Privacy Commissioner publishes data breach notification guidelines for comment

The Office of the Australian Information and Privacy Commissioner has published draft resources for the Notifiable Data Breaches scheme, asking for public comment.
Written by Asha Barbaschow, Contributor

The Office of the Australian Information and Privacy Commissioner (OAIC) is seeking public comment on draft resources it has published relating to Australia's impending data breach notification laws.

The draft resources include guidelines on how to prepare an eligible data breach statement for when the scheme takes effect on February 22, 2018, how to assess a suspected breach, what qualifies for reporting, how to notify the OAIC of an incident, and exceptions under the legislated obligations.

The new laws mandated under the Privacy Amendment (Notifiable Data Breaches) Act require organisations covered by the Australian Privacy Act 1988 to notify any individuals likely to be at risk of serious harm by a data breach.

This notice must include recommendations about the steps that individuals should take in response to the data breach, the OAIC explains in its draft material. Australian Information Commissioner Timothy Pilgrim must also be notified.

"Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm," the OAIC said.

A data breach worthy of reporting is defined by the OAIC as one that is likely to result in serious harm to any of the individuals to whom the information relates, noting also that a data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.

Examples offered by the commissioner include a device containing customers' personal information that is lost or stolen, a database containing personal information that is "hacked", or where personal information is mistakenly provided to the wrong person.

As part of its reference material package, the OAIC prepared a guide to securing personal information, which also urges organisations to prepare or update their data breach response plan to ensure that they are able to respond quickly to suspected data breaches.

As not all data breaches are notifiable -- the scheme only requires organisations to notify when there is a data breach that is likely to result in serious harm to any individual to whom the information relates -- the OAIC explains that exceptions to the scheme will apply for some data breaches, meaning that notification to individuals or to the commissioner may not be required. The OAIC has asked for comment on its draft exceptions information.

Similarly, it is asking for responses to its draft document that aims to help organisations assess suspected data breaches.

Where an organisation becomes aware that there are reasonable grounds to believe an eligible data breach has occurred, they are obligated to notify individuals at likely risk of serious harm, in addition to Pilgrim, as soon as practicable. Organisations have 30 days to declare the breach.

According to the OAIC material, this notification must set out: the identity and contact details of the organisation, a description of the data breach, the kinds of information concerned, and recommendations about the steps individuals should take in response to the data breach.

It is asking for submissions to address the information to be included, as well as the format of the OAIC's "smart" form.

Lastly, the role of Pilgrim and his office in the data breach notification scheme is up for debate.

Responses to the OAIC's draft resources close October 23, 2017.

Speaking at the SINET61 conference in Sydney this week, David Thodey, chairman of the CSIRO and the former CEO of Telstra, said the fact Australia has to put laws in place to make disclosure of a breach happen is a "disappointment".

"Regulation is never the answer in the end," he said. "It should come from doing the right thing."

Thodey has had the unfortunate task of living through a breach, and said the aftermath was "not fun".

"You've got to make it right with your client base, manage your reputational issues, etc," he explained.

"I can remember a time when someone was working on confidential information, put it on a USB stick, took it home to do some work at home, and they lost the USB stick and it had employee information.

"These are serious issues and making that decision in the moment is very, very difficult and I know the privacy commissioner way too well and he's not always friendly."

Thodey, however, is concerned about the decision organisations need to make as to whether or not there are reasonable grounds to believe the breach affects an individual.

As the data breach notification scheme only applies to companies covered by the Privacy Act, intelligence agencies, small businesses with turnover of less than AU$3 million annually, and political parties are exempt from disclosing breaches.

Also speaking at the SINET61 conference this week was David Irvine, chairperson of the Australian Cyber Security Research Institute (ACSRI) -- formerly the head of the Australian Security Intelligence Organisation (ASIO) and director-general of the Australian Secret Intelligence Service (ASIS). Irvine questioned why political parties find themselves excused from the new laws.

"I think that should be treated as a rhetorical question; my response would be why indeed," Irvine told ZDNet.

"I think the parties probably do need a good cyber disaster to focus on this issue as is now happening in the United States."

Just this month alone, US credit rating and reporting firm Equifax revealed it had exposed as many as 143 million customers, and Deloitte confirmed it was targeted by a cyber attack on Tuesday resulting in the theft of confidential documents and emails.

It followed accusations throughout the year from US intelligence agencies that Russia hacked into Democratic Party emails, as well as revelations that the storefront of the National Republican Senatorial Committee contained malware that siphoned off every credit card number used in the store in a six-month period.