July 2019 Published By Policy Reform And Legislation NSW

July 2019
Published by
Policy, Reform and Legislation
NSW Department of Communities and Justice
Email: [email protected]
Phone: 02 8688 7777
GPO Box 31 SYDNEY 2001
www.justice.nsw.gov.au
Disclaimer
This document has been prepared by the Department of Communities and
Justice for general information purposes. While every care has been
taken in relation to its accuracy, no warranty is given or implied.
Further, recipients should obtain their own independent advice before
making any decisions that rely on this information.
Copyright information
© State of New South Wales through Department of Communities and
Justice 2019
You may copy, distribute, display, download and otherwise freely deal
with this work for any purpose, provided that you attribute the
Department of Communities and Justice as the owner.
Table of contents
1. Introduction
2. The New South Wales privacy framework
   Privacy and Personal Information Protection Act 1998
   Health Records and Information Privacy Act 2002
   IPC voluntary data breach reporting scheme
3. The rationale for introducing a mandatory data breach notification scheme in NSW
   Why data breaches occur
   The consequences for individuals and organisations
   Incentives and barriers to the reporting of data breaches
   Providing individuals with an opportunity to take remedial action
   A number of jurisdictions have introduced mandatory notification schemes
   A consistent approach to privacy breaches across the NSW public sector
4. Key features of mandatory data breach reporting schemes
   Reporting threshold
   Content and method of notification
   Timeframe for notification
   Compliance and enforcement powers
   Exceptions from notification requirements
Appendix A – Information Protection Principles
Appendix B – Health Privacy Principles
1. Introduction
===============
1.
NSW Government agencies hold a broad range of information
about citizens, including sensitive personal, health and
financial records. Unauthorised release of such information
can have serious consequences for individuals and agencies.
For individuals, the potential consequences include but are
not limited to:
* Reputational damage;
* Harm to physical or mental health;
* Financial loss;
* Identity theft;
* Family violence;
* Physical harm or intimidation.
2.
For government agencies, data breaches can cause significant
reputational damage and undermine public trust and confidence in
government.
3.
In NSW, the Information and Privacy Commission NSW (IPC) is
responsible for receiving and investigating complaints about
breaches of privacy. This can include complaints regarding data
breaches by NSW public sector agencies. The IPC has implemented
a voluntary data breach reporting policy to encourage agencies
to report breaches to the NSW Privacy Commissioner.1 However,
data breach reporting by agencies is not mandatory.
4.
On 22 February 2018, the Privacy Amendment (Notifiable Data
Breaches) Act 2017 (Cth) commenced. The Act establishes the
Commonwealth Notifiable Data Breaches (NDB) scheme under Part
IIIC of the Privacy Act 1988 (Cth) (the Privacy Act). The
objective of the scheme is to ensure that eligible data breaches
are notified to the Australian Information Commissioner.
5.
The NDB Scheme applies to organisations which are governed by
the Privacy Act 1988 (Cth), including most Australian Government
agencies, business entities with an annual turnover of more than
$3 million, and other organisations including:
* Health services providers;
* Businesses that sell or purchase personal information; and
* Credit reporting bodies.
6.
State government agencies that hold tax file number (TFN)
information are also required to comply with the Act, but only
in respect to TFN information. Otherwise, the scheme does not
apply to state government agencies or local councils.
7.
In response to developments at the Commonwealth level, the NSW
Government is considering whether a mandatory reporting regime
should apply to NSW public sector agencies. NSW public sector
agencies include agencies and organisations bound by the Privacy
and Personal Information Protection Act 1998 and Health Records
and Information Privacy Act 2002. This includes principal
departments, statutory authorities, universities, local
councils, and other bodies whose accounts are subject to
auditing by the NSW Auditor General.
8.
The purpose of this discussion paper is to seek feedback as to
whether NSW public sector agencies should be required to report
data breaches to the NSW Privacy Commissioner and, if so, how
the scheme should operate.
2. The New South Wales privacy framework
========================================
1.
In NSW, two principal Acts govern the protection of personal
and health information. These are the Privacy and Personal
Information Protection Act 1998 (NSW) (PPIP Act) and the
Health Records and Information Privacy Act 2002 (NSW) (HRIP
Act).
2.
The PPIP Act applies to NSW public sector agencies, as well as
local councils and universities. The HRIP Act also applies to
NSW public sector agencies, local councils, and universities.
In addition, the HRIP Act applies to public sector health
organisations and private sector organisations, health service
providers and businesses with a turnover of more than $3
million that hold health information.
3.
A number of other NSW laws also contain provisions that relate
to privacy, including the Workplace Surveillance Act 2005,
Surveillance Devices Act 2007, Adoption Act 2000, Assisted
Reproductive Technology Act 2007, Crimes (Forensic Procedures)
Act 2000 and the Criminal Records Act 1991.
Privacy and Personal Information Protection Act 1998
====================================================
4.
The Privacy and Personal Information Protection Act 1998 (NSW) (PPIP
Act) ensures that personal information is properly collected,
stored, used and released by NSW public sector agencies via the
Information Protection Principles (IPPs). A summary of the IPPs
is at Appendix A.
5.
Section 4 of the PPIP Act defines personal information as
‘information or an opinion (including information or an opinion
forming part of a database and whether or not in a recorded
form) about an individual whose identity is apparent or can
reasonably be ascertained from the information or opinion’. This
may include but is not limited to:
* Records that include names, addresses or other details;
* Photographs, images, video or audio footage;
* Fingerprints, body samples such as blood or genetic characteristics such as gene sequencing.
6.
Under the PPIP Act, individuals are entitled to access and
request changes to their personal or health information held by
NSW public sector agencies. The PPIP Act also permits citizens
to lodge a complaint with the NSW Privacy Commissioner if they
believe a NSW public sector agency has violated or interfered
with their privacy.1
7.
The PPIP Act includes a number of exemptions from the IPPs,
including in relation to law enforcement, authorised
non-compliance, where non-compliance would benefit the
individual, and research and credit information. Public Interest
Directions and Codes of Practice may also modify the application
of the IPPs.
8.
Where a person believes that a NSW public sector agency or
organisation has contravened an IPP, contravened a privacy code
of practice, or disclosed personal information kept on a public
register, they can lodge an application for internal review with
an organisation or lodge a complaint with the NSW Privacy
Commissioner. If an agency receives an application for internal
review, the agency must inform the NSW Privacy Commissioner, who
has an oversight role under section 54 of the PPIP Act.
9.
If the person is not satisfied with the outcome of an internal
review, they may apply to the NSW Civil and Administrative
Tribunal (NCAT) for administrative review of the agency’s
decision.
Health Records and Information Privacy Act 2002
===============================================
10.
The purpose of the HRIP Act is to promote fair and responsible
handling of health information. The HRIP Act contains 15 Health
Privacy Principles (HPPs) that place legal duties on
organisations in relation to the handling of personal health
information. A summary of the HPPs is at Appendix B.
11.
Section 6 of the HRIP Act defines health information as personal
information that is information or an opinion about:
* The physical or mental health of or a disability (at any time) of an individual;
* An individual’s express wishes about the future provision of health services;
* A health service provided, or to be provided, to an individual;
* Other personal information collected to provide, or in providing, a health service;
* Other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances;
* Other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of a genetic relative of the individual; or
* Healthcare identifiers.
12.
Individuals are also entitled to access and request corrections
to health information held by agencies and organisations. The
HRIP Act also gives powers to the NSW Privacy Commissioner to
receive, investigate and conciliate complaints made against an
agency, health service provider or organisation that holds
health information.
13.
There are some circumstances where individuals and organisations
do not have to abide by the HPPs. These circumstances are
outlined in Health Privacy Codes of Practice and Health Public
Interest Directions.
IPC voluntary data breach reporting scheme
==========================================
14.
NSW privacy laws do not currently require public sector agencies
to notify the NSW Privacy Commissioner, or affected individuals,
when a data breach occurs. However, the IPC Data Breach Policy
recommends that agencies, as a matter of good practice, should
notify the Commissioner and affected individuals where a data
breach creates a real risk of serious harm.1
15.
In addition to the Data Breach Policy, the IPC has also
developed a suite of resources to support the voluntary
reporting scheme. This includes fact sheets and guidance to
agencies on how to assess the seriousness of data breaches, what
actions should be taken in response to data breaches, and
whether breaches should be reported or not.2
16.
Where an agency reports a data breach, the NSW Privacy
Commissioner conducts a review to check the circumstances of the
breach. The review considers all relevant causes and considers
the steps the agency has taken in response to the breach, as
well as short or long-term measures identified by the agency
that could prevent a further breach.
17.
Following review, the NSW Privacy Commissioner writes to the
agency outlining any actions the Commissioner proposes to take,
or that the agency should take. This may include recommending
that the agency review its governance arrangements, contact
affected individuals, seek additional information, or deliver
privacy training. The IPC reports in a de-identified form the
number of voluntary notifications reported by agencies each
year, summarised in Table 1.
Table 1: Voluntary breach notifications reported to the NSW Privacy
Commissioner

Year      Voluntary notifications
2017–18   45
2016–17   103
2015–16   44
2014–15   11

Source: IPC Annual Reports
18.
Quarterly data published by the IPC since July 2018 provides a
breakdown of voluntary notifications by sector. The majority of
notifications received by the IPC are received from the state
government sector, which may reflect greater awareness regarding
the voluntary notification scheme amongst state government
agencies.
Table 2: Quarterly voluntary notifications by sector
Source: IPC website
3. The rationale for introducing a mandatory data breach notification scheme in NSW
===================================================================================
Why data breaches occur
=======================
1.
Privacy breaches can occur for a number of reasons. A breach can
occur due to a technical problem, failure to take reasonable
steps to manage risk of human error, inadequate policies and
training, or a misunderstanding of the law. Privacy breaches
commonly include:
* Sending emails to unintended recipients;
* Accidental loss of paper records, laptops or USB flash drives;
* Unauthorised access to information (for example, an employee looking up restricted information for personal reasons).
2.
Statistics released by the Office of the Australian Information
Commissioner (OAIC) show that 35 per cent of notifications
received under the Commonwealth mandatory reporting scheme in
the period 1 April 2018 to 31 March 2019 involved human error.1
3.
Privacy breaches can also be the result of a deliberate act.
Malicious or criminal attacks differ from human error breaches
in that they are deliberately crafted to exploit known
vulnerabilities for financial or other gain.2 This includes
cyber incidents such as phishing, malware, ransomware,
brute-force attacks or hacks. It can also include deliberate
acts committed by employees, such as theft of paperwork or
storage devices. Sixty per cent of notifications received by the
OAIC in the period 1 April 2018 to 31 March 2019 involved
malicious or criminal attacks.3
4.
The volume of personal information held by government agencies
can make them a target for cyber security attacks. Statistics
collected by the Australian Cyber Security Centre indicate that
in 2016–17, while the majority of cyber security incidents were
targeted at industry,4 around 20 per cent of cyber security
incidents were aimed at the Australian Government and eight per
cent were aimed at State and Territory Governments.5
The consequences for individuals and organisations
==================================================
5.
Depending on the size and nature of a data breach, the
consequences for individuals can be significant. This can
include:
* Financial fraud (including unauthorised credit card transactions or credit fraud);
* Identity theft causing financial loss or emotional and psychological harm;
* Family violence;
* Physical harm or intimidation;
* Damage to personal reputation or position.
6.
Data breaches can also have serious consequences for government
agencies. For example, a breach may create commercial risk
through the disclosure of commercially sensitive information, or
otherwise impact on an agency’s reputation, finances, interests
or operations. Ultimately, data breaches can lead to a loss of
trust and confidence in an agency or the services it provides.
Incentives and barriers to the reporting of data breaches
=========================================================
7.
There are a number of reasons that agencies should report data
breaches. According to the IPC, proactive reporting:
* Demonstrates to clients that processes are in place to identify and manage data breaches, and that these are deployed without delay;
* Strengthens data breach and privacy processes, preventing future breaches and minimising risk;
* Reinforces accountability for the protection of personal information internally and promotes a privacy positive culture; and
* Demonstrates to the public that the agency views the protection of information as a priority, helping to maintain public trust.1
8.
However, there are factors that may influence agencies not to
disclose data breaches. For example, the Australian Law Reform
Commission has identified that there are limited incentives to
encourage voluntary reporting of data breaches.2 In particular,
there may be little incentive to voluntarily report where:
* The cost of notifying may exceed expected damage to the organisation;
* The notification could result in negative media publicity;
* There is a risk of litigation proceedings by affected individuals; and
* There is real potential for reputational damage and lost future profits.3
Providing individuals with an opportunity to take remedial action
=================================================================
9.
Informing citizens when privacy breaches have occurred provides
them with an opportunity to take action to protect themselves
and potentially avoid adverse consequences.
10.
In its 2008 report on Australian Privacy Law and Practice, the
Australian Law Reform Commission (ALRC) noted that concerns
about identity theft and identity fraud have been key drivers
for the introduction of mandatory data breach notification
schemes in the United States.1 For example, Michael Turner
stated in a 2006 publication by the Information Policy Institute
that:
The logic behind notification is simple. If individuals are told that
their sensitive information has been breached, they can monitor their
accounts, take preventative measures such as opening new accounts, and
be ready to correct any damage done.2
11.
Other preventative or reactive measures that individuals can
take include checking accounts, changing account passwords,
notifying the police, reviewing financial accounts and credit
reports for fraudulent activity, and notifying financial
institutions.3
A number of jurisdictions have introduced mandatory notification schemes
========================================================================
12.
Mandatory notification schemes are increasingly considered ‘best
practice’. In addition to the Commonwealth NDB scheme, the
European Union,1 United States2 and Canada3 have also
implemented mandatory data breach notification schemes.
Legislation is currently before the New Zealand Parliament to
implement a mandatory notification scheme in New Zealand.4
13.
Surveys conducted in Australia indicate that the Australian
community expects to be told when a data breach occurs. For
example, the Australian Community Attitudes to Privacy Survey
2017 found that 94 per cent of respondents agreed that they
should be told if a business loses their personal information.5
Ninety-five per cent of respondents agreed that they should be
told if a government agency loses their personal information.6
A consistent approach to privacy breaches across the NSW public sector
======================================================================
14.
Many NSW public sector agencies already voluntarily report data
breaches to the IPC. However, the Commonwealth experience
suggests that underreporting may be the norm. For example, the
Office of the Australian Information Commissioner reported that notifications
increased by 712 per cent during the first year of the
Commonwealth NDB scheme.1 Without a clear and consistent
legislative framework, agencies may take different approaches to
the reporting of data breaches. Some agencies may report all
data breaches, some may report serious breaches only, while
others may not report at all.
15.
A legislated mandatory notification scheme would provide
certainty for the public and government agencies regarding
rights and obligations around the handling of personal
information and the actions that should be taken if a privacy
breach occurs.
Question 1:
Should the NSW Government introduce a mandatory data breach
notification scheme for NSW public sector agencies?
4. Key features of mandatory data breach reporting schemes
==========================================================
Reporting threshold
===================
1.
The Commonwealth NDB scheme requires all organisations with
personal information security obligations under the Privacy Act
to notify individuals of ‘eligible data breaches’.1 The
organisation must also advise the Australian Information
Commissioner.2 For the purposes of the NDB Scheme, an eligible
data breach occurs when the following criteria are met:
* There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur); and
* A reasonable person would conclude that this is likely to result in serious harm to any of the individuals to whom the information relates; and
* The entity has been unable to prevent the likely risk of serious harm with remedial action.3
Unauthorised access to or disclosure of personal information
2.
Personal information is defined in the Privacy Act as
‘information or an opinion about an identified individual, or an
individual who is reasonably identifiable:
a. Whether the information or opinion is true or not; and
b. Whether the information or opinion is recorded in a material form or not’.4
3.
The types of information captured under this definition include
an individual’s name, signature, address, telephone number, date
of birth, medical records, bank account details and commentary
or opinion about a person.5
4.
Under the NSW PPIP Act, ‘personal information’ is similarly
defined to mean ‘information or an opinion (including
information or an opinion forming part of a database and whether
or not in a recorded form) about an individual whose identity is
apparent or can reasonably be ascertained from the information
or opinion’.6
5.
In order to be considered an eligible data breach, the
Commonwealth NDB scheme requires there to be unauthorised access
to or disclosure of personal information. Examples of
unauthorised access or disclosure include malicious action (by
an external or insider party), human error, or a failure in
information handling or security.7 Common examples include:
* Loss or theft of physical devices such as laptops or physical records;
* Unauthorised access to information by an employee;
* Inadvertent disclosure of personal information, for example, an email sent to the wrong person; and
* Disclosure of information to a scammer due to inadequate identity verification procedures.8
6.
The NDB scheme does not require entities to report breaches of
any Australian Privacy Principle (APP) prescribed under the
Privacy Act. While some APPs relate to unauthorised use or
disclosure, others place broader obligations on entities,
including in relation to:
* When individuals should be notified that personal information is being collected;9
* The taking of reasonable steps to ensure personal information is up to date, accurate and complete;10
* The correction of personal information held about individuals;11 and
* Providing individuals with access to their personal information on request.12
7.
Where an individual considers that an APP has been breached,
they may make a complaint under the Privacy Act regardless of
whether the entity is required to report it under the NDB
scheme. Similar Information Protection Principles and complaint
mechanisms apply under the NSW PPIP Act and HRIP Act.
Serious harm
8.
The term ‘serious harm’ is not defined in the Privacy Act.
However, guidance issued by the Office of the Australian
Information Commissioner provides advice to agencies and
organisations about how to assess whether a risk of serious harm
is likely to occur.13 The guidance provides that, in the context
of a data breach, serious harm to an individual may include
serious physical, psychological, emotional, financial, or
reputational harm.14 The phrase ‘likely to occur’ means the risk
of serious harm is more probable than not, as opposed to
possible.15
9.
Whether a data breach is likely to result in serious harm
requires an objective assessment determined from the viewpoint
of a reasonable person in the entity’s position.16 The Privacy
Act also provides a non-exhaustive list of ‘relevant matters’ to
assist entities assess the likelihood of serious harm, which
includes:
* The types of personal information involved in the data breach;
* The sensitivity of the information;
* Whether the information is protected by security measures;
* The persons who have obtained, or could obtain, the information;
* The likelihood that the persons who have obtained, or could obtain, the information have the intention of causing harm or could circumvent the security measures; and
* The nature of the harm.17
10.
The NSW Privacy Commissioner’s voluntary notification scheme
also encourages agencies to notify individuals of data breaches
where the breach creates a real risk of serious harm to the
individual.18 The IPC has issued guidance to help agencies
determine what constitutes a serious breach.19
11.
There would be benefit in aligning the reporting threshold under
a NSW mandatory notification scheme with the Commonwealth NDB
scheme reporting threshold, particularly where NSW public sector
agencies are already subject to the Scheme. However, additional
legislative guidance as to the meaning of ‘serious’ may be
justified in order to provide agencies with clear guidance and
limit the subjective nature of the assessment.
12.
Other jurisdictions also apply, or intend to apply, a threshold
of ‘serious’ or ‘significant’ harm but provide additional
guidance in legislation. For example, in Canada, significant
harm is defined to include bodily harm, humiliation, damage to
reputation or relationships, loss of employment, business or
professional opportunities, financial loss, identity theft,
negative effects on a credit record and damage to or loss of
property.20
13.
The proposed Privacy Bill 2018 (NZ) applies a threshold of
‘serious harm’. While the Bill does not define the term serious
harm, it includes a list of factors that agencies must consider
when assessing whether a privacy breach is likely to cause
serious harm.21 The European Union General Data Protection
Regulation requires individuals to be notified of data breaches
where there is a high risk to the rights and freedoms of a
natural person.22
Question 3:
a. Is the threshold of ‘likely to result in serious harm’ appropriate, or should a different standard be applied?
b. Should legislation define the term serious harm?
c. Should legislation prescribe the factors an agency must consider when assessing whether a data breach meets the threshold of serious harm?
Remedial action
14.
The Commonwealth NDB scheme provides that a breach is not an
eligible data breach if an entity acts quickly to remediate the
breach, and as a result of this action, a reasonable person
would conclude that the breach is not likely to result in
serious harm.23 This is intended to provide entities with an
incentive to take positive steps to address data breaches in a
timely manner.24
15.
Examples of when remedial action may prevent serious harm from
occurring and avoid the notification requirement include:
* Where a data file containing personal information has been sent to the wrong recipient, but the sender realises the error and contacts the recipient before the information is accessed and confirms that the file has been deleted;25 and
* Where an employee leaves a smartphone on public transport and immediately requests that the employer’s IT support staff remotely delete any information stored on the phone.26
Question 4:
Should legislation require NSW public sector agencies to report
data breaches only where the agency has been unable to prevent
likely risk of serious harm with remedial action?
Content and method of notification
==================================
16.
Legislation establishing mandatory notification schemes
generally prescribes the content and form of the notification
that entities must provide to the relevant authority. For
example, the Commonwealth NDB scheme requires that a statement
be provided to the Australian Information Commissioner which
includes the following details:
* The identity and contact details of the entity;
* A description of the eligible data breach the entity has reasonable grounds to believe has happened;
* The kind, or kinds, of information concerned; and
* Recommendations about the steps that individuals should take in response.1
17.
The entity must also notify individuals affected by the breach
about the content of the statement, or if this is not
practicable, publish a statement on their website and take
reasonable steps to publicise it.2 The entity can tailor the
form of the notification and may use any method to notify
individuals, including a telephone call, SMS, physical mail,
social media post or in-person conversation, provided the method
is reasonable.3
18.
Current guidance issued by the IPC under the voluntary
notification scheme suggests that agencies include the following
content in a notification:
* Information about the breach, including when it happened;
* A description of the data that has been disclosed and assurances about what data has not been disclosed;
* What the agency is doing to control or reduce the harm;
* What steps the person can take to further protect themselves; and
* Information about the individual’s right to lodge a privacy complaint with the NSW Privacy Commissioner and contact details for the IPC.4
19.
The IPC also provides templates that agencies can use to notify
the NSW Privacy Commissioner and affected individuals.5
Question 5:
a. What information should be notified to the NSW Privacy Commissioner and affected individuals in relation to data breaches?
b. Should the legislation prescribe the form and content of the notification?
Timeframe for notification
==========================
20.
The timeframe for notification that is set in legislation is an
important mechanism to encourage agencies to respond to data
breaches swiftly. A prompt response can assist individuals to
mitigate harm and reflect positively on the agency’s reputation.
21.
However, there is also benefit in providing agencies with
sufficient time to investigate the nature and extent of a breach
and determine an appropriate response. If the timeframe for
notification is too short, this may result in a ‘rush to notify’
and over-reporting of breaches. This may in turn lead to ‘breach
fatigue’, whereby individuals pay less attention to each
individual data breach over time.
22.
In Canada, data breaches must be notified as soon as feasible
after the organisation determines that the breach has occurred.1
The New Zealand Privacy Bill 2018 takes a similar approach,
stating that an agency must notify the Commissioner as soon as
practicable after becoming aware that a notifiable breach has
occurred.2
23.
The European Union requires data breaches to be reported to the
relevant regulator without undue delay and, where feasible, not
later than 72 hours after an organisation becomes aware of the
breach.3 Where the breach is likely to result in a high risk to
affected individuals, it must be communicated to them without
undue delay. The Commonwealth NDB scheme requires entities to
take all reasonable steps to investigate within 30 days of
becoming aware that there may have been an eligible data breach.4
Once the entity has reasonable grounds to believe there may have
been such a breach, the Australian Information Commissioner and
affected individuals must be notified as soon as practicable.5
Question 6:
What notification timeframe should be prescribed in the legislation?
Compliance and enforcement powers
=================================
24.
Where organisations do not comply with notification
requirements, legislation establishing mandatory notification
schemes confers a range of compliance and enforcement powers on
the relevant authority.
25.
Under the Commonwealth NDB scheme, failure by an entity to meet
any of the following requirements is classed as interference
with the privacy of an individual:1
* Conduct a reasonable and expeditious assessment of a suspected eligible data breach;
* Take all reasonable steps to ensure that the assessment is completed within 30 days of becoming aware;
* Prepare a statement about the data breach and provide a copy to the Commissioner as soon as practicable;
* Notify the contents of the statement to individuals at risk of serious harm; or
* Comply with a direction from the Commissioner to prepare a statement and notify as soon as practicable.
26.
The Commissioner’s powers include accepting enforceable
undertakings, seeking court injunctions, and making
determinations.2 Where the failure constitutes a serious or
repeated interference with privacy, the Commissioner may apply
to court for a civil penalty order.3 The maximum civil penalty
available is 2,000 penalty units (currently $420,000), or 10,000
penalty units ($2.1 million) for body corporates.4
27.
However, the preferred approach of the Commissioner is to work
with entities to encourage and facilitate compliance with the
obligations of the NDB scheme before taking enforcement action.5
28.
Legislation in other jurisdictions also provides for penalties
where an entity fails to comply with reporting requirements. In
New Zealand, the proposed Privacy Bill 2018 provides for fines
of up to NZ$10,000.6 In the European Union, failure to notify a
breach can result in a fine of up to €10 million or 2 per cent
of global turnover.7 The maximum fine in Canada is C$100,000.8
29.
Authorities in other jurisdictions also have complaint and
investigation powers to encourage compliance with mandatory
reporting requirements. These include powers to compel the
production of information, enter premises, issue compliance
notices, and issue warnings and reprimands.9
30.
The NSW Privacy Commissioner is already empowered to conduct
investigations in response to complaints about the handling of
personal information under the PPIP Act.10 The Commissioner may
require agencies to produce information and documents for that
purpose and require agencies to appear before the Commissioner
in conciliation proceedings.11
31.
A person may also request that an agency conduct an internal
review regarding its handling of personal information.12 If the
person is not satisfied with the result, they may apply to NCAT
for a review of the conduct complained about.13 NCAT may order
the agency to change its practices, apologise, take steps to
remedy damage, and/or pay compensation of up to $40,000 for loss
or damage suffered.14
Question 7:
a.
Does the NSW Privacy Commissioner require any additional
powers to encourage compliance with a mandatory notification
scheme?
b.
Should monetary penalties apply where NSW public sector
agencies fail to comply with the requirements of the scheme?
Exceptions from notification requirements
=========================================
32.
The Commonwealth NDB scheme provides for certain exceptions from
the requirement to notify. These include:
* Where information is held jointly with another entity (in this
  situation, only one entity is required to notify);1
* Where notification would be inconsistent with a Commonwealth law
  that prohibits or regulates the use or disclosure of information
  (a secrecy provision);2 and
* Where the CEO of a law enforcement body believes on reasonable
  grounds that notification would be likely to prejudice an
  enforcement activity.3
33.
In NSW, law enforcement and investigative agencies are already
exempt from certain requirements of the PPIP Act. For example,
law enforcement agencies are not required to comply with
particular IPPs if compliance would prejudice the agency’s law
enforcement functions.4 Investigative agencies, such as the
Independent Commission Against Corruption and Law Enforcement
Conduct Commission, are also exempt from compliance with certain
IPPs if compliance would detrimentally affect the agency’s
complaint handling or investigative functions.5
Question 8:
What exemptions from the requirement to notify individuals and
the NSW Privacy Commissioner of eligible data breaches should
apply?
Appendix A – Information Protection Principles
==============================================
Collection
1.
Lawful
An agency must only collect personal information for a lawful purpose.
It must be directly related to the agency’s function or activities and
necessary for that purpose.
2.
Direct
An agency must only collect personal information directly from you,
unless you have authorised collection from someone else, or if you are
under the age of 16 and the information has been provided by a parent
or guardian.
3.
Open
An agency must inform you that the information is being collected, why
it is being collected, and who will be storing and using it. You must
also be told how you can access and correct your personal information,
if the information is required by law or is voluntary, and any
consequences that may apply if you decide not to provide it.
4.
Relevant
An agency must ensure that your personal information is relevant,
accurate, complete, up-to-date and not excessive. The collection
should not unreasonably intrude into your personal affairs.
Storage
5.
Secure
An agency must store personal information securely, keep it no longer
than necessary and dispose of it appropriately. It should also be
protected from unauthorised access, use, modification or disclosure.
Access and accuracy
6.
Transparent
An agency must provide you with details regarding the personal
information they are storing, why they are storing it and what rights
you have to access it.
7.
Accessible
An agency must allow you to access your personal information without
excessive delay or expense.
8.
Correct
An agency must allow you to update, correct or amend your personal
information where necessary.
Use
9.
Accurate
An agency must ensure that your personal information is relevant,
accurate, up to date and complete before using it.
10.
Limited
An agency can only use your personal information for the purpose for
which it was collected unless you have given consent, or the use is
directly related to a purpose that you would expect, or to prevent or
lessen a serious or imminent threat to any person’s health or safety.
Disclosure
11.
Restricted
An agency can only disclose information in limited circumstances if
you have consented or if you were told at the time they collected it
that they would do so. An agency can also disclose your information if
it is for a directly related purpose and it can be reasonably assumed
that you would not object, if you have been made aware that
information of that kind is usually disclosed, or if disclosure is
necessary to prevent a serious and imminent threat to any person’s
health or safety.
12.
Safeguarded
An agency cannot disclose your sensitive personal information without
your consent, for example, information about ethnic or racial origin,
political opinions, religious or philosophical beliefs, sexual
activities or trade union membership. It can only disclose sensitive
information without consent in order to deal with a serious and
imminent threat to any person’s health or safety.
Source: Fact Sheet, Information Protection Principles (IPPs) for the
public, Information and Privacy Commission NSW, September 2014
Appendix B – Health Privacy Principles
======================================
Collection
1.
Lawful
An agency or organisation can only collect your health information for
a lawful purpose. It must also be directly related to the agency or
organisation’s activities and necessary for that purpose.
2.
Relevant
An agency or organisation must ensure that your health information is
relevant, accurate, up-to-date and not excessive. The collection
should not unreasonably intrude into your personal affairs.
3.
Direct
An agency or organisation must collect your health information
directly from you, unless it is unreasonable or impracticable to do so.
4.
Open
An agency or organisation must inform you why your health information
is being collected, what will be done with it and who else might
access it. You must also be told how you can access and correct your
health information, and any consequences if you decide not to provide
it.
Storage
5.
Secure
An agency or organisation must store personal information securely,
keep it no longer than necessary and dispose of it appropriately. It
should be protected from unauthorised access, use or disclosure.
Access and accuracy
6.
Transparent
An agency or organisation must provide you with details regarding the
health information they are storing, why they are storing it and what
rights you have to access it.
7.
Accessible
An agency or organisation must allow you to access your health
information without unreasonable delay or expense.
8.
Correct
Allows a person to update, correct or amend their personal information
where necessary.
9.
Accurate
Ensures that the health information is relevant and accurate before
being used.
Use
10.
Limited
An agency or organisation can only use your health information for the
purpose for which it was collected or a directly related purpose
(unless an exemption applies). Otherwise separate consent is required.
Disclosure
11.
Limited
An agency or organisation can only disclose health information for the
purpose for which it was collected or a directly related purpose
(unless an exemption applies). Otherwise separate consent is required.
Identifiers and Anonymity
12.
Not identified
An agency or organisation can only give you an identification number
if it is reasonably necessary to carry out their functions
efficiently.
13.
Anonymous
Give the person the option of receiving services anonymously, where
this is lawful and practicable.
Transferrals and linkage
14.
Controlled
Only transfer health information outside New South Wales in accordance
with HPP 14.
15.
Authorised
Only use health records linkage systems if the person has provided or
expressed their consent.
Source: Fact Sheet, Health Privacy Principles for the Public,
Information and Privacy Commission NSW, May 2014
1 Information and Privacy Commission NSW, IPC Data Breach Policy,
November 2016, available at
https://www.ipc.nsw.gov.au/sites/default/files/2018-12/IPC_Data_Breach_Policy_Nov2016.pdf.
1 Privacy and Personal Information Protection Act 1998, s 45.
1 Information and Privacy Commission NSW, IPC Data Breach Policy,
available at
https://www.ipc.nsw.gov.au/sites/default/files/2018-12/IPC_Data_Breach_Policy_Nov2016.pdf.
2 https://www.ipc.nsw.gov.au/privacy/voluntary-data-breach-notification.
1 Office of the Australian Information Commissioner, Notifiable Data
Breaches Scheme 12-month Insights Report, p.4.
2 Ibid, p.24.
3 Ibid, p.4.
4 Australian Government Australian Cyber Security Centre, 2017 Threat
Report, p.22.
5 Ibid.
1 Information and Privacy Commission NSW, IPC Data Breach Guidance,
May 2018.
2 Australian Law Reform Commission, Report 108, For Your Information:
Australian Privacy Law and Practice, 2008, p.1169.
3 Australian Law Reform Commission, Report 108, For Your Information:
Australian Privacy Law and Practice, 2008, p.1169.
1 Australian Law Reform Commission, Report 108, For Your Information:
Australian Privacy Law and Practice, 2008, p.1168.
2 Turner, M., Towards A Rational Personal Data Breach Notification
Regime, Information Policy Institute, 2006, p.3.
3 Australian Cybercrime Online Reporting Network, Identity Theft,
available at
https://www.acorn.gov.au/learn-about-cybercrime/identity-theft.
1 The European Union General Data Protection Regulation 2016/679
commenced on 25 May 2018.
2 In the United States, all 50 US states and the District of Columbia
have implemented mandatory data breach notification laws. Federal laws
require notification in the case of breaches of healthcare
information, breaches of information from financial institutions,
breaches of telecom usage information, and breaches of government
agency information.
3 In Canada, mandatory data breach reporting requirements contained in
Division 1.1 of the Personal Information Protection and Electronic
Documents Act 2000 and related Regulations came into effect on 1
November 2018.
4 Privacy Bill 2018 (NZ).
5 Office of the Australian Information Commissioner, Australian
Community Attitudes to Privacy Survey, 2017, p. 16.
6 Ibid.
1 Office of the Australian Information Commissioner, Notifiable Data
Breaches Scheme 12-month insights report, 2019, p.4.
1 Privacy Act 1998 (Cth), s 26WL.
2 Ibid, s 26WK.
3 Ibid, ss 26WE, 26WF.
4 Ibid, s 6.
5 Office of the Australian Information Commissioner, Data breach
preparation and response – A guide to managing data breaches in
accordance with the Privacy Act 1988 (Cth), 2018, p 8.
6 Privacy and Personal Information Protection Act 1998, s 4.
7 Ibid.
8 Office of the Australian Information Commissioner, Data breach
preparation and response – A guide to managing data breaches in
accordance with the Privacy Act 1988 (Cth), 2018, p 8.
9 Australian Privacy Principle 5.
10 Australian Privacy Principle 10.
11 Australian Privacy Principle 13.
12 Australian Privacy Principle 12.
13 Office of the Australian Information Commissioner, Data breach
preparation and response – A guide to managing data breaches in
accordance with the Privacy Act 1988 (Cth), 2018.
14 Ibid, p.34.
15 Ibid.
16 Ibid.
17 Privacy Act 1988 (Cth), section 26WG.
18 Information and Privacy Commission NSW, IPC Data Breach Guidance,
May 2018.
19 https://www.ipc.nsw.gov.au/data-breach-guidance.
20 Personal Information Protection and Electronic Documents Act 2000,
Division 1.1.
21 Privacy Bill 2018 (NZ), cl 117A.
22 European Union General Data Protection Regulation 2016/679, Article
34.
23 Privacy Act 1988 (Cth), s 26WF.
24 Office of the Australian Information Commissioner, Data breach
preparation and response – A guide to managing data breaches in
accordance with the Privacy Act 1988 (Cth), 2018, p 37.
25 Ibid, p 38.
26 Ibid.
1 Privacy Act 1998 (Cth), s 26WK.
2 Ibid, s 26WL.
3 Privacy Act 1998 (Cth), s 26WL; Office of the Australian Information
Commissioner, Data breach preparation and response – A guide to
managing data breaches in accordance with the Privacy Act 1988 (Cth),
2018, p 51.
4 Information and Privacy Commission NSW, IPC Data Breach Policy, p 7.
5 Ibid, Appendix A.
1 Personal Information Protection and Electronic Documents Act 2000,
Division 1.1, 10.1(6).
2 Privacy Bill 2018 (NZ), cl 118.
3 European Union General Data Protection Regulation 2016/679, Article
33.
4 Privacy Act 1988 (Cth), s 26WH.
5 Ibid, s 26WK.
1 Privacy Act 1988 (Cth), s 13(4A).
2 Ibid, ss 33E, 52 and 98.
3 Ibid, s 13G.
4 Ibid; Regulatory Powers (Standard Provisions) Act 2014 (Cth), s 82.
5 Office of the Australian Information Commissioner, Data breach
preparation and response – A guide to managing data breaches in
accordance with the Privacy Act 1988 (Cth), 2018, p 59.
6 Privacy Bill 2018 (NZ), cl 122.
7 European Union General Data Protection Regulation 2016/679, Article
83.
8 Personal Information Protection and Electronic Documents Act 2000, s
28(b).
9 See, for example, European Union General Data Protection Regulation
2016/679, Article 58; Digital Privacy Act 2015 (Canada), s 17.
10 Privacy and Personal Information Protection Act 1998 (NSW), s 45.
11 Ibid, s 37.
12 Ibid, s 53.
13 Ibid, s 55.
14 Ibid.
1 Privacy Act 1988 (Cth), s 26WM.
2 Privacy Act 1988 (Cth), s 26WP.
3 Ibid, s 26WN.
4 Privacy and Personal Information Protection Act 1998, s 23.
5 Privacy and Personal Information Protection Act 1998, s 24.