Notifiable Data Breaches Scheme

Notifiable Data Breaches Scheme

A consolidated guide about the Data breach preparation and response —

The OAIC has released a guide titled Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) (Privacy Act). Find this guide here.

This guide consolidates the information provided in the Data breach notification — A guide to handling personal information security breaches released in 2014, the Guide to developing a data breach response plan released in 2016, and the resources published to assist entities in complying with the Notifiable Data Breaches (NDB) scheme.

In addition to outlining the key requirements relating to data breaches in the Privacy Act, including personal information security requirements and the obligations of the Notifiable Data Breaches scheme, the guide covers other key considerations in developing a robust data breach response strategy. This includes key steps to take when a breach occurs, the capabilities of staff, and governance processes.

Privacy Impact Assessment eLearning Course —

We have listed below new resources including an online course, which takes approximately 1 hour, and a list of FAQ’s, to be referred to in conjunction with all previous content.

This eLearning program complements the OAIC’s Guide to undertaking privacy impact assessments, and aims to give you information on conducting a PIA in an easy-to-understand format so that you can have the confidence to do a PIA in your organisation or agency.

What is the Notifiable Data Breaches Scheme?

The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.

The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches.

Agencies and organisations must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm, and as a result, require notification.

When does the notification obligation arise?

The amended Privacy Act will require APP Entities to provide notice as soon as practicable to the OAIC and affected individuals where there are reasonable grounds to believe that an “eligible data breach” has occurred (unless an exception applies). Relevantly:

  • data breach will arise where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure (for example, leaving the information on the bus);
  • an eligible data breach will arise where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure;
  • serious harm, while undefined, is likely to include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation; and
  • serious harm will be likely if such harm is “more probable than not” having regard to a list of relevant matters to be included in Part IIIC. The matters include the sensitivity of the information, any security measures taken (such as encryption) and how easily those security measures could be overcome (for example, if the encryption key has also been accessed).

How to Notify:

This notification obligation will involve at least a two-step process. First, the APP Entity must prepare a statement containing certain prescribed information about the data breach and provide it to the OAIC (ABTechnologies will prepare this on your behalf). The APP Entity (Your Company) must then take steps to notify the affected individuals (staff, customers, etc.). The actual steps required will depend on the circumstances, but will usually include sending the statement to the individual via the usual means of communication between the APP Entity and individual.

The notification to affected individuals and the OAIC must include the following information:

  • The identity and contact details of the organisation.
  • A description of the data breach
  • The kinds of information concerned and;
  • Recommendations about the steps individuals should take in response to the data breach.

If an APP Entity only has reasonable grounds to suspect that an eligible data breach has occurred, the notification obligation will not arise, However, the APP Entity will be required by the new legislation to complete a “reasonable and expeditious” assessment into the relevant circumstances within 30 days. Importantly, shutting one’s eyes will not allow APP Entities to avoid the requirements of the Privacy Act.
For full guide on notifying individuals about an eligible data breach: Who to notify and how to notify them in the instance of a data breach.

Exceptions to the data breach notification requirement

Various exemptions to the notification requirement will be included in the amended legislation.
Perhaps the most interesting exception is that a notification will not need to be given if the APP Entity takes remedial action before any serious harm is caused by the breach.
This exemption demonstrates the value of early detection and action. Importantly, the ability of a company to detect a data breach at the first available opportunity and take action in respect of it will be a function of the organisation’s preparedness for such an occurrence.
In order to be properly prepared, it is likely that a prudent organisation will have in place detailed policies and procedures which outline the steps that are to be taken in response to a serious data breach, regardless of whether that breach has occurred as a result of inadvertence on the part of the organisation and its employees (eg. as a result of personal information being lost) or following a co-ordinated attack by hackers.

Penalties:

A failure to comply with the notification obligations will fall under the Privacy Act’s existing enforcement and civil penalty framework. Accordingly, APP Entities may be subject to anything from investigations to, in the case of serious or repeated non-compliance, substantial civil penalties.

What should you do?

  • Sign up to the OAIC newsletter. This will ensure you are updated with the most recent information and resources.
  • Audit your current information security processes and procedures to ensure they are adequate (prevention will soon be much more palatable than the cure); and
  • Prepare a data breach response plan (or update your current plan) to enable the APP Entity to respond quickly, efficiently and lawfully to an actual or suspected data breach.

The OAIC currently operates a voluntary data breach notification scheme and has published various resources to assist APP Entities with their handling of data breaches. Much of that guidance will assist APP Entities in ensuring that they comply with the mandatory data breach notification scheme and it is expected that the OAIC will release new or updated guidance over the coming months.

However, further steps are likely to be necessary in order to ensure that your organisation understands the impact of the scheme and to make the necessary preparations for its introduction.

As the Australian Government releases more information, we will be sure to keep you updated. Please follow our social media pages & contact us if you have any further queries.

Share this post