WA privacy and responsible information sharing laws: Notifiable information breaches scheme

David Benson, Sam Fiddian and James Constantine
05 Dec 2024
6 minutes

Similar in many ways to the notifiable data breaches scheme under the Commonwealth privacy regime, IPP Entities will need to have appropriate policies and procedures in place to meet new notification obligations.

In this series of articles on WA’s new privacy and responsible information sharing (PRIS) laws, which have passed both houses and are awaiting assent, we have been exploring the main features of this new privacy and information sharing regime, including providing our first impressions and, most recently, undertaking an examination of the information privacy principles. In this latest article, we provide an overview of the notifiable information breaches scheme and the steps IPP Entities – which include WA Ministers and parliamentary secretaries, WA public entities and contracted service providers – will need to take in order to comply.

How does the notifiable information breaches scheme work?

The new notifiable information breaches scheme will require that notice of an “assessed notifiable information breach” be given to the Information Commissioner and affected individuals. The scheme will apply to assessed notifiable information breaches which occur after the commencement of the PRIS laws (expected early next year), irrespective of whether personal information affected was collected before, on or after the commencement of the PRIS laws.

Much like the Commonwealth notifiable data breaches scheme, the WA notifiable information breaches scheme is intended to improve an individual's privacy protections by providing them with prompt notice of a breach that affects them and, with it, the opportunity to take steps to protect their privacy.

When does a notifiable information breach occur?

A notifiable information breach will occur where:

  • there has been unauthorised access to, or unauthorised disclosure of, personal information and a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any of the affected individuals; or
  • personal information has been lost in circumstances in which unauthorised access to or unauthorised disclosure of the information is likely to occur and, if the access or disclosure were to occur, a reasonable person would conclude that it would be likely to result in serious harm to any of the affected individuals.

The Information Commissioner will also be able to make declarations that particular circumstances will enliven the obligation to notify in the event of unauthorised access or disclosure.

When will serious harm be “likely”?

Whether an information breach is likely to result in serious harm requires an objective assessment determined from the viewpoint of a reasonable person in the IPP Entity’s position. “Serious harm” is not defined in the legislation, but is commonly considered to extend both to financial and other harms such as psychological, emotional, physical or reputational harm.

In considering whether or not such “serious harm” is “likely”, an IPP Entity will need to have regard to a non-exhaustive list of identified matters including:

  • the nature and sensitivity of the personal information;
  • whether the personal information is or was protected by security measures. That is, if the personal information that was lost or accessed was encrypted, whether that encryption would prevent unauthorised access to the personal information or render such access unlikely;
  • the persons, or kinds of persons, who have obtained or could obtain the personal information, and the likelihood that they would intend to cause harm or circumvent any security measures applied to the personal information; and
  • the nature of the harm that has resulted or could result from the access, disclosure or loss.

It can be expected that, in time, the Information Commissioner will issue guidance on the application of each factor and the assessment process as a whole. In the meantime, given the similarity of this list with the factors which require consideration under the Commonwealth notifiable data breaches scheme, it would be prudent to have regard to guidance issued by the Office of the Australian Information Commissioner.

Assessing, containing and mitigating an information breach

Where an IPP Entity reasonably suspects that a notifiable information breach has occurred in relation to the personal information it holds, it must:

  • immediately take all reasonable steps to contain the suspected notifiable information breach;
  • as soon as reasonably practicable, but in any case within 30 days after the day on which the reasonable suspicion was formed, conduct an assessment to determine whether an information breach has occurred and prepare a written report on the assessment; and
  • take all reasonable steps to mitigate any harm caused by the suspected notifiable information breach.

If the assessment determines that a notifiable information breach has occurred, or that there are reasonable grounds to believe that such a breach has occurred, then the notifiable information breach is deemed to be an “assessed notifiable information breach”.

Notifying the Information Commissioner and affected individuals

The Information Commissioner and affected individuals must be notified as soon as practicable of an “assessed notifiable information breach”.

The notification to the Information Commissioner must be in the approved form and include certain prescribed details of the breach including a description of the breach, how and when it occurred, how many individuals are impacted, the kind of personal information involved, the steps that have been taken or will be taken to mitigate the harm caused, and an estimate of the costs to the IPP Entity of the breach.

A notable difference between the proposed PRIS laws and the Commonwealth Privacy Act is the absence of certain exemptions available under the Federal scheme. For example, under section 26WF of the Commonwealth Privacy Act, a notifiable data breach does not need to be reported to the regulator where remedial action has been taken which has the result of avoiding the anticipated or potential serious harm. No such exemption exists under the proposed PRIS laws, although if effective remedial action is taken during the assessment period this may mean that the breach never reaches the threshold of an assessed notifiable information breach.

There are some limited and temporary exceptions to what must be disclosed to the Information Commissioner and/or affected individuals: where the information breach occurs in relation to a law enforcement agency, where compliance with the scheme would be inconsistent with secrecy provisions, where compliance may cause a threat to life, health, safety or welfare, or where compliance may have an adverse effect on the information security of the information affected by the breach. Reliance on these exemptions must be carefully considered, as in many cases notification of that reliance is required to be given to the Information Commissioner, who can be expected to scrutinise it.

Jointly held personal information

As is the case for the notifiable data breaches scheme under the Commonwealth Privacy Act, there are specific provisions in the proposed PRIS laws dealing with the situation where the notifiable information breach involves personal information held jointly by more than one IPP Entity. The PRIS laws approach this situation differently from the Federal scheme. Notwithstanding that the personal information is jointly held, each IPP Entity will need to conduct its own assessment, mitigation and containment exercise, and notify the Information Commissioner of the breach (if that is the outcome of the assessment). However, the IPP Entities can amongst themselves nominate which one of them will provide the requisite notice to the affected individuals.

While this approach will achieve the aim of avoiding individuals receiving multiple notices relating to the same breach, it gives rise to the possibility of inconsistent assessment outcomes by the individual IPP Entities and disagreements as to the appropriate path for notification of individuals. While not mandated by the PRIS laws, IPP Entities which jointly hold personal information may wish to consider putting in place a joint policy or agreement between them as to how they will handle the assessment and notification of notifiable information breaches which impact them both.

Preparation is key

Each WA public entity is required to have an information breach policy setting out the procedures to be followed in complying with its obligations to assess, contain and mitigate any information breaches and to notify the Information Commissioner and affected individuals. This policy must be publicly available.

WA public entities are also required to establish and maintain a register of actual or suspected notifiable information breaches which includes details of the breach such as whether notification was deemed necessary, the steps taken to mitigate the risk at the time, and the steps taken to prevent future breaches of the same kind. While this register does not need to be published or made publicly available, any WA public entity which is required by law to issue an annual report will need to include details in that report of any assessed notifiable information breaches in respect of which notifications were given to affected individuals. Such registers would also be susceptible to freedom of information requests.

While IPP Entities other than WA public entities are not required to have an information breach policy or the associated register under the proposed PRIS laws, it can be expected that such a requirement will become a feature of contracts between private entities and the WA public sector. Having such policies and procedures has also long been a matter of best practice. For those entities that have a data breach response plan which promotes compliance with the Federal notifiable data breaches scheme, it will be time to review and update those policies to enable compliance with the notifiable information breaches scheme, or to have in place a separate plan for the response to a breach which impacts personal information to which the PRIS laws apply.

While preparing the information breach policy and associated registers is a necessary first step, the policy must be adequately operationalised. This requires staff training and simulation exercises so that each individual understands their role in responding to a notifiable information breach.

Ready yourself

The task facing IPP Entities, particularly WA public entities, in readying themselves for the new PRIS laws is a considerable one. By the time the PRIS laws come into effect, each IPP Entity should have in place a policy outlining its response to an information breach, and its key personnel should be trained and experienced in its operation.

As experienced privacy practitioners, we are here to assist. Look out for our further articles in coming weeks on the opportunities presented by the responsible information sharing system and how the PRIS laws impact contracted service providers. Those articles will include discussion of how the notifiable information breaches scheme applies to them.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.