The Notifiable Data Breaches Scheme: What You Need to Know

From 23 February 2018, amendments to the Privacy Act 1988 (Cth) (“Privacy Act”) will come into effect. These amendments create a new Notifiable Data Breaches scheme (“NDB scheme”) for many businesses and organisations in Australia, overseen by the Office of the Australian Information Commissioner (“OAIC”).

This article provides an overview of the new obligations on businesses and organisations under the NDB scheme. It provides general information only and is not intended as legal advice.

Who does the NDB scheme apply to?

The NDB scheme applies to an “APP Entity”, which is defined as an agency or organisation.[1]

An “organisation” includes:[2]

  • An individual person (including a sole trader);
  • A body corporate;
  • A partnership;
  • Any other unincorporated association; or
  • A trust.

However, there are exceptions:

  • Small business operators (defined as having annual turnover of three million dollars or less in a financial year), unless they provide certain health services, provide information about individuals for profit, or are contracted by the Australian government;
  • Registered political parties; or
  • State or Territory authorities

Which data breaches have to be notified?

A notification obligation arises when an APP Entity is aware of reasonable grounds to believe that there has been an “eligible data breach”.[3]

This is where:

  1. There is a data breach.

This includes unauthorised access to or an unauthorised disclosure of personal information, or a loss of personal information, that an APP Entity holds.[4]

Data breaches can arise in many different ways. For example, it will be a data breach where:

  • file servers are accessed by unauthorised parties over the internet (such as by hacking);
  • an employee of the entity leaves a folder with personal information on public transport;
  • an email with personal information is sent to the wrong person outside the entity; or
  • a filing cabinet containing personal files is sold to third parties.

  2. The data breach is likely to cause “serious harm” to one or more individuals.

This assessment is an objective assessment, based on the perspective of a reasonable person in the position of the APP entity.[5]

The APP entity must consider the following factors (which are not an exhaustive list):[6]

  • The kind of information;
  • The sensitivity of the information;
  • Whether the information is protected by security measures, and if so the likelihood that any of those security measures could be overcome;
  • The people or kind of people who have obtained (or could obtain) the information;
  • Where measures were taken to make the information meaningless to unauthorised third parties (e.g. encryption) – whether it is likely that the people who have obtained (or could obtain) the information will be able to counter these measures; and
  • The nature of the harm or potential harm.

Exception – the APP entity takes remedial action before any “serious harm” occurs

This exception is designed to provide entities with an incentive to take positive steps to address a data breach in a timely manner.

The assessment of whether such action is sufficient is again an objective one, based on whether a reasonable person would consider that the acts would prevent serious harm.[7]

What if a data breach is only suspected?

If an entity merely suspects an eligible data breach has occurred, it must conduct an assessment within 30 calendar days to determine whether there are reasonable grounds to believe an eligible data breach has occurred. If so, the APP entity must then follow the notification procedure.[8]

What is the notification procedure?

As soon as practicable after there are reasonable grounds to believe an eligible data breach has occurred, an APP entity must prepare a statement containing prescribed information about the data breach and provide it to the OAIC.[9]

The entity must also notify the individuals at risk of harm. Depending on the circumstances, the APP entity may either:[10]

  • Notify all individuals whose personal information was part of the eligible data breach; or
  • Notify only individuals at risk of serious harm from the eligible data breach; or
  • If the above isn’t practicable, then publish a copy of the statement on the entity’s website (if it has one) and take reasonable steps to publicise the contents of the statement.

How is the NDB Scheme enforced?

Enforcement of the NDB scheme falls under the Privacy Act’s existing framework. The Information Commissioner has the power to investigate non-compliance, issue binding determinations, seek injunctions, and (in the event of serious or repeated non-compliance) apply to the Federal Court or Federal Circuit Court to impose a civil penalty on an APP entity.[11]

Conclusion

Under the NDB framework, many businesses and organisations in Australia will have new proactive obligations in the event of a data breach. It is recommended that affected entities audit their current information security processes and procedures to ensure they are adequate, and prepare a data breach response plan to ensure compliance.

If you have any concerns about your privacy obligations, JHK Legal would be pleased to assist. You may contact our office on 07 3859 4500.

[1] s 6 Privacy Act.

[2] s 6C Privacy Act.

[3] ss 26WK & 26WL Privacy Act.

[4] s 26WE(2) Privacy Act.

[5] Ibid.

[6] s 21WG Privacy Act. Further guidance on assessing the likelihood of “serious harm” can be found on the OAIC website at https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/identifying-eligible-data-breaches.

[7] s 26WF Privacy Act. Examples of satisfactory remedial action can be found on the OAIC website at https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/identifying-eligible-data-breaches.

[8] s 26WH Privacy Act.

[9] s 26WK Privacy Act.

[10] s 26WL Privacy Act.

[11] ss 13G, 33E, 33F, 36, 55A, 62, 80W, 98 Privacy Act.

Matthew Paul – Lawyer

Short Term Financing: A ‘timely’ reminder to include within letters of offer time requirements for the acceptance of the terms of loan agreements

Interim Finance Pty Ltd v Bright Beginnings Learning Centre Glendenning Pty Ltd [2018] NSWSC 36

On Friday 2 February 2018, the New South Wales Supreme Court released its decision on the interpretation of the terms of a letter of offer for short term financial accommodation, specifying when fees for preparing loan documentation become payable by the borrower to the lender, in circumstances where the loan did not proceed.

Background

Interim Finance Pty Ltd (“Interim Finance”) provides short term finance accommodation to customers. Bright Beginnings Learning Centre Glendenning Pty Ltd (“Bright Beginnings”) is a childcare provider who was in need of short term finance.

Interim Finance sent Bright Beginnings a letter of offer dated 22 June 2016 (“letter of offer”) for an apparent urgent loan for $450,000, which was duly executed by Bright Beginnings in order for Interim Finance to then go to the expense of drawing up the loan agreement (“loan agreement”).

Letter of Offer

The letter of offer contained Parts A to I. Part I, pertaining to the terms and conditions of the acceptance of the offer, was the subject of dispute. Part I set out Interim Finance’s liberty to withdraw from the loan at any point if, among other things, Interim Finance became aware of certain circumstances which changed its decision to provide the loan amount without providing reasons for such a withdrawal. Part I also set out Bright Beginnings’ financial obligations in the event the letter of offer was signed and Interim Finance prepared loan documents, but the loan failed to succeed due to one of the following occurrences (“occurrences”):

  1. Bright Beginnings did not elect to continue with the loan;
  2. Bright Beginnings was unable to satisfy Interim Finance’s requirements for whatever reason; or
  3. Interim Finance discovered or was made aware of any item or issue which changed its mind about providing the loan amount.

If any of the above occurred, then Bright Beginnings would be liable for the following fees:

  • Loan application fee as in the letter of offer;
  • Legal costs and disbursements for preparation of loan documents; and
  • Administration fee of $1,650.00 incl GST.

(“fees”).

Part I stipulated fees became due and payable within 5 days of Interim Finance producing an invoice. If payment wasn’t made, then the Part included a charging clause allowing Interim Finance to take an equitable interest over the security property held by Bright Beginnings, being a property in Guildford (“the property”), by registering a caveat. The Part also provided for fees associated with preparation of such a caveat to be charged to Bright Beginnings.

Loan Agreement

The loan agreement was subsequently drawn up and sent to Bright Beginnings on 28 June 2016. A series of communications pertinent to the dispute then followed:

  • A representation was made to Interim Finance that Bright Beginnings’ solicitor had been engaged to review the loan agreement to make amendments. Bright Beginnings says several steps were taken from 4 July 2016 to progress the loan.
  • Interim Finance alleges receiving a telephone call on 5 July 2016 from a broker seeking a larger amount than the offer made to Bright Beginnings. During the same telephone call Interim Finance became concerned Bright Beginnings was ‘shopping around’ for finance despite the fees having been incurred to draw up the loan agreement.
  • During a telephone call on 8 July 2016 between Bright Beginnings and Interim Finance, Interim Finance raised their concerns Bright Beginnings was ‘shopping around.’ Bright Beginnings alleges its solicitor was merely waiting on amendments to the loan agreement from Interim Finance’s solicitor. Bright Beginnings also asked if Interim Finance was willing to substitute securities in the loan documents for another property, which Interim Finance rejected.
  • On the same day Interim Finance sent Bright Beginnings an email detailing their attempted contact with Bright Beginnings for the signed loan agreement, to which they received no response, therefore assuming Bright Beginnings did not wish to proceed with the loan and reinforcing Bright Beginnings’ liability for fees incurred in the amount of $8,100 incl GST, with an invoice attached. The invoice demanded payment no later than 15 July 2016. Instructions were also given on 8 July 2016 to lodge a caveat over the property.
  • On 8 July 2016 Bright Beginnings’ solicitor requested the loan documents for signing, which was subsequently rejected by Interim Finance via email shortly thereafter on the same day.
  • On 8 July 2016 Bright Beginnings’ solicitor again requested a copy of the loan documentation to sign as Bright Beginnings had misplaced the original.
  • On 12 July 2016 Bright Beginnings in a telephone conversation with Interim Finance requested to proceed with the loan and noted Interim Finance’s rejection on the basis Interim Finance was uncomfortable proceeding due to inconsistencies in communication.
  • A lapsing notice on the caveat over the property was filed by Bright Beginnings on 9 September 2016.

Parties’ positions and relief sought

Interim Finance maintained the failure of Bright Beginnings to return the signed Loan Agreement was an election not to proceed with the Loan Agreement, or alternatively, Bright Beginnings’ inconsistent communication made Interim Finance change its mind about continuing with the loan. Therefore Bright Beginnings was liable for the fees pursuant to the letter of offer. Interim Finance sought orders stating the property was properly charged to secure payment by way of a caveat for the fees incurred pursuant to s100 of the Civil Procedure Act 2005 (NSW) and for the property to be sold if the fees were not paid within 28 days.

Bright Beginnings maintained it was not liable for the fees as it never elected to discontinue the loan and in fact attempted to complete the loan. It alleged, rather, Interim Finance repudiated the Loan Agreement and therefore Bright Beginnings was not liable for the fees. Bright Beginnings sought a declaration stating the 8 July 2016 email was a repudiation of the loan agreement by Interim Finance and sought a declaration Interim Finance did not have a caveatable interest over the property.

Judgment

Was Bright Beginnings liable for fees? No.

Her Honour Ward CJ did not hold Bright Beginnings liable for fees, as none of the occurrences had transpired pursuant to the terms of the letter of offer. Her Honour’s reasons were as follows:

  1. Her Honour was not persuaded Bright Beginnings had elected to discontinue the loan [at 65]. She noted that attempts to negotiate amendments to a loan agreement by way of proposing alternate security do not amount to an election to discontinue [at 86].
  2. Nor was Her Honour persuaded Bright Beginnings did not comply with Interim’s requirements, i.e. for the documents to be returned by a specific time, as there was no time specified.
  3. As to whether Interim Finance discovered or was made otherwise aware of an item or issue changing its decision to provide the loan, Her Honour determined it wasn’t made aware of anything which would have changed its decision. Her Honour determined the communications made prior to Interim Finance’s email dated 8 July 2016 were not the basis on which the invoice for fees was predicated [at 88]. Rather, communications prior to the 8 July 2016 email were with the finance broker for a higher loan and with Bright Beginnings’ solicitor for alternate security. These did not amount to items or issues of which Interim Finance was made aware.

Timing to pay fees and the lodged caveat – Does not arise

Whilst the issues did not arise as it was found Bright Beginnings was not liable for the fees, Her Honour rejected Interim Finance’s argument it was entitled to immediately lodge a caveat over equitable interests held by debtors who were liable for fees in case the fees became due and owing. Rather, Her Honour determined the consent to lodge the caveat is not operative until the expiry of 5 days after the invoice for fees is produced [at 103] as stipulated by the letter of offer.

Was there repudiation by Interim Finance? Does not arise

The issue of repudiation did not arise because of Her Honour’s findings as to the liability for fees. However, Her Honour said she was not convinced the 8 July 2016 email was a repudiation by Interim Finance of the loan agreement, as the letter of offer stipulated Interim Finance’s liberty to withdraw from the loan at any time.

As a useful reference, Her Honour sets out how the issues rise and fall at paragraph 65 of her judgment.

Lessons Learned

Despite the amount of $8,100 being small and normally subject to the Local Court’s jurisdiction, the caveat on the property caused the matter to be heard in the Supreme Court. Accordingly, it was a costly exercise to litigate and the following lessons can be learned from this matter:

  1. Specify the time period for the return of loan documents, thereby protecting the fees expended in preparation of the loan documents;
  2. If any amendments are proposed by the borrower, specify the time period during which the borrower can propose amendments;
  3. Any correspondence as to a withdrawal from a loan in accordance with a letter of offer must be predicated by correspondence which gives rise to the withdrawal, in order to be eligible for the fees incurred. That is, if you withdraw due to other circumstances, you likely will not be eligible to charge the fees incurred in the preparation of loan documentation.
  4. Do not prematurely register a caveat over an equitable interest in a property until the charging clause becomes operative.

A copy of the entire judgment can be read here: https://www.caselaw.nsw.gov.au/decision/5a714dece4b074a7c6e1be91

If you would like to engage in further discussion with us about issues within this case, please contact us on (02) 8239 9600.

Shannon McCarthy – Lawyer
