial action means a particular individual is no longer likely to suffer serious harm, so that person does not need to be notified even if others still do.

For loss of information, the timing is slightly different. If the entity takes action before there is any unauthorised access or disclosure and, as a result, there is no unauthorised access or disclosure, the loss is taken not to be an eligible data breach. If unauthorised access or disclosure has already occurred after the loss, notification can still be avoided if the entity acts before serious harm results and the action means a reasonable person would conclude serious harm is no longer likely.

The practical point is that speed matters. Containment steps such as recovering a device, revoking credentials, remotely wiping data, disabling access, or securing a mistaken recipient's confirmation may affect whether the legal threshold is met. But the exception depends on the statutory timing and outcome. The action must be taken before the relevant harm point described in the Act, and it must actually change the serious harm assessment.

Trigger points and assessment duties

The assessment duty starts before you know for sure that a notifiable breach has happened. It applies where an entity is aware that there are reasonable grounds to suspect there may have been an eligible data breach, but is not yet aware of reasonable grounds to believe that the circumstances amount to one.

At that point, the entity must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe an eligible data breach has occurred. The entity must also take all reasonable steps to ensure the assessment is completed within 30 days after becoming aware of the suspicion trigger.

This is not a permission to wait 30 days in every case. The statutory language requires a reasonable and expeditious assessment, with all reasonable steps taken to complete it within that period. For many incidents, the right response will be much faster. Businesses should therefore have an internal escalation process that gets legal, privacy, IT and operational decision-makers involved immediately.

The Act also includes coordination rules where the same access, disclosure or loss may amount to an eligible data breach of more than one entity. In some situations, compliance by one entity can displace duplicate obligations for another entity in relation to the same incident. That can matter in outsourcing, platform, software provider and group company arrangements, but the allocation should be checked carefully against the legislation and the relevant contracts.

Notification obligations in practice

If an entity is aware that there are reasonable grounds to believe there has been an eligible data breach of the entity, it must prepare a statement and give a copy to the Commissioner as soon as practicable. The statement must set out the entity's identity and contact details, a description of the eligible data breach, the kind or kinds of information concerned, and recommendations about the steps individuals should take in response.

After preparing the statement, the entity must notify individuals as soon as practicable. The Act sets out a stepped approach. If it is practicable to notify each individual to whom the relevant information relates, the entity must take reasonable steps in the circumstances to notify each of them. If that is not practicable, but it is practicable to notify each individual who is at risk from the eligible data breach, the entity must take reasonable steps to notify those at-risk individuals. If neither option is practicable, the entity must publish a copy of the statement on its website, if any, and take reasonable steps to publicise the contents of the statement.

The Act also says that if the entity normally communicates with a particular individual using a particular method, the notification may use that method. This gives businesses some flexibility to use existing communication channels, but the broader obligation remains to take reasonable steps in the circumstances.

For businesses, the operational challenge is usually not the wording of the statement but identifying the right notification group, deciding whether direct notice is practicable, and making sure the recommendations to individuals are useful and accurate. Customer support, media handling and regulator communications should be coordinated with the legal notification process.

Commissioner powers and statutory exceptions

The legislation gives the Information Commissioner several important powers. If the Commissioner is aware that there are reasonable grounds to believe there has been an eligible data breach, the Commissioner may declare that the statement and notification provisions do not apply in relation to that breach, or may declare that the time for notifying individuals is extended to a specified period. The Commissioner must be satisfied it is reasonable in the circumstances to do so, having regard to the public interest, relevant advice from an enforcement body or the Australian Signals Directorate, and any other relevant matters.

An entity can apply for one of these declarations. While the application is awaiting decision, the statement and notification provisions do not apply in relation to the relevant eligible data breach. The Commissioner may also refuse the application. The legislation also allows the Commissioner to extend a period previously specified in a declaration.

The Commissioner also has a separate power to direct an entity to notify an eligible data breach. This matters where the regulator forms the view that the legal threshold has been met and the entity has not taken the required steps on its own initiative.

There are also express statutory exceptions. The scheme does not apply where the relevant access, disclosure or loss has been, or is required to be, notified under section 75 of the My Health Records Act 2012. There is an exception for enforcement bodies where the chief executive officer reasonably believes compliance with the individual notification provision would be likely to prejudice enforcement related activities. There are also exceptions where compliance would be inconsistent with certain Commonwealth secrecy provisions.

These exceptions are specific and should not be assumed. A business should check carefully whether the exact statutory conditions are met before relying on them.

Consequences of non-compliance and practical checks

The Act provides that if an entity contravenes the assessment duty, the statement duty, the notification duty, or a Commissioner direction provision listed in the amendment, that contravention is taken to be an interference with the privacy of an individual. That links non-compliance with the broader enforcement framework of the Privacy Act.

For businesses, the most useful way to read this legislation is as a checklist for readiness. You should know whether your organisation is in scope, what information holdings could trigger the scheme, who decides whether there are reasonable grounds to suspect or believe a breach, how the 30 day assessment clock is tracked, what containment actions are available, and how statements and notifications will be approved and sent.

You should also review contracts with service providers, cloud vendors and overseas recipients. The deemed holding rules and multi-entity provisions mean responsibility can sit in places that are not obvious from a purely technical view of where the data is stored. Internal records of incidents, assessments, remedial action and notification decisions are also important, especially where you conclude that notification is not required because serious harm is not likely or because remedial action changed the outcome.


Dates and status

The Act received Royal Assent on 22 February 2017. Sections 1 to 3 commenced on that day. Schedule 1, which inserted the notifiable data breach amendments into the Privacy Act 1988, commenced on 22 February 2018 under the commencement table.

The title is listed as in force on the Federal Register of Legislation. Businesses should still check the current consolidated Privacy Act 1988 and any later amendments before relying on a summary page, especially because privacy law reform can affect the broader compliance landscape around the notifiable data breach scheme.
