Privacy Breach Notification: Are you ready?
Michael Grosser, Grosser Legal
Outline
• Overview of 2014 amendments to the Privacy Act
• Mandatory data breach notification: what is it, when does it start and what does it mean for you
• Steps to get ready for the new regime – audit your processes and prepare a data breach response plan
Michael Grosser, Grosser Legal, November 2017
Australia’s Privacy Laws
• Commonwealth - Privacy Act 1988 (Cth)
• Australian Privacy Principles
• State - Information Privacy Act 2009 (Qld)
• Privacy Codes – Australian Government Agencies Code 2017
2014 Amendments
• Australian Privacy Principles (APPs)
• 13 principles
• Replaced previous IPPs and NPPs
• Enhanced Office of the Australian Information Commissioner (OAIC) powers
• Changes to credit reporting laws
• Privacy Codes of Practice
• APP codes
• Credit Reporting code
Privacy Basics
• Personal information must be managed in an open and transparent manner
• Privacy Policy must be clear and explain what entity will do with personal information
• Describe what information is collected, what will be done with it, whether it may be disclosed offshore, how to access and correct personal information and how to make a complaint
• Privacy Notices at time of collection
Privacy Notice
• Provide at time of collection
• Notice must identify the entity collecting personal information and how to contact entity
• Consequences of not providing personal information
• To whom the entity is likely to give personal information
• Whether entity will disclose overseas
Australian Privacy Principles
APP 1 – Open and transparent management of personal information
APP 2 – Anonymity & pseudonymity
APP 3 – Collection of solicited personal information
APP 4 – Dealing with unsolicited personal information
APP 5 – Notification of the collection of personal information
APP 6 – Use or disclosure of personal information
APP 7 – Direct marketing
APP 8 – Cross-border disclosure of personal information
APP 9 – Government related identifiers
APP 10 – Quality of personal information
APP 11 – Security of personal information
APP 12 – Access to personal information
APP 13 – Correction of personal information
Life cycle of personal information
• Consider & Manage – APP 1, 2
• Collection – APP 3, 4, 5
• Use & Disclosure – APP 6, 7, 8, 9
• Quality & Security – APP 10, 11
• Access & Correction – APP 12, 13
Drivers for change
• ALRC Reform
• Consistency with terms used in State, Territory and Commonwealth legislation
• Reflects the international approach to privacy (EU-US Privacy Shield)
• To keep in step with technological change
• Afford greater protection to individuals
• Impose significant penalties for breach
• Align to community expectations
Data Breaches
• Obligations to have reasonable security safeguards and take reasonable steps to protect personal information
• Protection from misuse, interference, loss, unauthorised access, modification or disclosure
• Reasonable steps may include preparing and implementing a data breach policy and response plan
• Data breaches may arise from external or internal actions or omissions
Mandatory Data Breach Notification
• Privacy Amendment (Notifiable Data Breaches) Act 2017
• NDB scheme requires organisations covered by the Privacy Act to notify any individuals likely to be at risk of serious harm by a data breach
• Must provide recommended steps that individuals should take
• The Australian Information Commissioner must also be notified
What is a Notifiable Data Breach?
• If there is a real risk of serious harm resulting from a data breach, individuals and OAIC must be notified
• A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure
• The NDB scheme will commence on 22 February 2018 and applies to eligible data breaches that occur on, or after, that date
Eligible Data Breach
• Objective assessment, determined from the viewpoint of a reasonable person in the entity’s position
• An eligible data breach arises when the following three criteria are satisfied:
1. unauthorised access to or unauthorised disclosure or loss of personal information held by an entity
2. likely to result in serious harm to one or more individuals, and
3. the entity has not been able to prevent the likely risk of serious harm with remedial action.
Step 1 Has there been a data breach?
• Unauthorised access – personal information is accessed by someone who is not permitted to have access (e.g. employee, contractor, hacker)
• Unauthorised disclosure – personal information is accessible or visible to others outside the entity, and information is released from its effective control
• Loss – accidental or inadvertent loss of personal information held by an entity, in circumstances where it is likely to result in unauthorised access or disclosure
Step 2 Is serious harm likely?
• Would a reasonable person consider the data breach would result in serious harm to an individual whose personal information was breached?
• reasonable person means a person in the entity’s position (not the individual whose personal information was breached), who is properly informed, based on information available or following reasonable inquiries or an assessment of the data breach.
• reasonable can be influenced by relevant standards and practices.
Step 2 Is serious harm likely?
• likely to occur - on the balance of probabilities
• A data breach that involves the loss of personal information of a large number of individuals is likely to result in serious harm to at least one of those individuals
• serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm
• Use relevant matters to assess whether a breach is likely to result in serious harm
Step 2 Is serious harm likely?
Relevant matters
• the kind or kinds of information
• the sensitivity of the information
• whether the information is protected by security measures and the likelihood of overcoming security measures
• the persons, or the kinds of persons, who have or could obtain the information
• whether a security technology was used and made information unintelligible
• the likelihood that the security technology could be circumvented
• the nature of the harm
• any other relevant matters
Step 2 Is serious harm likely?
Types of information
• sensitive information, such as information about an individual’s health
• documents commonly used for identity fraud (e.g. Medicare card, driver licence, and passport details)
• financial information
• a combination of personal information (rather than a single piece of personal information)
Step 2 Is serious harm likely?
Circumstances of the breach
• Whose personal information was involved in the breach?
• How many individuals were involved?
• Do the circumstances of the data breach affect the sensitivity of the personal information?
• Is the personal information adequately encrypted, anonymised, or otherwise not easily accessible?
• What parties have gained or may gain unauthorised access to the personal information?
Step 2 Is serious harm likely?
Nature of the harm
• identity theft
• significant financial loss
• threats to physical safety
• loss of business or employment opportunities
• humiliation, reputational damage or relationship harm
• workplace or social bullying or marginalisation
Likelihood of the harm occurring
Consequences for individuals
Step 3 Can remedial action be taken?
• Positive steps in a timely manner may avoid the need to notify
• If likelihood of serious harm is prevented, then the breach is not an eligible data breach
• Remedial action is adequate if it prevents the unauthorised access or disclosure of personal information
• If the remedial action prevents the likelihood of serious harm to some individuals within a larger group of individuals, notification to those individuals for whom harm has been prevented is not required
Notification
• You must provide a statement to the Commissioner, and notify individuals at risk of serious harm of the contents of the statement
• Prompt decision as to who needs to be notified
• Three options:
1. Notify all individuals
2. Notify those individuals at risk of serious harm
3. Publish notification (only if 1 or 2 are not practicable)
• No prescribed method – can use usual methods of contact
Notification Statement
The statement must include certain information:
• identity and contact details of the entity
• description of the eligible data breach that the entity has reasonable grounds to believe has happened
• kind/s of information concerned
• recommendations about the steps that individuals should take in response to the data breach
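The three-step eligible data breach assessment (Steps 1 to 3 above) and the four elements of the notification statement, modelled as a decision-support script. This is an added example, not part of the presentation: the BreachRecord fields, the LARGE_GROUP threshold, the high-risk information labels, the contact placeholder and the sample incident are all constructed assumptions, and the script records the assessment rather than replacing the reasonable-person judgement the slides describe.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical threshold for "a large number of individuals" (the slides give no figure).
LARGE_GROUP = 1000

# Kinds of information the slides single out as high risk (constructed labels).
HIGH_RISK_KINDS = {"health", "medicare card", "driver licence", "passport", "financial"}


@dataclass
class BreachRecord:
    """Facts gathered in the preliminary assessment (constructed field names)."""
    entity: str
    contact: str
    description: str
    kinds_of_information: List[str]
    individuals: List[str]                       # affected individuals (constructed IDs)
    unauthorised_access: bool = False
    unauthorised_disclosure: bool = False
    lost: bool = False
    loss_likely_to_lead_to_access: bool = False
    unintelligible_by_security_technology: bool = False   # e.g. strong encryption
    circumvention_likely: bool = False
    harm_prevented_for: List[str] = field(default_factory=list)  # by remedial action
    individual_contact_practicable: bool = True
    recommended_steps: List[str] = field(default_factory=list)


def step1_is_data_breach(r: BreachRecord) -> bool:
    """Step 1: unauthorised access or disclosure, or a loss likely to lead to either."""
    return (r.unauthorised_access or r.unauthorised_disclosure
            or (r.lost and r.loss_likely_to_lead_to_access))


def step2_serious_harm_likely(r: BreachRecord) -> bool:
    """Step 2: reasonable-person assessment using the slides' relevant matters."""
    # Security technology that keeps the information unintelligible and is unlikely
    # to be circumvented weighs decisively against serious harm.
    if r.unintelligible_by_security_technology and not r.circumvention_likely:
        return False
    sensitive = any(k.lower() in HIGH_RISK_KINDS for k in r.kinds_of_information)
    combination = len(r.kinds_of_information) > 1      # combined data is riskier
    large_group = len(r.individuals) >= LARGE_GROUP    # harm likely for at least one
    return sensitive or combination or large_group


def step3_individuals_still_at_risk(r: BreachRecord) -> List[str]:
    """Step 3: remedial action removes those for whom likely serious harm was prevented."""
    prevented = set(r.harm_prevented_for)
    return [i for i in r.individuals if i not in prevented]


def assess(r: BreachRecord) -> Tuple[bool, List[str], Optional[str]]:
    """Return (eligible data breach?, individuals to notify, notification option)."""
    if not step1_is_data_breach(r) or not step2_serious_harm_likely(r):
        return False, [], None
    at_risk = step3_individuals_still_at_risk(r)
    if not at_risk:
        return False, [], None          # remedial action prevented the likely harm
    option = ("notify individuals at risk of serious harm"
              if r.individual_contact_practicable else "publish notification")
    return True, at_risk, option


def notification_statement(r: BreachRecord) -> dict:
    """The four elements the statement to the Commissioner must contain."""
    return {
        "entity_identity_and_contact": f"{r.entity} ({r.contact})",
        "breach_description": r.description,
        "kinds_of_information": list(r.kinds_of_information),
        "recommended_steps": list(r.recommended_steps),
    }


# Constructed sample incident: a shared-folder link exposed four clients' files;
# access logs show only two files were downloaded before the link was revoked,
# so remedial action prevented likely harm for the other two clients.
SAMPLE = BreachRecord(
    entity="Example Pty Ltd",
    contact="privacy@example.com (placeholder)",
    description="Public sharing link exposed client onboarding files for four clients",
    kinds_of_information=["passport", "financial"],
    individuals=["C-001", "C-002", "C-003", "C-004"],
    unauthorised_disclosure=True,
    harm_prevented_for=["C-001", "C-002"],
    recommended_steps=["Contact your bank", "Consider replacing your passport"],
)

if __name__ == "__main__":
    eligible, to_notify, option = assess(SAMPLE)
    print(eligible, to_notify, option)
    print(notification_statement(SAMPLE))
```

The only shortcut that ends the assessment as "no serious harm" is the one the slides state directly: information made unintelligible by a security technology that is unlikely to be circumvented. Every other relevant matter pushes towards notifying, and the harm_prevented_for list models the Step 3 rule that individuals for whom remedial action has already prevented the likely harm need not be notified, while the rest still must be.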
Data Breach Response Plan
• Fast response may limit serious harm
• Cost of a data breach may be substantial
• Clear roles and responsibilities
• Review and test your response plan
• Plan should cover:
• How to assess, manage and control data breaches (including communications)
• What is a data breach (tailored to your activities)
• Governance and reporting
• Recording notifiable and non-notifiable data breaches
• Post-breach review and root cause analysis
Data Breach Response: Response Team Actions
Four steps:
1. Contain the breach and do a preliminary assessment
2. Evaluate the risks associated with the breach
3. Notification
4. Prevent future breaches
Preventing a breach
• Have tools in place to prevent a breach of personal information:
• Privacy policy
• Privacy by design
• Procedures and processes for handling personal information
• Preventative countermeasures (firewalls, access controls, network segmentation, anti-malware, encryption, security controls, remote access with authentication, mobile device security and controls, penetration testing, physical security)
• Data Breach Response Plan
• Training of personnel
What are the issues for practitioners?
• Are you subject to the Privacy Act?
• Do you have to comply with the Privacy Act?
• What constitutes personal information?
• What are the basic requirements to comply?
• What things might go wrong?
• What are your high risk activities?
• Are you prepared in the event of a data breach?
• How do I get more help?
Sources
• Privacy Act 1988 (Cth)
• Office of the Australian Information Commissioner: www.oaic.gov.au
More information
• Webinars provided by OAIC
• OAIC fact sheets and guides
Contact Michael Grosser:
E [email protected]
grosser.legal
P 0414 233 344