Prioritizing Proactive Incident Response Under the Australian Privacy Act

Australia’s hallmark privacy legislation, the Australian Privacy Act 1988, is now well over 30 years old. But thanks to a steady stream of amendments over the past three decades (plus more on the horizon), it remains as relevant as ever. And with a potential fine of up to AU$2.1 million, every organization needs to stay up to date on what exactly the latest version of the country’s Privacy Act requires.

Who is Subject to the Australian Privacy Act

The Australian Privacy Act applies to Australian government agencies and organizations with an annual turnover of more than AU$3 million. Small business operators (those with an annual turnover of less than AU$3 million) must also comply if they meet any of the following criteria:

• Private sector health service provider
• Business that sells or purchases information
• Credit reporting body
• Service provider for Australian government contract work
• Employee association recognized under the Fair Work Act of 2009
• Accredited business under the Consumer Data Right System
• Business that has opted into the Privacy Act
• Business related to another business subject to the Privacy Act (e.g. a subsidiary)
• Business prescribed by the Privacy Regulation of 2013

The Privacy Act also includes specific exceptions for the following organizations:

• State or territory government agencies (including healthcare providers)
• Individuals acting in their own capacity
• Universities, other than a private university and the Australian National University
• Public schools
• Media organizations acting in the course of journalism, if the organization is publicly committed to observing published privacy standards
• Registered political parties and political representatives
• Small businesses with annual turnover of less than AU$3 million that do not meet the above criteria

Finally, the Australian Privacy Act has an extra-territorial scope only in cases where the organization has “an Australian link.” Organizations have an Australian link if they were formed in Australia, are managed in Australia, and/or conduct business and collect or hold personal information from Australian residents. Signals that indicate an organization conducts business in Australia include having employees in the country, running a website that offers goods or services to Australian citizens, fulfilling orders from Australia, or collecting personal information from people physically located in Australia.

How the Australian Privacy Act Gets Enforced

The Office of the Australian Information Commissioner (OAIC) was established in 2010 as an independent agency that sits under the Attorney General. The OAIC is responsible for privacy, freedom of information, and government information policy, including enforcement for the Privacy Act. 

Currently, the OAIC has the power to issue guidelines on how it interprets the Privacy Act, investigate potential violations of the law, and issue fines accordingly. However, in early 2021 the commission asked for amendments to the act that would expand its regulatory powers (and remove certain exemptions, like the one for political parties).

This comes after another proposed amendment in 2020 that would give the commission AU$25 million to investigate breaches and raise the maximum fines for serious or repeated breaches from AU$2.1 million to whichever of the following three is greatest: AU$10 million, three times the value of any benefit obtained through the misuse of information, or 10% of the organization’s annual Australian turnover. Despite expectations this amendment would pass, the government prioritized COVID-related legislation instead.

As a result, the current maximum fine for failing to comply with the Privacy Act (including violating the privacy principles it sets forth or failing to issue a data breach notification when required) still sits at AU$2.1 million.

What Qualifies as a Breach of Privacy Under the Australian Privacy Act

The Australian Privacy Act governs the way organizations can collect, use, and store personal information. It does so through 13 principles that cover transparency in data collection and use, the right to anonymity, the right to stop receiving unwanted direct marketing, the right to access and correct personal data, and the right to have personal data protected from misuse, loss, and unauthorized access.

The act covers both personal information and sensitive information, but gives more guidelines around the collection and use of sensitive information as well as stricter penalties for breaches involving sensitive information. 

Personal information is defined as information or an opinion about an identified individual or an individual who is reasonably identifiable. Sensitive information is information about an individual’s racial or ethnic origin, political opinions, professional, political, or religious affiliations or memberships, sexual orientation or practices, criminal record, and health, genetics and/or biometrics.

Incident Response Measures Required Under the Australian Privacy Act

The Notifiable Data Breaches Act of 2017, which came into effect in 2018, established clear incident response guidelines for organizations to follow. These guidelines include what qualifies as an eligible data breach for notification, who to notify, how to issue the notification, what to include in the notification, and exemptions from issuing a notification.

What Qualifies as an Eligible Data Breach

An eligible data breach is any instance of (1) unauthorized access to or disclosure of personal information, or cases in which information is lost and the circumstances are likely to lead to unauthorized access or disclosure, that is (2) likely to result in serious harm to the individuals and (3) where the organization can not take any remedial action prevent the likely risk of serious harm.

If organizations are unsure whether or not a situation meets these requirements, they must conduct an investigation to determine if the breach is eligible and requires notification. The act requires organizations to complete this investigation within 30 days of discovering the instance.

Notably, the OAIC provides guidance around how to define “serious harm.” The commission notes that serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm. They also recommend organizations consider the type of data involved in the breach, as certain types of information, including sensitive information, may be more likely to cause harm than others. 

Who to Notify About an Eligible Data Breach

Any organization that experiences an eligible data breach must notify affected individuals as well as the OAIC as soon as possible. When it comes to notifying individuals, organizations have three options and can choose whichever is most practical: 

• Notify all individuals affected in the breach
• Notify only those individuals who are at risk of serious harm
• Post a notification on their website and take reasonable steps to publicize that content (*note that the commission only recommends this option when the first two are not practical)

How to Issue a Notification About an Eligible Data Breach

Organizations can notify individuals using a variety of methods, including telephone calls, SMS messages, physical mail, or email, as long as the method is likely to reach affected individuals. The OAIC recommends organizations using their usual method of communications, which may vary across individuals. This variation is allowed as long as each method includes the full required contents of the notification.

What to Include in a Notification About an Eligible Data Breach

Any notification about an eligible data breach must include the following information:

• Identity and contact details for the organization
• A description of the eligible data breach that occurred
• The type of information involved in the breach
• Recommendations about what steps individuals should take in response to the breach

Who is Exempt from Issuing a Notification

The Privacy Act outlines a handful of cases in which organizations are exempt from issuing a notification. These include: 

• Cases relating to enforcement activities: If an enforcement body has reasonable grounds to believe that notifying individuals would create a prejudice against that entity’s enforcement work, then the organization does not need to issue a notification but must still provide a statement to the OAIC.
• Instances of inconsistency with secrecy provisions: Instances in which a Commonwealth law prohibits or regulates the use or disclosure of information may exclude an organization from issuing a breach notification. Organizations should only apply this rule to the extent necessary to avoid conflicts with the secrecy provision.
• Declaration by commissioner: In some cases, the OAIC may declare that an organization does not need to notify individuals about the breach. The commissioner will typically make this decision based on whether the risks associated with issuing a notification outweigh the benefits of notifying individuals. 
• Breaches that are notified under the My Health Records Act: The My Health Records Act requires data breach notification in certain instances, and any organization that issues a notification under these guidelines does not need to issue a duplicate notice.

Examples of Incidents That Can Trigger a Notification Under the Australian Privacy Act

Any incident that qualifies as an eligible data breach will trigger a notification under the Australian Privacy Act, and there are a variety of cases that meet those qualifications. Some of the most common examples include:

Trojan Attack

A trojan attack is when a hacker installs a malicious program inside of another program users would access for legitimate purposes. This malicious program can then create a backdoor for hackers to monitor users’ digital behavior and access their information, creating a situation that qualifies as an eligible data breach.

Watering Hole Attack

A watering hole attack is a social engineering attack in which hackers profile their intended victims to understand the websites they regularly visit. The hackers then infect these websites as a way to gain access to the intended victims’ computers and network. This type of attack can ultimately lead to hackers gaining access to private data and is most often targeted at highly secure organizations, as it preys on individual employee behavior rather than corporate security protocols.

Lost or Stolen Data

Instances of lost or stolen data qualify as an eligible data breach under the Australia Privacy Act if the situation is likely to lead to unauthorized access or disclosure that can cause harm to individuals. This is the case regardless of whether the loss was accidental, since the standard for notifications is based on the outcomes of the situation, not how it happened.

How Organizations Can Prepare for the Australian Privacy Act

The OAIC recommends that all organizations prepare proactively for the Australian Privacy Act, especially when it comes to having incident response plans in place. Being ready with these plans can not only ensure compliance and reduce the potential penalties as a result, but it’s especially important given the current environment in which incidents are inevitable.

This type of proactive planning starts by gaining visibility into how data gets collected and used, assigning responsibility for incident response, and then developing plans before they’re needed. Automation is crucial. In developing these plans, organizations should focus on three essential areas of incident response:

1) Readiness

Organizations must be ready to quickly and confidently respond when an incident occurs. This is important to meeting Australia’s guidelines around conducting an investigation within 30 days of becoming aware of an incident and then issuing a notification promptly if needed. For organizations to be ready to jump into action at any time, they must:

• Detail the requirements set forth in applicable laws, like the Australian Privacy Act, as well as customer and partner contracts
• Outline incident response plans according to those requirements

2) Response

Next, when an incident occurs, organizations must put those plans into motion and do so as quickly as possible. This speed to action can help meet Australia’s tight timelines for response and potentially reduce any penalties if the organization can take remedial action to alleviate the risk of harm. To effectively respond to an incident, organizations need to:

• Investigate what happened, including when the incident happened, what data was involved, which individuals were affected, and what is the potential risk of harm
• Determine if the incident qualifies as an eligible data breach under the Australian Privacy Act and issue the proper notification if so
• Take action to avoid a recurrence of the issue and, if possible, reduce any potential harm to the affected individuals 

3) Ongoing Management

Finally, organizations must approach this incident response planning as an ongoing effort by keeping their plans up to date as both external and internal factors evolve over time. For instance, the Australian Privacy Act has been amended numerous times since its inception in 1988 and has more proposed amendments today. Successfully keeping plans up to date requires organizations to:

• Introduce a centralized dashboard as a single source of truth for all monitoring, reporting, and incident response plans
• Promote accessibility to that dashboard to ensure key stakeholders remain aware of their responsibilities and aligned on response protocols

Examples of High Profile Australian Privacy Act Cases

Several high profile cases involving violations of the Australian Privacy Act have surfaced in recent years. Understanding these cases is helpful in learning how the OAIC enforces the law, including what the commission expects when it comes to incident response. Here’s a deeper look at two notable cases.

Uber: Failure to protect personal information and issue necessary notifications

In June 2021, the OAIC determined that ride-sharing company Uber violated the Australian Privacy Act by failing to investigate and disclose a data breach in a timely manner.

Specifically, Uber experienced a cyber-attack in October and November 2016 that compromised the personal information of 1.2 million Australian residents. The company ultimately issued a bug bounty award to the hackers for discovering the security vulnerability, but they failed to investigate the breach until November 2017 (at which point they also issued a notification).

The OAIC cited Uber’s failure to investigate, issue a notification, and take protection measures in a timely manner as part of its ruling. Recognizing regulatory action already taken against Uber in other jurisdictions for the same data breach, the commission ordered the company to prepare, implement, and maintain an information security program and incident response plan in compliance with the Australian Privacy Act. The commission also ordered Uber to appoint an independent expert to review and report on these policies and their implementation.

Facebook: Selling user data without explicit permission

In September 2020, an Australian federal court ruled that Facebook does conduct business in Australia, giving the OAIC the opportunity to investigate the company’s sale of Australian residents’ personal information to Cambridge Analytica.

The OAIC sued Facebook in March 2020, alleging that the organization breached the privacy of more than 300,000 Australians from March 2014-May 2015 by selling users’ personal information to a company known as Cambridge Analytica without those individuals’ explicit permission.

Facebook has incorporations in both the United States and Ireland and originally fought the lawsuit on the grounds that it does not do business in Australia, which is a requirement for giving the OAIC extra-territorial scope in applying the Australian Privacy Act. A federal court ruled against Facebook in September 2020, giving the OAIC the authority to continue its investigation — although Facebook proceeded to appeal the decision in January 2021.

Now is the Time to Prioritize Proactive Incident Response

The Australian Privacy Act has evolved countless times since it first passed into law in 1988 and a handful of recent amendments indicate this trend will only continue. The constant changes to requirements for the law along with the fact that data breaches are inevitable in today’s world underscore the need for organizations to prioritize proactive incident response.

Prioritizing proactive incident response can help organizations remain compliant even as privacy laws change and security threats evolve. This type of proactive planning can also empower organizations to respond quickly and confidently when an incident does occur, which can mitigate the fallout by potentially reducing penalties and maintaining consumer trust.

To deliver on this goal, organizations must stay up to date on regulations like the Australian Privacy Act, determine who will be responsible for security, implement response plans that can be put into action at any time, and update those plans regularly as regulatory, contractual, and privacy needs continue to change.