New privacy laws and compulsory data breach reporting obligations have been introduced. What do they mean for your facility?
On 22 February 2018 amendments to the Privacy Act came into force across Australia. The amendments impose mandatory investigation and notification obligations on various “organisations” (hereafter organisation), namely:
- businesses with a greater than $3 million annual turnover,
- health service providers, or
- those trading in personal information.
Many members will therefore need to comply with these new requirements.
What do the new amendments do?
The amendments to the Privacy Act require notification of certain “eligible data breaches” (see below for definition). Where there are “reasonable grounds” to believe there has been an eligible data breach the organisation must, within 30 days of when they first become aware of the suspected breach, undertake a reasonable and expeditious assessment of the potential breach. When it is determined that an eligible data breach has occurred, the data holder is required to report the breach to the Office of the Australian Information Commissioner and the persons at risk of serious harm from the breach (ie. the persons whose information has been lost, released, obtained, etc.).
Failure to comply, either by not investigating or not reporting, may result in civil penalty orders of up to $360,000 in the case of an individual and $1.8 million for a company. Complaints about a suspected breach can be taken directly to the Commissioner by an individual.
What is an “eligible data breach”?
An eligible data breach is considered:
- any unauthorised disclosure of or access to personal information, or
- loss of information in circumstances likely to lead to unauthorised disclosure of or access to personal information,
where a reasonable person would conclude there is a likely risk of serious harm to the individual/s arising from the disclosure or access.
Data breaches are not limited to malicious or malevolent attacks, such as a cyber attack in which customers’ details are stolen or copied. They also extend to erroneous or non-intentional behaviour and activities, such as a staff member accidentally providing information, which is in effect a data breach. The accepted scope of the term “data breach” is very broad and is likely to apply to any loss, use, misuse, modification or disclosure of, or interference with, personal information without prior authorisation. Practical examples of a data breach might include:
- a staff member takes a USB home containing all the financial information about your storers and loses that USB;
- a storage account is sent to the wrong storer;
- reading a storer’s email or text requests for an extension of time to pay in a public place where others may be able to see the information (including using non-secure wireless connections);
- leaving completed storage agreements out on the counter where the public might be able to read the details recorded;
- allowing staff members to access information not relevant to their employment position, such as allowing the grounds maintenance employee access to storers’ payment records;
- a breach of any cloud-based storage of storers’ information (including email, accounts records (ie. Xero) or software management data (ie. StorMan and SiteLink)).
What is considered personal information is very broad. It includes very clear examples, such as “sensitive information” (information or opinions about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record), health information, credit information, employee record information and tax file number information.
However, the definition also captures wide and varying information such as telecommunications metadata (who called whom, when and from where, for example), information that identifies a person or even identifies aspects of a person’s private life, work habits or family life — this might include a person’s home address, marital status, and family size, for example.
The breach must be “likely” to cause “serious harm”
The test here is the reasonable person test. Would a reasonable person conclude that the breach will cause serious harm? Harm is not defined within the amendments but is taken to include physical, psychological, emotional, economic and financial harm.
In assessing whether harm is “serious”, factors for consideration include the nature of the information, whether information was encrypted and the strength of that encryption, and the nature of the harm likely to arise.
Hence, providing a storage fee payment receipt to a storer’s violent ex-boyfriend, where that receipt contains the storer’s new address, might result in serious psychological or even physical harm for the storer. Or calling a storer’s workplace and advising the person who answers that the storer is overdue might be considered seriously psychologically or even potentially economically harmful.
A breach must be unauthorised. Hence, when the storer has provided you with the name and contact details of an Alternate Contact Person (ACP), it is not a breach to disclose to that person that the storer is in arrears. The SSAA’s Privacy Documents set out in detail that various information will be disclosed to the ACP, including the nature and extent of arrears. On the other hand, as raised above, disclosing that the storer is in arrears to their employer is not an authorised disclosure. Taking immediate remedial action to avoid serious harm when a breach is identified may also allow the organisation to avoid the need for notification. This might include the case where the storer’s account is accidentally sent to the wrong email address and the recipient is immediately contacted by the facility and agrees to destroy the email without opening or reading it.
How does this impact on selling up?
It is likely that this legislation will have an impact on the method and practicalities of selling up. The SSAA has consistently advised members NOT to offer for sale items of a sensitive or personal nature. Obvious examples here include medical and financial records, passports and so forth. Although the agreement includes terms authorising the facility to sell or dispose of any items within the space upon default, we are yet to see how these clauses will interplay with the amendments to the Privacy Act. At a minimum, members are again urged to ensure any boxes, bags or other enclosed items that are offered for sale are first sorted through to ensure they do not contain personal or sensitive items. This is particularly important when the items contain personal information belonging to a third party who is not the storer, such as when an accountant or doctor is storing files with you.
What should I do?
Members are encouraged to ensure they are using up to date Privacy Documents as issued by the SSAA.
It would be sensible for members to draft a Data Breach Response Plan. How will you handle a breach? Who will investigate? Are your staff aware of what is considered a reportable breach?
Members are also encouraged to ensure they use legitimate and reputable service providers when storing any data in the cloud — remember, it is your obligation to ensure that offshore providers are handling private information in accordance with the Privacy Act.
Where can I get more information?
The Office of the Australian Information Commissioner (OAIC) offers excellent guidelines and provides detailed information on many aspects of privacy law. See the website https://www.oaic.gov.au under: Agencies and organisations > Guides
What is the New Zealand position?
New Zealand privacy law does not currently have mandatory reporting requirements and is not affected by these changes to Australian law.
However, the New Zealand government is proposing to update the NZ Privacy Act 1993 on the back of recommendations made by the NZ Privacy Commissioner in his recent review of the current legislation. The reform proposals include stronger powers for the Privacy Commissioner, mandatory reporting of privacy breaches, new offenses, and increased fines.
The reform should bring NZ data protection legislation into line with new international legal frameworks such as the European Union’s General Data Protection Regulation.
The NZ Ministry of Justice, which is responsible for the proposed legislation, indicated that a Bill amending the current Act was likely to be introduced to Parliament in 2017 but it appears now that this will happen in 2018.