Data breaches revealed by Z Energy and Ticketmaster in the past few days have provided a salient reminder that they can affect any of us at any time. Unfortunately, disclosures of privacy breaches are often belated, depriving individuals of the chance to take any steps such as password changes to try to reduce harm.

As a result of the increasing number of data breaches over the past months and years, the Government recently introduced a new Bill to Parliament to replace the existing Privacy Act with one more suited to our digital world.

The core elements of the Privacy Bill are the same as the Act it is designed to replace. It retains the twelve information privacy principles, which protect people's privacy by governing the collection, storage, and use of personal information, while also providing for legitimate use of information by government, businesses, and other organisations. However, these information privacy principles are updated in the Bill to better protect personal information sent overseas.

The Privacy Bill also retains the role of the Privacy Commissioner, and the system for making a complaint to the Commissioner if there has been a breach of privacy. In addition, the Privacy Commissioner is being given new powers, allowing the Commissioner to make binding decisions on complaints about access to information, and to issue compliance notices to those who are in breach of the legislation.

A key addition to the Privacy Bill is a requirement for any entity which handles personal information to notify the Privacy Commissioner and any affected individuals of any unauthorised access to or disclosure of personal information, where the access or disclosure poses a risk of harm. For this purpose, harm is something that:

  • has caused, or may cause, loss, detriment, damage, or injury to an individual;
  • has adversely affected, or may adversely affect, the rights, benefits, privileges, obligations, or interests of an individual; or
  • has resulted in, or may result in, significant humiliation, significant loss of dignity, or significant injury to the feelings of the individual.

This key change will ensure that the correct entities are aware of the data breach. Z Energy has commented that although it did not disclose the breach to customers, it did take advice from experts and government agencies. However, it also did not disclose the breach to the Privacy Commissioner.

Under the new Bill, the notification of a breach to the Privacy Commissioner must:

  • occur as soon as practicable after becoming aware that the breach has occurred;
  • describe the breach, including the number of people affected (if known), and the identity of any person or body suspected of being in possession of the personal information;
  • set out the steps already taken or that are intended to be taken in respect of the breach, including in relation to the notification to affected people;
  • if the intention is to not personally notify affected people, provide the reasons for either notifying by way of public notice or for relying on an exception to the requirement to notify; and
  • provide details of any other agency advised of the privacy breach (which would include lawyers, insurers, IT technicians, and the Police).

Failure to notify the Privacy Commissioner of a breach can result in a fine of up to $10,000, regardless of whether steps have been taken to address the breach.

The notification of a breach to an affected individual must:

  • occur as soon as practicable after becoming aware that the breach has occurred;
  • describe the breach, and state whether the identity of the person or body suspected of being in possession of the personal information is known, but must not disclose the identity;
  • set out the steps already taken or that are intended to be taken in respect of the breach;
  • set out any steps the affected individual may wish to take to mitigate or avoid potential loss or harm;
  • advise the individual that the Privacy Commissioner has been notified of the breach, and that the individual may make a complaint about the breach to the Commissioner; and
  • not disclose any details about any other person affected by the breach.

Anyone who holds personal information should consider setting up notification processes before they actually experience a breach, so that they can respond to a breach in a timely way.

The penalty provisions for breaching the Act are also being expanded. The maximum fine will increase from $2,000 to $10,000, and is available for a wider range of offences, including:

  • obstructing, hindering or resisting the Commissioner or any other person exercising powers under the Act;
  • refusing or failing to comply with any lawful requirement of the Commissioner or any other person exercising powers under the Act;
  • making a false or misleading statement or providing false or misleading information to the Commissioner;
  • a person impersonating or falsely pretending to be another individual for the purpose of obtaining access to that individual's personal information or having that personal information used, altered or destroyed; or
  • destroying any document containing personal information knowing that a request had been made in respect of that information.

The Privacy Commissioner had been requesting the inclusion of an ability to impose a fine within the options available to the Commissioner when dealing with a complaint. While this has not been included in the Bill at this stage, that could change as the Bill progresses through the select committee. Submissions on the Bill have already closed, and the select committee is due to report back to Parliament in October 2018.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.