There’s a Bill lurking in the halls of federal parliament that should be amended before it is voted on again. The proposed data breach notification law – where you are told if someone secretly taps into your bank account, for example – contains major flaws which could be easily fixed, Prof Graham Greenleaf says.
Australia’s data breach notification Bill lacks transparency
Graham Greenleaf, Prof of Law & Information Systems, University of New South Wales
There are major flaws in Australia’s proposed data breach notification legislation (Privacy Amendment (Privacy Alerts) Bill 2013) because it does not make data breaches transparent enough, but they are flaws which can be remedied by simple amendments.
The gist of problem is that the Bill does not require that the Privacy Commissioner (technically, the OAIC, the Office of the Australian Information Commissioner) must publish on its website all of the Notices it receives about serious data breaches (SDBs), and retain them there for future reference. Unless such aggregation and publication occurs, most notifications of SDBs will never come to public attention because the company or agency concerned will be exempt from publishing a Notice of them either on its own website or in a newspaper. Even if the Notice is required to published on a organisation’s website, or a newspaper, it will soon be removed from the website, and newspaper notifications are easily missed at the time they occur.
In short, Notices of SDBs will therefore not be findable permanently after the event, nor findable in the one location. It is important that all notifications, over time, be able to be browsed and searched, so that interested parties including both the media and civil society organisations (and not only the OAIC) can identify any recurrent aspects of breach notification. Transparency in data breach notifications is also desirable because it is likely to have a deterrent effect on agencies and companies, inducing them to improve their security.
More precisely, the problem and the solution are as follows:
(i) If an entity (company or agency) believes that a ‘serious data breach’ (SDB) has occurred, it must notify the Privacy Commissioner, describing the breach, steps taken etc (s26ZB(1)(e) and (f)). However, although the Commissioner always gets these Notices, he is not required to publish them on his website and leave them there. Therefore, the Press, NGOs etc, have no way of knowing about a breach, either at the time it occurs, or over time to see which companies/agencies have repeated data breaches.
(ii) If the ‘general publication conditions’ (GPC) are satisfied, then the Notice also goes on the website of the company/agency and in a newspaper (s26ZB(1)(h)). BUT there is as yet no definition of ‘general publication conditions’ – to be defined in Regulations (so this might be quite rare). These Notices, whenever they are required, will not have to stay on the website, and journalists, NGOs etc will not be able to track them over time.
(iii) If the ‘general publication conditions’ are not satisfied, then there is no public notice at all, but each affected individual has to be notified (s26ZB(1)(g)).
So it seems that serious data breaches will often not come to public notice at all (unless an individual contacts a journalist), and will not be able to be tracked over time, unless the Privacy Commissioner is (a) required by the Bill to put all notices received on his website and leave them there; or (b) he does so voluntarily. Unless the Bill requires him to do so companies and agencies are likely to claim that the notices are confidential communications of some type, in order to defeat him voluntarily publishing them.
The cost implications of compliance with this policy are negligible for organisations, because they would already be required to provide a copy of the notifications to be published to the Commissioner, and the cost of web republication by the Commissioner would be negligible.
(iv) The Privacy Commissioner can also grant exemptions from s26ZB (including all of its notice requirements) on applications from companies / agencies, despite a SDB having occurred. Where this happens, the Commissioner does not have to provide any public notice that he has granted such an exemption. It is all totally secret.
(v) While an application for exemption is being heard, the company/entity does not have to give any notice to anyone, and if its application fails no one is told it has even made an unsuccessful application, which delays the public obtaining vital information (s26ZB(9)).
The problem in (iv) and (v) could be partially fixed by the Privacy Commissioner being required to give notice of such applications for exemption, and the results of them, unless it is against the public interest for any such notice to be given (consistent with the existing wording of the provisions).
The result is that, as a result of this Bill, the Australian public will have a belief that if SDBs occur, they will come to public attention, and to the attention of the individuals concerned, but they will be misled, because (i)-(v) above means that there is a whole raft of techniques by which SDBs can still be kept from public view.
To summarise, these problems can be largely remedied by:
(a) the Commissioner publishing all notices received, on his website, permanently.
(b) the Commissioner publishing the fact of exemption applications, and the results.
Many other deficiencies of the Bill are identified by the Australian Privacy Foundation in its submission on the Bill (see <http://www.privacy.org.au/Papers/Sen-DBN-130620.pdf>). Civil Liberties Australia says of the Bill ‘Notwithstanding our concerns, we believe this Bill represents a worthwhile first step and should be supported.’ That is a fair conclusion, but it would be a much more supportable Bill with a few simple amendments.