Focus: Privacy Commissioner's new guide on notification of data breaches
11 September 2008
In brief: The Federal Privacy Commissioner has released a guide for businesses, government agencies and non-government organisations on how to respond to data security breaches, including when affected individuals should be notified. Importantly, the guidelines recognise that it is not always desirable that the individuals concerned be told about the breach. Partner Michael Pattison and Special Counsel Karin Clark discuss the guide's recommendations.
- What is the scope of the guide?
- What is a personal information security breach?
- Four main steps
- Putting in place a response plan
How does it affect you?
- The new guide contains helpful advice for all organisations (and particularly for managers responsible for privacy compliance and information security) about how to prevent and mitigate the damage that may result from a data security breach.
- The steps recommended in the guide about notifying security breaches are not specifically required by law, but organisations should still consider them carefully. This is because there are circumstances in which notification of a security breach may be part of a legal obligation to take reasonable steps to secure personal information, or part of a general duty of care to some individuals.
- If there is a security breach, assess the harm that the affected individuals are likely to suffer as a result. Where there is a real risk of serious harm, consider notifying the affected individuals of the breach. Any notifications should take place as soon as possible.
The Federal Privacy Commissioner (the FPC) recently released the Guide to handling personal information security breaches (the guide). The guide provides helpful guidance about what steps should be taken, or at least considered, by businesses, government agencies and non-government organisations in the event of a data security breach, in order to meet Australian information security obligations. Some of the advice is also useful as a way of assessing what security measures should be put in place to avoid a breach occurring in the first place.
The release of the guide is particularly timely given the spate of recent reports from overseas about the loss of large amounts of sensitive data by private and government organisations. It is also relevant given the recent recommendation of the Australian Law Reform Commission (the ALRC) that private sector organisations and federal agencies should be required to notify the FPC and affected individuals when a data breach has occurred that may give rise to serious harm to any affected individual (see Allens Client Update: Privacy 11 August 2008 and chapter 51 of the ALRC's For Your Information: Australian Privacy Law and Practice (the report)).
It is important to note that the advice in the guide is not mandatory, and particularly that there are currently no specific legal requirements in the Privacy Act 1988 (Cth) (the Act) to notify individuals if a breach of their data security has occurred. Nevertheless, public and private sector organisations should keep in mind that:
- they are generally required to take 'reasonable steps' to protect the personal information they hold from misuse and loss, and from unauthorised access, modification or disclosure, and notification of a breach may, in some circumstances, be considered a 'reasonable step';
- there may be circumstances in which they owe individuals a duty of care (independently of their obligations under the Act) to notify them of a security breach, to help those individuals protect themselves against identity fraud or other misuse of their data; and
- there are some classes of information (eg Tax File Numbers) and some sectors (such as the telecommunications industry) that are subject to additional privacy and confidentiality obligations.
Thus, the actual scope of an organisation's legal obligations may differ depending on the circumstances of the loss. However, given that there may be other advantages in notifying a loss (for example, notification might prevent harm to individuals, and it may be an important way of demonstrating corporate responsibility), the guide's recommendations should usually be taken into account, even if there is clearly no legal obligation to notify affected individuals.
The guide discusses loss of data that is the personal information of individuals, although some of its recommendations about how personal information should be secured could also apply to other kinds of data. It is also significant that the guide does not confine itself to data security breaches that result from a breach of the Act, but also covers breaches that may occur even if reasonable security measures have been taken.
The guide points out that security breaches are not limited to external malicious acts (such as 'hacking') but include internal errors and failures that may affect an individual's privacy as much as malicious actions. For example, the privacy of individuals may be seriously compromised as a result of:
- paper records being inadequately recycled or left in the garbage;
- computer hard drives and other storage media being disposed of without erasing contents;
- employees accessing personal information outside the scope of their employment; and
- lost (or stolen) laptops, removable storage devices or physical files.
The guide recommends taking four main steps in responding to a personal information breach.
Contain the breach and do a preliminary assessment
This part of the guide contains useful tips about what steps might need to be taken to immediately contain the breach, including quickly appointing someone to lead the initial assessment and considering whether it is appropriate to notify individuals immediately. At this point, the organisation should also assess whether other steps can be taken to mitigate the harm to individuals (the guide gives the example of a customer's bank account being compromised, and whether the affected account should be immediately frozen and the funds transferred to a new account).
Evaluate the risks associated with the breach
This part of the guide contains helpful comments and examples of how to evaluate the risks of a breach. For example:
- Could the information that has been accessed be easily combined with other public information to be used for fraudulent or other purposes that may significantly embarrass the individual?
- Has the stolen information been rendered unreadable by security measures?
- Is the breach an isolated incident or indicative of a systemic problem?
- What is the relationship between the unauthorised recipients and the affected individuals?
- What harm might result to the individuals concerned, as well as to the organisation?
- Might separate breaches of personal information have a cumulative effect?
Notification
The FPC recommends that: 'in general, if a personal information security breach creates a real risk of serious harm to the individual, those affected should be notified.'
The FPC also recommends that organisations:
- take into account the ability of the individual to take specific steps to mitigate any such harm; and
- consider whether it is appropriate to inform other third parties such as the police, professional bodies, the FPC or other regulators.
The guide provides a useful discussion about what to take into account when choosing a method of notification and what information needs to be provided in the notification. The notification may need to include (for example) information about how to mitigate the loss, and its precise wording may need to be checked for legal implications (including secrecy obligations that may apply to public sector agencies).
Prevent future breaches
The guide's suggestions on how to prevent future breaches (including the development of a breach response plan, designating a management group responsible for responding to personal information breaches, and other preventative steps) should be considered for implementation by all organisations as part of their general information security obligations, whether or not any data breaches have occurred.
The guide also contains a section on when it may be appropriate to notify the FPC of a security breach. While the FPC states that it cannot preclude investigating a breach if it is reported, it also puts forward a number of potential benefits of notification, including that such an initiative may be viewed by the public as a positive action and that it can assist the FPC in responding to inquiries made by the public and managing any complaints that may be made as a result of the breach.
For more information, or for assistance with assessing the impact of these recommendations and how your business may be able to implement them, please contact one of our experts below.