Data protection & privacy laws - annual review 2013

September 2013

Q: As companies increase their data processing activities, including transfer and storage, what regulatory risks do they face in Australia?

McMillan: Companies engaged in the processing of personal information face increased regulatory risks with the recent amendments to the Privacy Act and the 13 Australian Privacy Principles (APPs) which come into force in March 2014.These APPs apply to the majority of organisations in Australia and govern their handling of personal information throughout the information handling lifecycle, including transfer and storage. A company in breach may be investigated by the Australian Privacy Commissioner- either in response to a complaint by an individual or on the initiative of the Commissioner himself. If a company is found to have interfered with an individual's privacy, a determination may be made that the complaint be compensated or that the company take steps to ensure the conduct is not repeated or continued. These determinations may be enforced by a court. For serious privacy breaches, a company may be liable to fines of up to $1.7m.

Q: Could you outline the latest legal and regulatory developments, if any, affecting corporate handling of data in Australia?

McMillan: There have been many notable developments. The Privacy Amendment (Enhancing Privacy Protection) Act was passed in December 2012, representing the most significant change in Australian privacy law in the last 20 years. The reforms commence in March 2014 and include increased disclosure and information governance obligations on companies; an obligation to provide consumers with greater scope to 'opt out' of direct marketing; new rights for individuals to access and correct credit reports; the introduction of comprehensive credit reporting; higher standards of protection for 'sensitive information'; the conferral of new powers on the Commissioner with respect to complaints, investigations and remedies; and new civil penalty orders. Another development is the proposed mandatory breach notification laws which, if passed, will require a company to notify the Commissioner and affected individuals whenever a serious data breach occurs. For regulated institutions, the Australian Prudential Regulation Authority has released a guide on managing data risk.

Q: Do you believe companies fully understand their duties or confidentiality and data protection in an age of evolving privacy laws?

McMillan: Whilst many large corporates are aware of the upcoming changes to the Privacy Act and are implementing compliance programs, a number of companies do not fully understand their duties. The proliferation of internet connected devices and systems means that personal information is being produced and processed at a rate never seen before. However, many companies fail to appreciate that the type of personal information which is regulated goes beyond information sourced directly from an individual, and extends to metadata, system event logs or even data sets comprising anonymised data coupled with data extracted from an information system or generated using an algorithm which is capable of identifying an individual. As companies discover new uses for such information, there is sometimes a lack of 'informed consent' of the individual concerned. There is also often a failure by companies to train their employees properly in the management and use of personal information.

Q: What penalties might arise for a company that breaches or violates data or privacy laws in Australia?

McMillan: One of the key reforms being introduced into Australian privacy law is the introduction of new civil penalty orders. If a company breaches the Privacy Act, as amended, or an undertaking given by the company to the Commissioner, the Commissioner may apply to the court for an order to have a civil penalty imposed. The court must be satisfied of the breach on the balance of probabilities. If such a determination is made, a civil penalty order may be ordered. This may be up to $1.7m for companies and $340,000 for individuals. Additionally, where the personal information involves credit information of an individual, certain acts or practices may render a company guilty of an offence and carry a criminal penalty. This may be the case, for example, where the act or practice relates to the unauthorised disclosure or use of false and misleading information.

Q: In our experience, what steps should a company take to prepare for a potential data security breach, including up-to-date knowledge of any notification requirements?

McMillan: The sorts of steps a company ought to be taking include: the creation of a breach reporting policy, including processes for identifying breaches, timeframes for actioning responses and notification procedures; staff training; identification of data risks and vulnerabilities; appointment of a responsible officer to deal with breaches; implementation of privacy and data security enhancing technologies; undertaking privacy impact assessments to determine how current systems align with privacy practices and regulations; monitoring and review of the company's security policy; careful management of service providers accessing or using personal information; and maintenance an information security and data breach prevention plan.

Q: What can companies do to manage internal risks and threats, such as liabilities arising from the actions of rogue employees?

McMillan: One of the most effective ways to manage the risk of an internal data breach is to limit a staff member's access to those systems, resources and data which he or she requires to perform his or her job. Risk-based access controls- where employee access is modelled on organisational risk- ought to be favoured over traditional role-based access controls. Extra care should be taken when the data involves 'sensitive information'. Having the right processes, governance and technology in place to prevent an internal data breach is key. This may include implementing measures such as the proper classification, qualification and tagging of data to enable the company to better monitor, manage and mitigate data loss. It is also about creating the right workplace culture - one where staff understand the rules in place, that the rules are enforced and are aware of the consequences where those rules are breached.

Q: Would you say there is a strong culture of data protection developing in Australia? Are companies proactively implementing appropriate controls and risk management processes?

McMillan: A culture of data protection appears to be developing in Australia. The Office of the Australian Information Commissioner (OIAC) has been particularly active in raising awareness of privacy and cyber-risk issues over the last year. It has also recently commissioned a study to explore changes in community attitudes to privacy across a range of areas, including those associated with new and emerging technologies. The results of this survey will be used to gauge privacy trends and developments and inform OAIC's compliance, policy and education work. While a number of companies in Australia are developing privacy compliance programs, and increasing their investment in IT to address cyber-security risks, there continues to be gaps in the adequate training of staff, the way companies manage the use of personal devices within the workplace - with many companies having no personal device policy in place - and the implementation of sophisticated data protection and recovery measures.