Australia's new data breach disclosure laws have a rather floppy definition of 'breach'

After years of discussion a draft of Australia's proposed data breach disclosure laws has landed and, to The Register's mind, it leaves a lot of wriggle room for those who would keep breaches secret.

The draft Privacy Amendment (Notifiable Data Breaches) Bill 2016 (PDF) doesn't make it compulsory to report a breach.

“It would not be appropriate for minor breaches to be notified,” the memorandum says, “because of the administrative burden that may place on entities, the risk of ‘notification fatigue’ on the part of individuals, and the lack of utility where notification does not facilitate harm mitigation.”

Organisations will be required to assess themselves if they suspect something has gone awry. If something does go wrong, it will need to report to the Privacy Commissioner.

When considering if they've been breached, as outlined in the Bill's explanatory memorandum, organisations need to ask whether “.... a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure (assuming, in the case of loss of information, that the access or disclosure occurred).”

“It is expected that a likely risk of serious financial, economic or physical harm would be the most common likely forms of serious harm that may give rise to notification,” the memorandum continues at paragraph 10. The bill also aims to trigger a breach notification when “a reasonable person may conclude in some cases that a likely risk of serious psychological or emotional harm, serious harm to reputation or other serious harms arising from an unauthorised access, unauthorised disclosure or loss of personal information may exist.” The example offered is breaches of “... health information or other ‘sensitive information’ (in the sense of the definition of that term in existing subsection 6(1) of the Privacy Act or otherwise).”

But if an organisation feels a breach doesn't meet those criteria, they can decide not to disclose.

Section 26WG of the bill offers guidance on the “relevant matters” that suggest a breach has happened.

Here's that section:

For the purposes of this Division, in determining whether a reasonable person would conclude that an access to, or a disclosure of, information:

(a) would be likely; or

(b) would not be likely; to result in serious harm to any of the individuals to whom the information relates, have regard to the following:

(c) the kind or kinds of information;

(d) the sensitivity of the information;

(e) whether the information is protected by one or more security measures;

(f) if the information is protected by one or more security measures—the likelihood that any of those security measures could be overcome;

(g) the persons, or the kinds of persons, who have obtained, or who could obtain, the information;

(h) if a security technology or methodology:

(i) was used in relation to the information; and

(ii) was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information; the likelihood that the persons, or the kinds of persons, who:

(iii) have obtained, or who could obtain, the information and

(iv) have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates; have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology;

(i) the nature of the harm;

(j) any other relevant matters.

Note: If the security technology or methodology mentioned in paragraph (h) is encryption, an encryption key is an example of information required to circumvent the security technology or methodology

If an organisation goes through that decision tree and decides that yes, they have suffered a breach, they must then issue a statement explaining:

• The identity and contact details of the entity;
• A description of the serious data breach
• The kinds of information concerned, and;
• Recommendations about the steps that individuals should take in response to the serious data breach.

The Register understands that at this point the Privacy Act takes over and any actions found to have breached that law come into action.

The explanatory memorandum notes that the bill uses weaker definitions of “breach” than were offered during the consultation process, in part because stakeholders were worried about the impact of disclosing numerous minor breaches.

Testing the test

In assessing the bill, The Register has a scenario for readers to consider.

Imagine that you send your children to a school operated by an occasionally-controversial religious denomination against which violence has been practiced in a foreign conflict.

Now imagine that a cloud storage service is breached and photos of your kids in school uniform, complete with school crest proudly displayed, fall into the hands of parties unknown.

If you are unhappy for data thieves to know where your kids go to school and your religious affiliations, do the tests above satisfy you?

To your correspondent's mind, the cloud storage operator could quickly conclude that a reasonable person is not likely to assume serious harm could flow from the leak of a few family photos and therefore decide not to disclose. Yet you could be distraught at the prospect of your kids' place of education having been revealed given it is clear members of your religion are being targeted with violent action.

Hit the comments, dear readers, if we've hit the mark. Or if we, or the Bill, have missed. ®