Submissions and consultations

General

51.50 There continued to be strong support among stakeholders for the introduction of a requirement that data users notify individuals of a breach to their personal information where that breach may give rise to real harm to an individual.[84]

51.51 In particular, the OPC expressed strong support for the proposal. In its view, the more prescriptive and technology-specific approach taken in California is not appropriate to apply to the Privacy Act. The OPC also supported limiting the requirement to notify to circumstances where a breach is assessed as giving rise to a real potential for serious harm to an individual—on the basis that this higher threshold test would reduce the compliance burden on agencies and organisations. It agreed that the Privacy Commissioner should have the power to require notification where he or she believes that the unauthorised acquisition gives rise to a real risk of serious harm to any affected individual, even if the agency or organisation disagrees.[85]

51.52 A number of other stakeholders opposed the proposal. Telstra took the view that the proposed data breach notification requirement ‘fails to achieve the right balance between the competing policy interests in this area’.[86] The Australian Direct Marketing Association (ADMA) was concerned that the operation of this proposal, in conjunction with the introduction of a statutory cause of action for serious invasion of privacy,[87] could result in an organisation incriminating itself by making a data breach notification which could then be used as evidence of an invasion of privacy.[88]

51.53 Some stakeholders stated that there was no need for a data breach notification requirement. The Australian Bankers’ Association (ABA) noted that there is an express obligation under the Privacy Act to have in place adequate data security measures. It argued that this obligation, combined with the ALRC’s proposed new enforcement powers for the Privacy Commissioner,[89] will ensure that there are sufficient ‘commercial incentives’ for organisations to secure data, without a need for breach notification requirements.[90]

51.54 Other organisations did not support the introduction of mandatory notification of serious data security breaches on the basis that it would impose too great a burden on business.[91] The Australian Information Industry Association submitted that:

Coupled with the introduction of a statutory cause of action for invasion of privacy, a further additional burden on businesses is being suggested by the ALRC in the form of requiring notification of breach. Examples exist in overseas jurisdictions, such as the United States, where the requirements for notification make it difficult for any business to comply …[92]

51.55 Optus argued that businesses already deal with the issue of data breaches adequately. In its view:

there is little recognition by the ALRC that organisations have been facing the risk of data security breaches for many years and that this risk, along with the many other risks, is constantly being managed by Australian businesses. There currently exists an environment where businesses know that a security breach could significantly undermine an organisation’s or agency’s reputation. Further, organisations are currently assessing risks to the individual created by a data security breach and deciding to contact affected parties.[93]

51.56 Google Australia argued that voluntary guidelines were a better approach to the issue than mandatory notification requirements. In Google’s view:

the real risk arising from the implementation of data breach legislation is to trivialise notification obligations in the mind of consumers to such an extent that they become meaningless and ineffective in terms of real data protection. In fact, the potential damage to consumers of a blanket notification obligation could be twofold: on the one hand, it can create unjustified anxieties and on the other hand, it may result in a lack of proper attention to more serious incidents (for example, if consumers come to regard numerous ‘less serious’ data breach notification emails as a form of spam).[94]

Triggers for notification

51.57 A number of stakeholders supported the data breach notification proposal in principle, but sought greater clarity as to when the notification requirements would be triggered. For example, a large number of stakeholders expressed the view that guidance from the OPC on what would constitute ‘a real risk of serious harm’ would be required.[95] The ABA argued that any evaluation of a ‘real risk’ should be done in consultation with stakeholders, and that assessments of risk should be industry specific.[96]

51.58 The Cyberspace Law and Policy Centre suggested that, if the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual, then there is no reason to limit the requirement to notify to specified classes of information. In its view, ‘the likelihood of serious harm should be a sufficient trigger in itself’.[97] In contrast, Microsoft Asia Pacific (Microsoft) argued that any data breach notification obligation should apply only in respect of unencrypted sensitive financial information, as it is most likely to be access to this type of information that leads to identity fraud.[98]

51.59 Some stakeholders felt that the ALRC had not set the bar for notification high enough, arguing that it should be required only where the unauthorised acquisition is ‘likely’ to result in a real risk of serious harm to any affected individual, rather than where it ‘may give rise’ to a real risk.[99] ADMA was concerned that the proposal would result in production of so many data breach notifications ‘as to be both onerous for organisations and meaningless for consumers’.[100] The Insurance Council of Australia argued that only systemic breaches, as opposed to individual breaches, should be required to be reported.[101]

51.60 One stakeholder expressed the view that organisations will not always be in the position to know when information might be acquired by an ‘unauthorised person’ or if a particular person is in fact unauthorised.[102]

Role of the OPC

51.61 Some stakeholders questioned the proposed oversight role of the Privacy Commissioner.[103] Microsoft argued that the Commissioner’s role in the data breach notification context should be confined to assessing whether any of the exceptions to notification apply, and not in deciding if notification is necessary.[104]

51.62 One stakeholder argued:

The test should be whether an organisation or agency considers there to be such a risk. Otherwise, the test will have the effect of imposing a de facto obligation on organisations and agencies to notify the Privacy Commissioner of every data breach, however trivial. This is likely to impose significant and unnecessary costs on the organisations and agencies concerned and on the Privacy Commissioner. It is likely to take up Privacy Commissioner resources which could better be used for other purposes, such as education and complaint handling.[105]

Exceptions to notification

51.63 The Department of Defence submitted that examples should be given of when notification would not be in the public interest. It recommended that these examples include breaches of information relating to national security.[106] The Australian Federal Police (AFP) also submitted that further consideration needed to be given to defining situations where the risk of notifying individuals would outweigh the benefits. In the AFP’s view, this could include where an agency’s internal processes have dealt appropriately with the person or system responsible for the disclosure and the individual to which the personal information relates has not been affected by that disclosure.[107]

51.64 Microsoft was of the view that adequate encryption should be considered an example of a circumstance where there is no real risk of serious harm to affected individuals, rather than as an exception to the notification obligation.[108] The Cyberspace Law and Policy Centre agreed that the operation of the exceptions needed to be clarified.[109]

51.65 The Cyberspace Law and Policy Centre also submitted that the Privacy Commissioner’s power to determine that notification would not be in the public interest should be limited to substituting his or her view for that of the agency or organisation, or deferring notification until an investigation can be carried out.[110]

51.66 The Right to Know Coalition argued that there should be an exception for information supplied to a media organisation in circumstances which would be akin to a situation of qualified privilege under defamation law, or where the supply of the information was in the public interest.[111]

Form and content of notifications

51.67 The Law Council of Australia did not agree that organisations and agencies should include in a notice an assessment of the risk of identity fraud and the steps individuals can take to mitigate that risk. In its view, most organisations and agencies would be unqualified to advise on such matters and, therefore, the advice would not necessarily benefit individuals. It argued that the most appropriate entity to advise on steps to avoid identity fraud would be the OPC, which could publish guidelines on a website.[112] The Australian Unity Group agreed that such a requirement implies both an element of expertise by an organisation in the area of identity fraud and an assumption of a duty of care in protecting the individual from identity theft.[113]

51.68 Chartered Secretaries Australia submitted that more specificity was required as to the permitted means of notifying affected individuals of a breach. It noted that a public advertisement may be the most practical, or only, way of notifying certain individuals.[114]

Penalties

51.69 The Australian Taxation Office (ATO) expressed concern about the circumstances in which a civil penalty could be imposed for a failure to notify. It noted that, in cases where an employee had gained access to information inappropriately, there may be some time between when the act took place and the agency becoming aware of the breach. The ATO did not believe an agency should suffer a penalty because notification did not occur quickly.[115] Telstra did not support the availability of a civil penalty for a failure to notify the Privacy Commissioner of a data breach.[116]

Other comments

51.70 A number of organisations argued that the data breach notification schemes should be aligned with other reporting requirements, such as those imposed by the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA).[117]

51.71 The Cyberspace Law and Policy Centre submitted that the data breach notification provisions should be included in the model UPPs.[118]

51.72 Microsoft submitted that the obligation to notify should apply only to residents of Australia. It argued that if the breach notification obligation applied more broadly, then organisations that do business in multiple jurisdictions are likely to be faced with inconsistent data breach notification obligations that cannot be reconciled.[119]

[84] Unisys, Submission PR 569, 12 February 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007; Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Australia Post, Submission PR 445, 10 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; S Hawkins, Submission PR 382, 6 December 2007; Australian Unity Group, Submission PR 381, 6 December 2007.

[85] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[86] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[87] See Ch 74.

[88] Australian Direct Marketing Association, Submission PR 543, 21 December 2007. This view was supported by Acxiom Australia, Submission PR 551, 1 January 2008.

[89] See Ch 50.

[90] See Ch 28.

[91] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; BPay, Submission PR 566, 31 January 2008; Investment and Financial Services Association, Submission PR 538, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; BUPA Australia Health, Submission PR 455, 7 December 2007. In relation to agencies, this view was shared by the Victoria Police: Victoria Police, Submission PR 523, 21 December 2007.

[92] Australian Information Industry Association, Submission PR 410, 7 December 2007. This view was shared by IBM Australia, Submission PR 405, 7 December 2007.

[93] Optus, Submission PR 532, 21 December 2007.

[94] Google Australia, Submission PR 539, 21 December 2007. The ABA also submitted that voluntary protocols would be a better alternative approach than mandatory notification requirements: Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[95] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Confidential, Submission PR 519, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007; Australia Post, Submission PR 445, 10 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Chartered Secretaries Australia, Submission PR 351, 28 November 2007. AXA noted that the introduction of a ‘materiality’ test (ie, where the material has an adverse effect on investors’ interests) for reporting under the Superannuation Industry (Supervision) Act 1993 (Cth) had been important: AXA, Submission PR 442, 10 December 2007.

[96] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[97] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. This view was shared by Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[98] Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[99] BPay, Submission PR 566, 31 January 2008; Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[100] Australian Direct Marketing Association, Submission PR 543, 21 December 2007. This view was supported by Acxiom Australia, Submission PR 551, 1 January 2008.

[101] Insurance Council of Australia, Submission PR 485, 18 December 2007.

[102] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007.

[103] For example, Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[104] Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[105] Confidential, Submission PR 536, 21 December 2007.

[106] Australian Government Department of Defence, Submission PR 440, 10 December 2007.

[107] Australian Federal Police, Submission PR 545, 24 December 2007.

[108] Microsoft Asia Pacific, Submission PR 463, 12 December 2007. This view was shared by other stakeholders: see, eg, Confidential, Submission PR 536, 21 December 2007.

[109] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[110] Ibid.

[111] Right to Know Coalition, Submission PR 542, 21 December 2007.

[112] Law Council of Australia, Submission PR 527, 21 December 2007. This view was shared by another stakeholder: Confidential, Submission PR 536, 21 December 2007.

[113] Australian Unity Group, Submission PR 381, 6 December 2007.

[114] Chartered Secretaries Australia, Submission PR 351, 28 November 2007.

[115] Australian Taxation Office, Submission PR 515, 21 December 2007.

[116] Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[117] Investment and Financial Services Association, Submission PR 538, 21 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007.

[118] The ALRC does not agree with this approach, on the basis that the notification requirements are not high-level principles: this is discussed further in Ch 28.

[119] Microsoft Asia Pacific, Submission PR 463, 12 December 2007.