Notifiable Data Breach Scheme
The long-awaited Notifiable Data Breach Scheme (the NDB Scheme) came into effect on 22 February 2018, following changes to the Privacy Act 1988 (Cth) (the Act).
The Scheme applies to health service providers
The Scheme applies to all government agencies and organisations with personal information security obligations under the Act. This includes all Australian government agency health service providers and all private sector health service providers, whether the services provided relate to physical or psychological health, including providers of aged care, palliative care and disability care (s 6FB(3) of the Act).
The health care sector is a prime target for cyber attacks because of the highly valuable personal information held by those entities.
What information is covered by the Scheme?
The NDB Scheme applies to "personal information", which is any information about an identified individual (or an individual who is reasonably identifiable), regardless of whether the information is true or not. The information does not have to be recorded in material form (s 6).
An eligible data breach happens if:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity, and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
An eligible data breach can be the result of any incident ranging from an accidental loss of a physical file to a sophisticated cyber attack on a network holding personal information.
The grey area is what is meant by "serious harm". Section 26WG of the Act sets out a number of relevant matters to be considered in assessing whether there is serious harm, but does not define the term.
The best guide to the meaning of that term is from the words found in the Explanatory Memorandum to the NDB legislation, which says serious harm "could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity's position would identify as a possible outcome of the data breach..."
If uncertain as to whether there has been an "eligible data breach", organisations have up to 30 days to undertake a reasonable and expeditious assessment to determine whether such a breach has occurred.
What to do following a breach
In the event of an eligible data breach, the organisation must report the details of the breach to those individuals affected and to the Office of the Australian Information Commissioner (OAIC).
Sparke Helmore's Cyber Insurance team has written extensively about mandatory notification of cyber breaches. You can read more about it on our website.
The Commissioner said: "Notification provides individuals with the opportunity to reduce their chance of experiencing serious harm through protective action, and it reinforces organisations' accountability for the security of the personal information entrusted to them". Notification is therefore important because the risk of serious harm arising from a breach might be reduced by something as simple as affected users changing their passwords on accounts.
Can it happen to you?
The OAIC has published its first quarterly report detailing the notifiable breaches reported to the OAIC between 22 February 2018 and 21 March 2018. In that period of a little more than five weeks, there were 63 eligible data breaches reported. Of the 63 reported breaches, almost one-quarter (15 breaches) involved health service providers.
Given state-based health agencies are not covered by the Privacy Act, there is a significant potential for health service providers to experience an eligible data breach in their organisations.
What can you do?
Training of staff is paramount. While malicious and criminal attacks are a known problem, one-half of the 63 eligible data breaches reported to the OAIC were caused by human error.
There are a number of ways organisations can build a defence against human error as well as external threats, so as to reduce the likelihood of eligible data breaches occurring. A starting point is the Essential Eight strategy published by the Australian Signals Directorate. Organisations should also ensure their cyber security platform is effective and that staff understand the significance and impacts of the NDB legislation.
The OAIC strongly encourages all entities to have an effective data breach response plan, so that if a breach occurs, the organisation is best placed to respond to it.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.