Privacy Bill 2024: Unpacking the Eligible Data Breach Declaration

The Privacy Bill 2024 proposes a new mechanism to enable controlled and targeted data sharing in response to major data leaks. The aim is to reduce the risk of harm to individuals whose personal information has been compromised. 

This legislative proposal is a direct response to the lessons learned from the Optus data breach, which left financial institutions uncertain about which customers were vulnerable to identity theft and fraud, thereby requiring enhanced account monitoring.

Under current privacy laws, organisations face restrictions on sharing personal information with external parties. While these rules are designed to protect privacy rights, they can hinder efforts to safeguard customers from the wider impacts of a data breach.

Conditions for Issuing an Eligible Data Breach Declaration

The new law would allow the Minister to issue an eligible data breach declaration if necessary or appropriate to prevent or reduce the risk of harm to individuals affected by a serious data breach.

An eligible data breach declaration would lay out the specific conditions on why, how, for how long, and by whom certain kinds of personal information can be accessed, used, or shared to prevent or reduce the risk of harm to individuals impacted by a data breach. The declaration may allow specific entities to handle personal information to prevent or respond to cybersecurity incidents, fraud, scams, or identity theft outside the normal parameters of the Privacy Principles. It could also address the fallout from these incidents, including financial loss, emotional or psychological harm, family violence, physical harm, or intimidation, or be used to counter malicious cyber activity.

When the declaration is in effect, specified entities may share prescribed information to detect and mitigate the risks of malicious activities, including identity theft and scams. The purpose is to enable swift, coordinated responses across industry sectors and government agencies.

Use of Personal Information and Legal Protections

Organisations relying on the declaration to protect their customers from harm must strictly adhere to the terms of the declaration. Any unauthorised use or disclosure beyond these purposes remains illegal and is subject to penalties. Entities may only collect, use, or disclose personal information if they reasonably believe that an individual is at risk due to the eligible data breach, ensuring that actions are based on sound judgment and evidence of risk.

All information covered by the declaration would need to be kept separate from other data.

Criminal Liability

To further prevent unauthorised secondary disclosures, the Privacy Bill 2024 proposes that sharing information obtained under the declaration with other parties would be a criminal offence, punishable by 60 penalty units or one year of imprisonment.

The declaration is designed as a temporary emergency tool and would end at the earliest of the time specified in the declaration, its repeal, or 12 months after it begins. This time limit ensures that the declaration applies only as long as necessary to manage the immediate risks arising from the eligible data breach.

Security and destruction obligations apply to entities holding personal information under the declaration, including those entities not typically covered by the Privacy Act 1988.

Commentary

Protecting consumers from the consequences of a data breach requires a coordinated response amongst various stakeholders, including financial institutions, government and credit reporting agencies, and mobile service providers.

The proposal in the Privacy Bill adds much needed flexibility to Australia’s privacy framework, allowing for faster responses to significant data breaches with a focus on harm reduction and prevention. It introduces a legislative measure akin to an emergency declaration, which is a positive step forward.

The approach is broad and not industry-specific, making it a versatile response tool for significant data breaches.

However, the mechanism would pose compliance challenges for organisations relying on an eligible data breach declaration. Data segregation, deletion capabilities, and strong security controls will be crucial to avoiding criminal liability, which could include imprisonment if the data is not properly secured.

This structure will bring compliance challenges for organisations that rely on the declaration to better protect their customers. There are risks of mishandling declaration information if it is not properly secured, destroyed, or limited to its intended purpose.

Organisations with less mature data governance structures and control mechanisms will face greater risks of non-compliance. In contrast, organisations with strong data governance and established controls will be better positioned to manage information under the eligible data breach declaration to protect their customers more effectively.

Privacy Academy