THE AUSTRALIAN AND EUROPEAN PRIVACY AND DATA PROTECTION REGIMES IN THE CONTEXT OF AN ELIGIBLE DATA BREACH
ROBYN EDMANSON
ABSTRACT: This report outlines the statutory and regulatory regimes in Australia and the European Union (EU) as at February 2023 in relation to a data breach by a fictitious Queensland technology firm, Privacy Possums. Included is brief advice on the law around data breaches; a data breach response plan; and the mandatory reporting requirements in circumstances of an eligible data breach affecting the personal information of 5,000 Australian and EU engineers. In this scenario, one of Possums’s managers has left an unlocked laptop, with Google Drive open to an Excel spreadsheet, on a train and has been unsuccessful in its recovery.290
I ADVICE ON AUSTRALIA’S DATA BREACH NOTIFICATION SCHEME
Introduction
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) enacted the Part IIIC ‘notifiable data breaches’ scheme into the Privacy Act 1988 (Cth) (‘the Act’) in 2018. The scheme applies to an eligible data breach291 by an Australian Privacy Principles (APP) entity. The scheme’s purpose is to protect the personal information292 the entity holds. Because Possums has an annual turnover exceeding $3 million, it is an eligible entity for the purposes of the scheme.293 The following advice defines and outlines the elements of an ‘eligible data breach;’ Possums’s mandatory reporting requirements; and the consequences of failure to comply.
What is an eligible data breach?294
An ‘eligible data breach’ comprises three criteria. First, there must be an ‘unauthorised’ compromise by Possums as the holder of the personal information of one or more individuals. This includes any access, disclosure, or loss of personal information, including accidental loss, negligent or improper disclosure by internal parties, or malicious breaches involving hackers.295 Second, a ‘reasonable person’ would conclude that such access, disclosure or loss would likely result in ‘serious harm’ to any of the individuals to whom the information relates. Third, the regulated entity has been unable to prevent the harm with remedial action.
290 Submitted for assessment LAW3476 Privacy and Data Protection Law.
291 Privacy Act 1988 (Cth) s 26WE(1)(a) states the scope of an eligible data breach for an Australian entity is that it holds the personal information of one or more individuals (i); and is required under APP 15 not to act, or engage in a practice, that breaches 11.1 in relation to personal information (ii); Office of the Information Commissioner (‘OAIC’), ‘About the Notifiable Data Breaches scheme’ (Web Page) https://www.oaic.gov.au/privacy/notifiable-data-breaches/about-the-notifiable-data-breaches-scheme
292 Ibid s 6(1) defines ‘personal information’ to include ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.’
293 Ibid s 6(4) states an entity includes a small business which has a turnover of more than $3 million.
294 OAIC, ‘Identifying eligible data breaches’ at https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme#identifying-eligible-data-breaches; OAIC, ‘Data Breach Preparation Response’ at 24 states: ‘The NDB scheme only applies to entities and personal information holdings that are already subject to security requirements under the Privacy Act. This means that acts and practices of APP entities that are exempt from the Privacy Act will also be exempt from the NDB scheme.’
295 Australian Cyber Security Centre (ACSC) definition of a ‘hack’ is ‘an unauthorised exploitation of a weakness in a computer system or network’ at https://www.cyber.gov.au/acsc/view-all-content/glossary/h
What is a ‘reasonable person’?
This ‘reasonable person’ element involves Possums’s objective assessment296 as to whether the data breach has, or is likely to have, caused serious harm to any of the individuals to which the information relates.297
What is ‘serious harm’?
While the Act does not define ‘serious harm’,298 it provides the following factors that may be considered when deciding the issue:299
the type and sensitivity of the information;300
whether security (e.g. a locked laptop or password-protected computer files and if so, the likelihood of security being breached) protects the information;301
whether it was encrypted information and how strong that was;302
assessing the person who has, or is likely to, obtain the information and whether or not they are likely to circumvent any security measures.303
What action must be taken?
While not all compromised data is subject to mandatory notification,304 if Possums suspects a data breach is likely to cause serious harm it must first determine, within 30 days, whether or not this is the case.305 If Possums has not been able to prevent the likely risk of serious harm with remedial action, then Possums must notify both the Privacy Commissioner306 and affected individuals as soon as practicable.307
296 The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) [4].
297 Privacy Act 1988 (Cth) s 26WG.
298 Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (‘Explanatory Memorandum’) [10] states: ‘serious harm’ could encompass ‘serious physical, psychological, emotional, economic and financial harm’ as well as ‘serious harm to reputation,’ although the ‘most common forms of serious harm would likely be ‘serious financial, economic or physical harm’; Niloufer Selvadurai, Nazzal Kisswani and Yaser Khalaileh, ‘Strengthening Data Privacy: the Obligation of Organisations to Notify Affected Individuals of Data Breaches’ (2019) 33(3) International Review of Law, Computers & Technology 271, 278 state that in circumstances ‘where an individual is upset or distressed by the unauthorised access, disclosure or loss of their personal information, this would not, on its own, be sufficient to require notification.’
299 Privacy Act 1988 (Cth) s 26WG.
300 Ibid s 26WG(c)-(d).
301 Ibid s 26WG(e).
302 Ibid s 26WG(h); Note the OAIC states that password encryption was a basic security strategy failure in preventing unauthorised access to 245,000 Australian online user accounts in the Ashley Madison case at https://www.oaic.gov.au/privacy/privacy-decisions/investigation-reports/ashley-madison-joint-investigation#summary
303 Ibid s 26WG(h)(iii)-(iv).
304 Ibid s 26WF(3) provides for ‘limited circumstances in which a data breach does not need to be reported’, although entities should consider the situation thoroughly before deciding that no further action need be taken, because the consequences of misapplying exceptions could be highly damaging. The most relevant exception is that provided for if remedial action is taken; the action is taken before serious harm is done; and the action is taken such that a reasonable person would conclude serious harm was unlikely to occur.
305 Ibid s 26WH(2)(b).
Personal data of EU citizens
In circumstances of an eligible breach involving the personal data308 of EU citizens, mandatory notifications apply to Possums’s data handling activities.309 First, Possums will generally have to appoint a Data Protection Officer/representative in each EU member State who acts as the point of contact for affected individuals and Supervisory Authorities.310 Second, it must notify the competent311 Supervisory Authority of each EU member State to which the breach applies within 72 hours312 and advise affected individuals without undue delay.313
Failure to comply
Failure to comply with the scheme’s obligations will be considered an interference with an individual’s privacy, and significant penalties, or other enforcement measures, may apply.314 For example, the penalty for a person other than a body corporate is up to $2.5 million. In the event of an eligible breach involving the personal data of EU citizens, fines imposed may be the greater of €20 million (AUD30.8 million) or 4% of annual worldwide turnover.315
306 OAIC, ‘Notifiable Data Breach Form’ https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=OAIC-NDB&tmFormVersion
307 Privacy Act 1988 (Cth) s 26WE(1)(a)(i); OAIC, ‘when to report a data breach’ at https://www.oaic.gov.au/privacy/notifiable-data-breaches/when-to-report-a-data-breach.
308 General Data Protection Regulation (GDPR) Art 4(1): ‘personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier…’ at https://gdpr-info.eu/art-4-gdpr/.
309 OAIC, ‘Australian entities and the EU General Data Protection Regulation (GDPR)’ states a ‘controller’ under Art 4 of the GDPR ‘means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’; and ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; OAIC, ‘Does the GDPR apply to processing personal data for law enforcement purposes?’ (Web Page) https://www.oaic.gov.au/privacy/guidance-and-advice/australian-entities-and-the-eu-general-data-protection-regulation#does-the-gdpr-apply-to-processing-personal-data-for-law-enforcement-purposes
310 Ibid.
311 GDPR Art 55(1) states: ‘Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own member state.’
312 OAIC, ‘Australian entities and the EU general data protection regulation’ at https://www.oaic.gov.au/privacy/guidance-and-advice/australian-entities-and-the-eu-general-data-protection-regulation#ftn5; GDPR Art 33 https://gdpr-info.eu/art-33-gdpr/
313 OAIC, ‘mandatory data breach notification’ at <https://www.oaic.gov.au/privacy/guidance-and-advice/australian-entities-and-the-eu-general-data-protection-regulation#mandatory-data-breach-notification>; GDPR Art 34(1) at https://gdpr-info.eu/art-34-gdpr/
314 Privacy Act 1988 (Cth) s 13G(2); Note under s 13G(3) of the Act, the penalties for a large corporation are the greater of up to $50 million; 3 times the value of the benefit; or 30% of turnover; Note OAIC ‘Chapter 3: Enforceable undertakings’: the Commissioner has a range of enforcement powers depending on the seriousness of the breach, including accepting ‘an enforceable undertaking (s 33E) and bring proceedings to enforce an enforceable undertaking (s 33F); make a determination (s 52) and bring proceedings to enforce a determination (ss 55A and 62); seek an injunction to prevent ongoing activity or a recurrence (s 98); apply to court for a civil penalty order for a breach of a civil penalty provision (s 80W).’
315 GDPR Art 83(5); OAIC, ‘Comparison table’ https://www.oaic.gov.au/privacy/guidance-and-advice/australian-entities-and-the-eu-general-data-protection-regulation#ftn5
II Data Breach Response Plan
Context
This Data Breach Response Plan sets out Possums’s responsibilities under the NDB scheme316 in accordance with its obligations as an APP entity,317 and under the GDPR,318 as the holder of both Australians and EU citizens’ personal information.
Purpose
By establishing the reporting, containment, assessment, and notification processes in the event of an eligible data breach, Possums is able to:
expeditiously and proactively mitigate and remediate the potential harm to affected individuals;
reduce the risk of reputational, financial or other damage;
document processes and data breach responses;
demonstrate respect for the privacy of individuals; private investors (e.g. Peter Pan); and the public;
promote staff awareness of the risk and their responsibilities.319
Procedures
This Plan is divided into the following parts:
Part A – Identification;
Part B – Containment and Assessment;
Part C – Notification and Remediation;
Part D – Additional GDPR administrative requirements.
Part A – Identification
Following are common examples of the causes of a data breach:
Human error: resulting in loss of a data storage device (e.g. laptop, USB or phone) containing personal information;320
Malicious insider321 or corporate espionage:322 threats of, or actual, cyber-attack323 resulting in unauthorised access, loss or disclosure of personal information.324
316 Note the OAIC ‘Notifiable data breaches report January to June 2022’ (Web Page, 10 November 2022) reported 396 notifiable data breaches, 63% of which were attributable to malicious or criminal attack and 33% to human error https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-january-june-2022.
317 See above nn 2-4.
318 Note the OAIC states ‘the GDPR applies to the data processing activities of processors and controllers outside the EU, regardless of size, and where the processing activities are related to offering goods or services in the EU (irrespective of whether a payment is required); monitoring the behaviour of individuals in the EU, where that behaviour takes place in the EU (Article 30); data controllers and processors covered by the GDPR but not established in the EU will generally have to appoint a representative in the EU member State (Article 27); the representative is the point of contact for supervisory authorities and individuals in the EU on all issues related to data processing, to ensure compliance with the GDPR.’
319 OAIC, ‘Data breach response plan’ (Web Page, November 2021) https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response
320 Note the OAIC found human error resulted in 131 (33%) recent notifications in ‘Notifiable Data Breaches Report January to June 2022’ (Media Release, 10 November 2022) https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-january-june-2022.
Part B – Containment and Assessment
Possums will contain the breach by conducting an immediate review.325 In circumstances of unauthorised access, disclosure or loss of personal information, Possums must make an assessment within 30 days to the Privacy Commissioner as to whether the breach is likely to result in serious harm to any individual.326 The OAIC suggests adopting the following three-stage risk assessment process to decide the issue:
1. decide whether the breach requires an assessment and identify the person responsible for its completion;
2. expeditiously gather relevant evidence about the suspected breach including what personal information is affected, who is likely to gain access to it, and the likely effects;
3. decide whether the breach meets the criteria of an eligible data breach.327
Part C – Notification and Remediation
Whatever the cause of the breach, harm can result to Possums’s representatives and associates whether in Australia or overseas.328 If the threshold requirements for ‘eligible data breach’ are satisfied, Possums must notify the Office of the Australian Information Commissioner (OAIC) within 30 days with the following information:
1. Possums’s identity and contact details;329
2. description of the breach Possums has reasonable grounds to suspect has occurred;330
3. the type of information that is the subject of the breach;331
4. recommendations about the steps affected individuals should take.332
321 Note the ACSC defines a ‘malicious insider’ as either current or former employee, contract or business associate at https://www.cyber.gov.au/acsc/view-all-content/threats/malicious-insiders
322 Note the ACSC defines corporate espionage as ‘the improper or unlawful theft of trade secrets or other knowledge proprietary to a competitor for the purpose of achieving advantage in the marketplace’ at https://www.cyber.gov.au/acsc/view-all-content/glossary/corporate-espionage
323 Note the ACSC for a list of the latest threats including from malware, ransomware, and phishing at https://www.cyber.gov.au/acsc/view-all-content/threats; Note criminal hacking and misuse carries a maximum 2 year imprisonment penalty under the Criminal Code 1899 (Qld) s 408E(1).
324 Note, for example, the OAIC cites that the failure to take reasonable steps to safeguard information under APP 11.1 may result in a breach, as in the case of Cupid Media Pty Ltd’s failure to secure personal information held on its dating websites at [45] https://www.oaic.gov.au/privacy/privacy-decisions/investigation-reports/ashley-madison-joint-investigation
325 OAIC ‘data breach preparation and response checklist’ (Web Page, November 2021) https://www.oaic.gov.au/about-us/our-corporate-information/key-documents/data-breach-response-plan#oaics-data-breach-response-check-list
326 Privacy Act 1988 (Cth) s 26WH(2)(b); OAIC, ‘how quickly must an assessment be done’ (Web Page, 13 July 2019) states that if Possums cannot reasonably complete an assessment within 30 days, the Commissioner recommends this be documented to demonstrate the reasonable steps taken; the reasons for the delay; and that the assessment was reasonable and expeditious at https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme
327 See above n 5 and accompanying text.
328 Explanatory Memorandum (n 8).
329 Privacy Act 1988 (Cth) s 26WK(3)(a).
330 Ibid s 26WK(3)(b).
331 Ibid s 26WK(3)(c).
332 Ibid s 26WK(3)(d).
Possums may also include an apology or description of what it has done to prevent reoccurrence. The OAIC also encourages sufficient descriptive information about the breach.333
Possums is responsible for notifying the Commissioner using the formal notification through the OAIC’s NDB form334 and affected individuals. In its additional capacity as ‘data controller’ of the personal data of EU citizens, Possums must notify the relevant Supervisory Authority no later than 72 hours after becoming aware of an eligible data breach335 and communicate it to the affected person without undue delay.336
Possums should also notify the following parties:
internal staff;
investors (e.g. Peter Pan);
third party platform provider (e.g. Google);337
Australian Cyber Security Centre’s (ACSC) registration and reporting service.338
Review
After finalising notification and reports, the incident should be reviewed and changes recommended to the current procedures to prevent future breaches and ensure they are better managed. The following items are suggested for the purpose of review and remediation:339
(a) root cause analysis of the data breach and report to appropriate Data Breach Coordinator/s;
(b) strategy implementation to identify the data handling weaknesses that led to the breach;
(c) policy and procedure updates;340
(d) involvement of external partners, such as the ACSC;341
(e) updating staff training practices as required;
(f) audit to ensure enactment of necessary outcomes.
333 OAIC ‘Part 4: Notifiable Data Breach scheme – what to include in an eligible data breach statement’ at https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme#what-must-be-included-in-the-statement
334 OAIC, ‘Notifiable Data Breach Form’ https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=OAIC-NDB&tmFormVersion
335 OAIC, ‘Mandatory Data Breach Notification’ https://www.oaic.gov.au/privacy/guidance-and-advice/australian-entities-and-the-eu-general-data-protection-regulation#mandatory-data-breach-notification; GDPR Art 33 https://gdpr-info.eu/art-33-gdpr/
336 Ibid; GDPR Art 34 https://gdpr-info.eu/art-34-gdpr/
337 Note the ACSC’s list of potential risks and encryption recommendations associated with cloud computing at https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-computing-security-considerations
338 ACSC, ‘ReportCyber: report a cybercrime, incident or vulnerability’ at https://www.cyber.gov.au/acsc/report
339 OAIC, ‘Part 3: Responding to data breaches – Step 4: Review’ at https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-3-responding-to-data-breaches-four-key-steps#step-4-review
340 Note, for example, that to avoid the risk of engaging in misleading and deceptive conduct, Possums’s privacy policy should be consistent with APPs 3 and 6 in relation to true informed consent to the collection, use and disclosure of personal information: Gordon Hughes and Lisa Di Marco, ‘Online Privacy Policies – It’s Not Just About the Privacy Act’ (April 2015) Internet Law Bulletin.
341 Note, for example, the Australian Cyber Security Centre at OAIC, ‘Preventing data breaches: advice from the Australian Cyber Security Centre’ at https://www.oaic.gov.au/privacy/notifiable-data-breaches/preventing-data-breaches-advice-from-the-australian-cyber-security-centre
Prevention Plan
To mitigate the extent of harm to individuals and prevent data breaches, Possums must ensure that robust and detailed staff procedures and training are implemented regarding data security, including cloud and off-site data storage.
The following procedures should be employed by all Possums staff:
(a) report suspected data breaches to the Privacy Commissioner and/or EU State representative/s;
(b) assist in the prevention of data breaches through compliance with this Plan and the data breach policy,342 including implementing de-identification, data modification and reduction techniques as part of an overarching information life-cycle plan;343
(c) participate in data breach investigations;
(d) review all systems, services, and applications which incorporate personal information; 344
(e) require contracts or service arrangements to incorporate clauses which specify notification responsibilities, timeframes and investigation support.
Prevention Strategies
1. Enact remote deletion capabilities
mobile devices such as laptops and phones should enable remote deletion of personal information if stolen or lost.345
2. Use of laptops, USBs & mobile devices
put a lock on all staff laptops and mobile devices;346
if managerial staff are storing data on a USB or other mobile device and taking them off-site, that data should be encrypted or hashed to obscure personal identifiers.347
342 Note, in the event of an eligible data breach where third parties (e.g. Google, as information held in Google Drive) hold personal information under a third party agreement, Possums’s data breach policy should include clear procedural guidelines that only one entity need assess the breach (s 26WJ) and notify affected individuals and the Commissioner (s 26WM); however, if neither entity notifies the Commissioner or affected individuals, then both entities may be in breach of the NDB scheme (s 26WL(2)).
343 OAIC, ‘De-identification and the Privacy Act’ (Web Page, 21 March 2018) https://www.oaic.gov.au/privacy/guidance-and-advice/de-identification-and-the-privacy-act.
344 Sebastian Clevy, ‘The EU’s Right to be Forgotten: A Right to “Un-Google Yourself”?’ (2014) 17(8) Internet Law Bulletin suggests, for example, implementing internal guidelines or privacy compliance programs to handle deletion requests following the finding by the European Court of Justice that EU citizens have a ‘right to be forgotten’, with a similar requirement possible in Australia.
345 Note the OAIC states that pursuant to s 26WE(2)(b)(ii), in circumstances where the subsequent unauthorised access to or disclosure of information is unlikely, there is no data breach if, for example, the data on a lost device is able to be deleted at https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme
346 ACSC, ‘Secure your mobile phone’ (Web Page, 18 January 2023) https://www.cyber.gov.au/acsc/view-all-content/guidance/secure-your-mobile-phone; OAIC ‘Guide to securing Personal Information’ (Web Page, 5 June 2018) https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-securing-personal-information
347 OAIC, ‘De-identification and the Privacy Act’ (Web Page, 21 March 2018); Note generally OAIC, ‘Portable Device Wins’ at https://www.cyber.gov.au/acsc/view-all-content/publications/quick-wins-your-portable-devices
3. Password/passphrase security348
Passphrase-protect all files, including Excel files, that contain personal information;349
Create strong, unique passphrases that are not repeated; 350
Secure the architecture;351
Set up a secured online workspace with different access levels.352
4. Electronic devices should be branded
All work property and devices capable of storing data should have Possums’s name and contact details to ensure their return in the event of loss.
5. Checklists/Routines
staff are encouraged to run through a mental checklist when exiting public spaces and transport such as trains.
6. Third-party & vendor risk management
develop a comprehensive risk plan to identify and mitigate data compromises.
NDB involving more than one entity
Possums’s obligations extend to personal information stored on a cloud353 service such as Google Drive. In the event of an eligible data breach, Possums’s data breach policy should advise whether only Possums need assess the breach354 for the purpose of fulfilling notification obligations.355 For example, when entering into service agreements or contractual arrangements with third parties, Possums should establish clear procedures for compliance with the scheme.356
Part D – Additional GDPR requirements
The GDPR describes those who handle the personal information of EU citizens as ‘data controllers’357 and ‘data processors.’358 In the context of Possums’s information handling activities relating to European engineers, the administrative requirements for data controllers are to provide a detailed privacy notice prior to data collection,359 and to appoint a Data Protection Officer/representative and Supervisory Authority for each EU member State in which the engineer is based.360 In the event of an eligible data breach, this Authority must be notified within 72 hours of becoming aware of the breach.361
348 ACSC, ‘Creating strong passphrases’ advises using passphrases not passwords because they are ‘easy for humans to remember and harder for machines to crack’ (Web Page, 6 October 2021) https://www.cyber.gov.au/acsc/view-all-content/publications/creating-strong-passphrases
349 ACSC, ‘Small business cyber security guide’ (Web Page, 24 November 2021) https://www.cyber.gov.au/acsc/view-all-content/publications/small-business-cyber-security-guide
350 Note generally ACSC’s ‘Small business cloud security guidance’ (Web Page, 24 November 2021) https://www.cyber.gov.au/acsc/small-and-medium-businesses/small-business-cloud-security-guides.
351 ACSC, ‘Multi-factor authentication’ at https://www.cyber.gov.au/mfa; Joel Witts, ‘How To Secure and Safely Share Business Passwords’ (Blog Post, 28 January 2022) https://expertinsights.com/insights/how-to-securely-share-pass/
352 Note generally ACSC, ‘Cloud Computing Security Considerations’ (Web Page, 6 October 2021) https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-computing-security-considerations.
353 Note the ACSC defines the cloud as ‘a network of remote servers that provide massive, distributed storage and processing power’ https://www.cyber.gov.au/acsc/view-all-content/glossary/c
354 Privacy Act 1988 (Cth) s 26WJ.
355 Ibid s 26WM.
356 OAIC, ‘Data breach preparation and response’ [30] https://www.oaic.gov.au/__data/assets/pdf_file/0017/1691/data-breach-preparation-and-response.pdf.
357 GDPR Art 4(7) states that a data controller ‘…determines the purposes and means of the processing of personal data.’
358 GDPR Art 4(8) defines a ‘data processor’ as an agency which processes personal data on behalf of the controller.
III Specific Advice Related To A Potential Data Breach And Mandatory Notification Requirements
Introduction
The following advice is in relation to whether or not the loss of personal information meets the criteria of an ‘eligible data breach’ and, if so, what mandatory reporting obligations apply to Possums as a regulated entity.362 However, it must first be established whether or not statutory reporting exceptions apply. If these do not apply, then it must be determined whether or not the loss of the personal information of 5,000 engineers constitutes a serious data breach such that serious harm is likely to result. If this is the case, then Possums must meet its mandatory reporting obligations as outlined in Parts C and D of the Data Breach Response Plan. Finally, this advice lists its mandatory obligations and further steps Possums should take to prevent future breaches.
Do any statutory exceptions apply?
There are limited circumstances in which the loss need not be reported.363 However, these should be considered carefully before deciding that no further action is required, because the consequences of misapplying exceptions could be financially and reputationally highly damaging for Possums. If Possums takes remedial action before serious harm is done, such that a reasonable person would conclude serious harm is unlikely to occur, the loss is taken never to have been an eligible data breach. However, because the information is unable to be recovered, the laptop having been lost for two (2) weeks, no exceptions are likely to apply.
Does the loss constitute an eligible data breach?
Whether the loss constitutes a serious data breach and serious harm turns on the results of a risk assessment of the nature of the information; whether it was secured; the strength of any encryption; and the person likely to obtain the information.364 The facts indicate the loss comprised the identification of 2,500 Australian engineers and 2,500 engineers based in Sweden and France. Identifying components are names, addresses, dates of birth, and opinions regarding the costs and benefits of Possums’s unmanned aerial vehicle (a ‘drone’) with facial recognition software (codename: Fruit Fly). Because the unencrypted information was directly accessible on an unlocked laptop and is unable to be deleted remotely, there is a high risk of either a hack or a cyber-attack.365 Whether access is gained unintentionally or maliciously, the loss of personal information in these circumstances could lead to serious financial and reputational harm for Possums while exposing the engineers to identity theft.
359 OAIC, ‘Privacy notices’ (Web Page, 8 June 2018) https://www.oaic.gov.au/privacy/guidance-and-advice/australian-entities-and-the-eu-general-data-protection-regulation#privacy-notices
360 OAIC, ‘Australian entities and the EU general data protection regulation’ at https://www.oaic.gov.au/privacy/guidance-and-advice/australian-entities-and-the-eu-general-data-protection-regulation#ftnref10; GDPR Arts 36–37.
361 Ibid.
362 Note, the scheme applies to both the personal information of Australians and Europeans; see above nn 2-4 and accompanying text; see above nn 19-24 and accompanying text in relation to GDPR reporting obligations.
363 See above n 15.
364 See above nn 10-14 and accompanying text.
What mandatory steps are now required?
Step 1 Prepare a Statement for the Privacy Commissioner:
Finalise the risk assessment within 2 (two) weeks;366
Prepare a statement including the following information:367
o Possums’s name and contact details;
o description of the data breach and the lost components of personal information;
o recommendations for what the engineers can do to minimise their potential harm;
o an apology or description of what Possums has done to prevent reoccurrence.
Step 2 Meet GDPR administrative and notification requirements:
• Possums must appoint a Data Protection Officer/representative in each of the EU member States in Sweden and France who act as points of contact for the 2,500 engineers and the Supervisory Authorities in each State;368 and
• notify the Supervisory Authority in each State within 72 hours; and
• notify the 2,500 engineers based in Sweden and France without undue delay.
Step 3 Notify the Privacy Commissioner and Australian engineers:
• notify the Commissioner using the online DB Form;369 and
• directly notify the 2,500 engineers whose personal information was lost as soon as practicable.
The following information should also be included in the statement to both the Commissioner and the Supervisory Authorities:
1. The time the data breach was discovered, and the name of the individual who discovered it or made the report (management staff member and Mrs Possilith).
2. Details of the breach (Excel spreadsheet left open on the desktop of a laptop, copied from Google Drive with shared common password access);
3. Number of people affected (5,000 engineers);
4. Components of the lost information: names, addresses, dates of birth and opinions.
Step 4 Notify other parties
• Internal staff;
• Peter Pan;
• Google as the third party platform provider;
• The Australian Cyber Security Centre;
• IDCARE – a national identity and cyber support service at idcare.org.
365 See above nn 32-35 and accompanying text.
366 Note this mandatory 30 day requirement is now shortened to two (2) weeks because the laptop was lost two (2) weeks ago.
367 See above Data Breach Response Plan Part C – Notification and Remediation.
368 See above Data Breach Response Plan Part D – Additional GDPR Requirements.
369 See above n 45.
Step 5 Address vulnerabilities370
Strengthen security to prevent future breaches and, in particular, eliminate the practice of common password sharing;
Implement strategies as identified in the Plan.
Step 6 Review response371
Determine the robustness of the Plan by reviewing your response to this breach;
Make changes to the Plan as required.
Conclusion
This advice has determined that the loss of the laptop directly accessing the personal information of 5,000 engineers constitutes an eligible data breach. Because Possums is a regulated entity, it must comply with its mandatory reporting obligations, as no exceptions are deemed to apply. Failure to comply may result in significant reputational and financial damage372 for Possums, as this will be considered an interference with the privacy of these engineers because it exposes each individual to the real risk of serious harm from identity theft.