What does the restaurant booking you just made, your tenancy application, and the latest app for your customers all have in common? Personal information and privacy.
Privacy and data breaches are hot topics here and overseas.
On 8 July 2019, the UK Information Commissioner announced its intention to fine British Airways a record £183.39 million (or A$329million) for a serious data breach under the EU General Data Protection Regulation (GDPR), where details of passengers’ credit cards, travel details and other personal information were stolen by use of a fraudulent website imitating the British Airways website. The UK Information Commission said a variety of information was compromised by poor security arrangements at the company.
So far, while fines of this magnitude have yet to be levied in Australia (the highest damages awarded being $60,000) there are proposals to increase the fines to align with those under the GDPR; see Future Developments below.
Moreover, the Office of the Information Commissioner (OAIC) now has an expanded role under the Notifiable Data Breach (NDB) scheme, which mirrors the mandatory data breach reporting requirements under the GDPR. The NDB scheme is over one year old. In the first 12 months, 964 data breaches were reported, many caused by human error.
Prior to the NDB scheme businesses were not required to report when personal information was lost or stolen. Given the value of this information, the introduction of the scheme was long overdue in order to incentivise businesses to take privacy seriously and protect individuals.
Although a year has passed, many businesses are unprepared, and worse, many are yet to properly consider their privacy and data protection obligations. Sound familiar?
Privacy and Data Protection Framework
For most people, ‘privacy’ is any information about them as an individual; but ‘what is private’, and what is subject to privacy laws, can be different.
When we speak of privacy or data protection, we are usually referring to the rights and protections an individual has under the Privacy Act 1988 (Cth) (Act). The Act covers all individuals in Australia and how their personal information is treated by government, companies, sole traders and associations including large charities. The Act also deals with the protection of an individual’s credit information which will be the subject of a separate article.
The Act includes 13 Australian Privacy Principles (APP). These govern how personal information is collected, held and used; disclosed; requirements for sending information overseas; and information security. There are additional requirements for ‘sensitive information’ (health data, race, religion, sexual preferences, etc) and for Government Identifiers (e.g. Medicare or Tax File Numbers).
Small businesses with less than $3m in annual turnover and individuals are exempt from the Act, but they can still suffer a loss of goodwill or reputational damage due to a disregard for privacy.
Personal Information – the Heart of Privacy
‘Personal information’ is a key concept for privacy and data protection, defined as:
…information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.
This includes a person’s name, signature, addresses, contact number, date of birth or bank account details.
If your business is not exempt, then it must have a privacy policy. This policy must set out how you handle personal information, be clearly expressed, be up-to-date, and contain seven key pieces of information reflecting the APPs. The policy must also set out the kinds of personal information, and how this information will be collected and held.
A core feature of the APPs is fully informed consent. Several of the APPs require consent to either allow or prohibit personal information to be used in a particular way.
Valid consent requires that the consent be current and specific. The individual giving consent must be:
- adequately informed beforehand;
- doing so voluntarily; and
- able to understand and communicate their consent.
If you have invalidly obtained consent and disclosed an individual’s personal information to a third party, you may have a Notifiable Data Breach.
What about Notifiable Data Breaches?
The NDB scheme requires entities to report data breaches. A breach occurs any time personal information is lost, inappropriately disclosed, or accessed by an unauthorised source. This includes if you lose the data (leaving a USB of customer data on the bus), the data is incorrectly disclosed (misfiring an email containing personal information), or your systems are breached by a third party.
If you suspect a breach has occurred, you must determine:
- How the breach occurred;
- what personal information, if any, has been accessed or disclosed;
- whether the breach is likely to result in serious harm; and
- whether this risk can be remedied.
If serious harm is likely and the breach cannot be remedied, the OAIC and the affected individual must be notified. ‘Serious harm’ is a wide-ranging concept and includes the risk of identity theft, financial loss, reputation damage, humiliation, damage to relationships and so on.
Failing to report a breach attracts significant penalties, but there is no penalty for the breach itself.
Why does Privacy Matter?
Serious or repeated privacy interferences can result in significant penalties. The OAIC can impose penalties of up to $420,000 per breach. This does not include any reputational loss you might suffer.
An investigation by OAIC may result in the Information Commissioner requiring an enforceable undertaking, making a determination, seeking an injunction, applying to a Court for a civil penalty, or compelling an entity to make a notification under the NDB scheme.
The OAIC takes a dim view of interferences of privacy which demonstrate that an entity is not taking its privacy obligations seriously. For this reason alone, privacy should be a prime consideration in any business risk assessment.
Can an Individual Sue for a Data Breach or a Privacy Interference?
An individual may complain to the OAIC about an interference with an individual’s privacy (including a data breach) but cannot sue under the Act for a breach of their privacy. The OAIC may choose to investigate a complaint or a privacy matter of its own volition.
Complaints to the OAIC are dealt with by confidential conciliation, with the OAIC acting as an independent conciliator, and as such the outcomes are not made public. However, the outcomes agreed between the individual and the organisation have included: an apology, changes to a respondent’s practices or procedures, compensation for any loss (such as a payment of money or a waiver of fees), or other non-financial options such as the provision of a free service from the organisation. These outcomes can be notional, but they can also be costly for organisations if many individuals are affected or significant changes to the organisation’s business practice are required.
Unfortunately for individuals, Australian Courts are yet to recognise a tort of privacy, and several judgments have suggested such a tort is unlikely to be recognised by the Courts without new legislation (see Kalaba v Commonwealth of Australia (per Heerey J); Chan v Sellwood (Per Davies J); Sands v State of SA (per Kelly J).
Aside from the OAIC complaint process, individuals have limited legal remedies available.
Traditional torts such as trespass to property, negligence and the equitable remedy of breach of confidence are available, but these torts operate in specific circumstances (for example to prevent photos or video recorded on private property being disseminated) and were developed before the digital information sharing era. Negligence is a logical choice for individuals, but difficulty arises in showing a causal link between the act and the damage or loss caused. These torts do little to assist an affected individual with the disclosure of their personal information via information systems.
Practical Effect of the NDB Scheme
Two new features of the NDB scheme will assist an individual wishing to bring a claim against an entity, these being:
- Notice – now that an individual must be notified of a breach, they can seek advice on their options and consider remedial action (this could be legal, or it could be simple safeguards such as changing passwords); and
- A paper trail – the assessment undertaken prior to giving notice is likely to be of interest in any legal proceedings. Affected individuals may seek to subpoena this information if they believe it would support their claims in Court.
In any complaint or legal proceedings, damage would still need to be proven, but the combination of notice and a new source of evidence may mean affected individuals have an easier time in supporting such claims.
Class Actions
Where several individuals have been wronged, they might consider joining a class action. The problem for privacy-based class actions in Australia is that there must be a cause of action to ground the class action. As there is no tort of privacy or ability for an individual to sue under the Privacy Act, a class action would need to rely on a traditional tort or a breach of other legislation to ground such action.
However, the Privacy Act does allow for individuals to band together to make a ‘representative complaint’ to the OAIC. A representative complaint is essentially where multiple individuals have suffered the same privacy breach and seek the same outcome as a group – similar to a class action.
In the USA and other countries, class actions for data breaches are quite popular (see the Yahoo Data breach and class action) due in part to the different actions available to individuals, and different rules governing class actions in those countries.
In Australia, Centennial Lawyers filed a class action against the NSW Ambulance Service on behalf of staff whose personal information was sold by a third party contractor. Centennial Lawyers is also exploring the possibility of a class action against recruitment and development platform PageUp regarding the well-publicised breach of its systems and the disclosure of information to a third party (rumoured to be a foreign State actor and perhaps prompting this statement by the Australian Signals Directorate).
The NSW Ambulance case is of particular interest in that Centennial is attempting to ground the class action claim on among other grounds tort of invasion of privacy. If they are successful in establishing a tort of an invasion of privacy, then this will open a new avenue for individuals to seek redress.
This case is a reminder that privacy breaches can have a long lead time (here, dating back to 2013) and the associated risk can last well into the future. It also highlights the need for safeguards when contractors perform work on your behalf and how they deal with personal information you have collected.
The PageUp incident highlights the need to have appropriate precautions against external threats. Should this matter proceed, it is likely to raise questions of what is a reasonable standard of security, and does a reasonable standard need to be able to repel an attack by something like a well-resourced foreign entity?
Given these risks, a proactive business should seek technical and legal advice to safeguard their processes for handling personal information. There are privacy associated legal, reputational and financial risks that a business should have a strategy for managing.
Future developments?
On 24 March 2019, the Commonwealth Attorney General announced that the Privacy Act would be amended to include a tougher penalty regime in line with the European GDPR. In summary these amendments would:
- Raise the penalties for serious or repeated breaches from $2.1m to $10m, or three times the value of the benefit obtained through the misuse of information or 10% of a company’s annual domestic turnover (whichever is greater);
- Give the OAIC increased infringement notice powers, with increased penalties for bodies and individuals which fail to cooperate with efforts to resolve minor breaches;
- Give the OAIC options to spread information about a breach to ensure affected individuals are notified (such as forcing notices to be published);
- Restrictions on social media companies from using or disclosing a person’s personal information on request;
- Add specific rules to protect minors and vulnerable persons.
The OAIC is also to receive a funding boost of $25m over three years to assist with enforcement and investigation activities.
The consultation draft of this amendment is due to be released in late 2019.
The corporate and commercial team at Hunt & Hunt have specific expertise in privacy and data protection matters. To find out how we can help you and your business in relation to privacy contact our privacy team today.
