
Mandatory reporting of privacy breaches in the public sector

With the ever-increasing collection and electronic retention of personal information across both the public and private sectors, it is hardly surprising that data security breaches are also becoming more common.

Many countries have already established legislative frameworks which require the mandatory reporting of data security breaches. Such laws require organisations to notify appropriate regulators, as well as affected persons or bodies, where there has been unauthorised access to, or disclosure of, personal information.

In Australia, there is currently no law requiring privacy breaches to be reported. While government bodies are bound by privacy principles relating to data security, under either Commonwealth or State-based privacy laws, there is no obligation to notify a regulator of a breach.

Recently, the Australian Government has proposed the introduction of a mandatory data breach notification scheme (Proposed Scheme) to be enacted into the Privacy Act 1988 (Cth) (Privacy Act).

In December 2015, the Attorney General released a draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth) for public comment. More than 40 submissions were received. In April 2016, the Government indicated it intended to introduce a version of the Bill into Parliament. However, this did not occur before Parliament was dissolved for the upcoming election.

The Proposed Scheme is as follows:

  • it applies to bodies subject to the Privacy Act, which includes Commonwealth government bodies.
  • it requires such bodies to notify the Office of the Australian Information Commissioner and affected individuals of serious data breaches.
  • notification must be provided ‘as soon as practicable’ upon becoming aware there are reasonable grounds to believe that there has been a serious data breach. A body has 30 days from becoming aware to carry out an assessment of whether there are reasonable grounds to believe a serious data breach has occurred.
  • serious data breaches involve the compromising of:
    • personal information
    • credit reporting information
    • credit eligibility
    • tax file number information
    which puts any individual to whom the information relates at ‘real risk of serious harm’.
  • there is a penalty for non-compliance (maximum $1.8 million).

The Proposed Scheme will only apply to information regulated under the Privacy Act. As such, it will not apply to State or Territory government departments and agencies or local councils.

Neither Victoria's nor New South Wales's privacy laws require mandatory reporting. However, the NSW Privacy Commissioner last year called for the Privacy and Personal Information Protection Act 1998 (NSW) to provide for mandatory notification of serious breaches of privacy by a public sector agency.

In Victoria, the former Privacy Commissioner released a Guide on Responding to Privacy Breaches (May 2008). The Guide identifies four key steps to consider when responding to a privacy breach or suspected breach:

  1. breach containment and preliminary assessment
  2. evaluation of the risks associated with the breach
  3. notification
  4. prevention.

The Guide states the decision on how to respond should be made on a case-by-case basis. The speed and adequacy of an organisation’s response to a serious privacy breach may significantly reduce the cost to the organisation later, both financially and from potential loss of reputation.

With respect to step (3) notification in particular, the Guide provides:

  • An assessment of the type of personal information involved will help an organisation determine how to respond to the breach, who should be informed (including the Privacy and Data Protection Commissioner) and what form of notification to the individuals affected, if any, is appropriate.

For example, if a laptop containing adequately encrypted information is stolen, subsequently recovered and investigations show that the information was not tampered with, notification to individuals may not be necessary.

  • Also of key relevance is what loss, damage or risk of harm to the individuals could result from the breach. An organisation should consider whether to seek advice from a specialist third party such as a health professional when assessing foreseeable harm to an individual.

Examples of harm include security risk (e.g. physical safety), identity theft, financial loss, loss of business or employment opportunities, and injury to an individual’s feelings, humiliation, damage to reputation or relationships.

  • If a privacy breach creates a risk of harm or loss to the individual, those affected should be notified. For example, third parties may be affected if they are required to cancel their credit cards or if organisations have to assign new unique identifiers or issue new forms of identity. Prompt notification to individuals in these cases can help them mitigate the damage by taking steps to protect themselves. The challenge is to determine when notice should be required. Each incident needs to be considered on a case-by-case basis to determine whether privacy breach notification is required. In some exceptional cases, notification may cause more harm than it would alleviate.

It seems inevitable that the Australian government, if not also its States and Territories, will soon implement mandatory reporting of serious data breaches. If this occurs, government bodies will be required to create new procedures for ensuring they can comply with any new reporting regime.

Even without such mandatory reporting regimes, government bodies should consider the potential impact that a data breach may have on third parties in determining what action should be taken, including notification of those third parties and the relevant regulator.


Authors
Melanie Olynk | Partner
Tel +61 3 9258 3691
melanie.olynk@maddocks.com.au
Erin Tucker | Lawyer
Tel +61 3 9258 3712
erin.tucker@maddocks.com.au
