Fact or fiction ‒ will the Notifiable Data Breach Requirements apply to State and Local Governments?
The Notifiable Data Breach Scheme has a broad application with State and Local Governments potentially being subject to some aspects of the Scheme. With the 22 February 2018 deadline fast approaching, it is not too late for State and Local Governments to consider the nature and scope of their exposure.
The Mandatory Data Breach Notification Scheme under Part IIIC of the Privacy Act 1988 (Cth) will require subject entities to report a data breach that is likely to result in serious harm to both the subject individual and the Australian Information Commissioner. To date, much of the discussion about the mandatory data breach notification requirements has been focused on their impact on APP entities.
However, the Data Breach Requirements also may apply to a broader range of entities, including Tax File Number (TFN) Recipients' handling TFN information. A TFN Recipient is any person who is in possession or control of a record that contains TFN information which is information that connects a TFN with the identity of a particular individual.
While an APP Entity can also be a TFN Recipient, the specific inclusion of TFN information into the Data Breach Requirements means that entities such as State and Local Government entities that hold TFN information could also be subject to the Data Breach Requirements - to the extent that TFN information is involved in any data breach.
State and Local Governments as TFN Recipients
State and Local Government entities are likely to hold TFN information for employee payroll related purposes and on that basis they are likely to possess or control TFN information.
Assessing whether a particular State or Local Government entity is a TFN Recipient under the Privacy Act involves an examination as to whether the particular entity is a "person" under the Privacy Act that possess or controls TFN information.
The term "person" is not defined under the Privacy Act but it is defined in section 2C of the Acts Interpretation Act 1901 (Cth) to include "a body politic or corporate as well as an individual". State Government Departments are "bodies politic", and in some jurisdictions Local Governments, are established as bodies corporate. This means that Departments of State and Local Governments that are a "person" under the Privacy Act may, to the extent that they possess or control TFN information, be subject to the Data Breach Requirements if the relevant data breach involves the disclosure of TFN information.
Determining whether other State or Local Government entities that possess or control TFN information are subject to the Data Breach Requirements in relation to TFN information will require a case by case assessment, having regard to the manner in which these entities are established and whether they hold TFN information.
Getting ready for the changes
Given the potential for the Data Breach Requirements to apply, albeit on a narrower basis, State and Local Governments should now consider their potential exposure and put in place processes and procedures that will apply in the event that a relevant data breach then triggers the Mandatory Data Breach Notification Requirements.
This should include developing a plan for when there is a suspected or actual eligible data breach by setting out the decision-making processes and procedures that will be followed. The plan and the decision-making processes should consider when information will need to be disclosed to the Office of the Australian Information Commissioner and to the individuals who are potentially affected by the data breach.
Regulatory consistency
The potential application of the Mandatory Data Breach Requirements to State and Local Government entities highlights the inconsistencies and the challenges our current privacy framework raises across the various Australian jurisdictions.
State and Local Government entities need to be aware of and to plan for the potential application of the new mandatory data breach notification obligations under the Privacy Act.