Why proposed changes to NZ Privacy legislation have implications for Australian businesses

Time flies: over three years of Notifiable Data Breaches

On 22 February 2020, the OAIC marked the third-year anniversary of the enactment of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), which introduced Part IIIC to the Privacy Act 1988 (Cth) (Privacy Act).

Under Part IIIC, any organisation or agency the Privacy Act 1988 covers, must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved.

Further the OIAC website states that:

“A data breach occurs when personal information an organisation or agency holds is lost or subjected to unauthorised access or disclosure. For example, when:

• a device with a customer’s personal information is lost or stolen
• a database with personal information is hacked
• personal information is mistakenly given to the wrong person…”.

Whilst the OIAC’s statement may be well understood, a Bill currently with the New Zealand parliament to introduce a similar breach notification scheme, sheds further light on what may constitute a breach beyond what is currently being considered.

What’s notifiable? NZ explicitly takes a broader view

In the proposed New Zealand legislation, a breach not only includes Personally Identifiable Information (PII) disclosure, but also loss of access to the PII. The latter is not explicitly made in the Australian Act.

Under the New Zealand Bill Section 117(1), a “privacy breach” means:

• Any unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or
• An action that prevents the agency from accessing the information on either a temporary or permanent basis.

Is loss of access considered in Australian privacy law?

In contrast, the Australian Privacy Act, under Part II, makes no definitive definition. Instead the definition of a breach is made through a contrary statement, that is that it is a breach only if a set of conditions do NOT apply, leaving the definition of “breach” to be potentially wide, and consideration for loss of access to PII to be missed.

Part II states that a “breach”:

“a) in relation to an Australian Privacy Principle, has the meaning given by section 6A; and

1. b) in relation to a registered APP code, has the meaning given by section 6B; and
2. c) in relation to the registered CR code, has the meaning given by section 6BA.”.

When examining the respective codes, the reader finds the following:

“(1) For the purposes of this Act, an act or practice breaches an Australian Privacy Principle if, and only if, it is contrary to, or inconsistent with, that principle.

No breach–contracted service provider

(2) An act or practice does not breach an Australian Privacy Principle if:

(a) the act is done, or the practice is engaged in:

(i) by an organisation that is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and

(ii) for the purposes of meeting (directly or indirectly) an obligation under the contract; and

(b) the act or practice is authorised by a provision of the contract that is inconsistent with the principle.”

and so on.

Adding to the lack of potential consideration for the loss of access to PII in the definition of a breach, the notifiable data breaches statistics published periodically by the OAIC provide details as to the nature of breaches, none of which typically include loss of access to PII.