New data breach notification laws come into effect on 22 February 2018. Most people already know the gist of it: If you become aware of a data breach, you have to determine if it's an “eligible data breach” (preferably within 30 days). If it is, you have to notify the Office of the Australian Information Commissioner (OAIC), and affected individuals.
How do you assess whether it's an eligible breach? Firstly, it depends on whether the data loss arose from unauthorised access, or from loss. At Bird & Bird we've developed flow charts to help with this assessment, but essentially you need to determine the type of information, the potential impact on individuals, the extent to which the information was protected, and the steps taken to minimise any harm to the individual.
These are questions to consider now if organisations want to be ready for the new regime.
As the 30-day assessment period will start as soon as you find out about the data breach, you need to be able to move fast. So map your personal information. Where do you store it — is it all in one place, in a number of different places, with a number of different service providers, is it outside Australia? How is it accessed — only internally, through mobile devices, through firewalls, passwords, encryption?
Then map your lines of communication. Who should employees/officers/service providers contact if they suspect a breach? And who is the assessment team — for example representatives from management, IT, customer service, and operations. You may need to get a PR firm or call centre involved if a large number of people are affected. If so, you'll be in a stronger position establishing relationships early, rather than scrambling when a breach has already occurred.
Identifying these will allow you to get policies and procedures in place, and educate everyone about them. So when a manager realises they left their device in a taxi/plane/restaurant, they know who to contact. That contact person, and the data breach team, should then be in a position to quickly assess what information may be at risk, what the potential impact may be on affected individuals, how the information was protected, and how to contain the breach. Does that list sound familiar? Like the information you need to determine whether there's been an eligible breach?
Keep in mind that a breach may not be an eligible breach if steps are taken so the loss or unauthorised access is unlikely to cause serious harm to the individual. As a result, strong data breach management processes can mean that, while a breach has occurred, it won't be notifiable under the legislation.
The most minimal privacy compliance sentence you find in an agreement is that each party must comply with all applicable laws. A more fulsome clause might mention that each party has to comply with the Australian Privacy Principles (APPs). However, the data breach obligations aren't in the APPs, and an obligation to comply with the Privacy Act won't necessarily help.
For example, if a number of different organisations are involved in the same breach, only one needs to notify the OAIC. So ask yourself — if you had an eligible breach, would you want someone else providing details about the breach to the OAIC? And contacting your customers? The answer is probably no, but the other organisation(s) involved in the data breach probably have the same response. How are you going to resolve this? Addressing this up front in a contract can avoid having to deal with it in the middle of a data breach.
Flows of personal information are no longer simple. Organisations that retain their own data are becoming less common, and external storage methods more standard. If you're the storage provider and you suffer a data breach, then you probably already have a contractual obligation to notify your customer. Your customer will need you to help assess whether it’s an eligible breach within 30 days - can you do that? What happens if you can't?
If you're the customer, how can you guarantee that the storage provider is going to be able to move quickly enough to meet the 30 day (preferred but not obligatory) deadline? Is the best way to ensure this through contractual obligations? If so, what are the consequences if they don't meet such obligations — just termination? And if it was a serious enough breach, can you terminate or suspend the contract and still get the supplier to cooperate with you?