Australia: New Notifiable Data Breaches (NDB) Scheme: Is Your Data Breach Response Plan Up To Date?

Australia's Notifiable Data Breaches (NDB) scheme comes into effect from 22 February 2018. This article explains what a Notifiable Data Breach is and when to notify the Australian Information Commissioner and individuals whose personal information has been subject to a data breach likely to result in serious harm. Importantly, organisations need to be prepared and ensure that breach response plans are up to date with an appropriate assessment process for suspected eligible data breaches to comply with the NDB scheme.

Notifiable Data Breaches Scheme – comes into effect 22 February 2018

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act) established the Notifiable Data Breaches scheme in Australia. It requires organisations to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm and the Australian Information Commissioner. The NDB scheme comes into effect from 22 February 2018.

The NDB Act and Privacy Act 1988 (Cth) applies to all Australian government agencies, businesses and not-for-profits with an annual revenue of $3 million or more per annum and all health service providers, credit providers, credit reporting bodies, entities that trade in personal information and tax file number recipients.

Monetary penalties and investigation for non-compliance

A failure to comply with the notification requirements is subject to the penalty regime under the Privacy Act, which allows for monetary penalties of up to $1.8 million for organisations and $360,000 for individuals for serious or repeated breaches. A failure to comply can also result in affected individuals filing a complaint with the Commissioner or the Commissioner investigating without a complaint being made. Pursuant to section 52 of the Privacy Act, following an investigation the Commissioner may issue a determination requiring the organisation to:

  • Pay compensation for any loss or damage to affected individuals; and/or
  • Perform any reasonable act or course of conduct to redress any loss or damage suffered by affected individuals; and/or
  • Take specified steps to ensure that an organisation's conduct is not repeated or continued.

What to do about Eligible Data breaches

The NDB scheme applies to data breaches involving personal information that are likely to result in serious harm to any individual affected, which are referred to as 'eligible data breaches'. Once an organisation is aware that there are reasonable grounds to believe that there has been an eligible data breach it must promptly notify affected individuals and the Commissioner about the breach.

Criteria for determining eligible data breaches

The Office of the Australian Information Commission (OAIC) sets out on its Eligible data breach webpage that an eligible data breach arises when the following three criteria are satisfied:

  1. There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
  2. This is likely to result in serious harm to one or more individuals; and
  3. The entity has not been able to prevent the likely risk of serious harm with remedial action.

In respect of criteria 2, 'serious harm' is not defined in the Privacy Act. The OAIC sets out in Eligible data breach that organisations 'should assess the risk of serious harm holistically, having regard to the likelihood of the harm eventuating for individuals whose personal information was part of the data breach and the consequences of the harm.' The NDB scheme includes a non-exhaustive list of 'relevant matters' set out in section 26WG. One of those matters includes whether security technology was used and designed to make the information unintelligible or meaningless to unauthorised persons.

In respect of criteria 3 above, if an organisation takes remedial action so that the data breach would not be likely to result in serious harm, then the breach is not an eligible data breach (see section 26WF(1)-(3)) and notification is unnecessary.

If an organisation has reasonable grounds to believe that it has experienced an eligible data breach, it must promptly notify individuals and the Commissioner about the data breach.

Think you've got an eligible data breach?

In the situation where an organisation suspects that it may have experienced an eligible data breach, it must quickly assess the situation to decide whether or not there has been an eligible data breach and notification is required. OAIC sets out in Assessing a suspected data breach the 'assessment must be reasonable and expeditious, and entities may develop their own procedures for assessing a suspected data breach.'

Timing is critical: assessment within 30 days

An organisation must take all reasonable steps to complete the assessment within 30 calendar days after the day it became aware of the grounds that caused it to suspect an eligible data breach (see section 26WH(2)). The OAIC sets out in Assessing a suspected data breach:

'[t]he Commissioner expects that wherever possible entities treat 30 days as a maximum time limit for completing an assessment, and endeavour to complete the assessment in a much shorter timeframe, as the risk of serious harm to individuals often increases with time. Where an entity cannot reasonably complete an assessment within 30 days, the Commissioner recommends that it should document this, so that it is able demonstrate:

  • that all reasonable steps have been taken to complete the assessment within 30 days
  • the reasons for the delay
  • that the assessment was reasonable and expeditious.'

Notifications to individuals and Commissioner

The NDB scheme requires an agency or organisation that has reasonable grounds to believe an eligible data breach has occurred to promptly notify individuals at likely risk of serious harm and the Australian Information Commissioner (Commissioner). The notification must include: the identity and contact details of the notifying organisation; a description of the data breach; the kinds of information concerned; and recommendations about the steps individuals should take in response to the data breach (see section 26WK(3)).

What must be included in the notifying statement

OAIC sets out it 'expects that the statement will include sufficient information about the data breach to allow affected individuals the opportunity to properly assess the possible consequences of the data breach for them, and to take protective action in response'. Information describing the eligible data breach may include:

  • the date of the unauthorised access or disclosure
  • the date the entity detected the data breach
  • the circumstances of the data breach
  • who has obtained or is likely to have obtained access to the information
  • relevant information about the steps the entity has taken to contain the breach.

Individuals

Where serious harm cannot be mitigated through remedial action, the agency of organisation must notify individuals involved in an eligible data breach that is likely to result in serious harm. If it is not practicable to notify each affected individual then the organisation must publish a copy of the statement on the organisation's website (for at least 6 months) and take reasonable steps to publicise the contents of the statements (see section 26WL(2)). The notification must include recommendations about the steps individuals should take in response to the breach to mitigate the serious harm or likelihood of serious harm from the data breach.

OAIC – Commissioner

Notify the Commissioner of eligible data breaches by completing online the Notifiable Data Breach statement — Form or downloading the Word document form [108 KB DOCX].

Where an eligible data breach applies to multiple organisations, only one organisation needs to notify the Commissioner and the individuals at risk of serious harm, and it is up to the organisations to decide who makes the notifications.

Checkpoint

Update Data Breach Response Plan

Your organisation's data breach response plan needs to incorporate the requirements of the NDB scheme for assessing suspected eligible data breaches. OAIC has available on its website a Guide for developing a data breach response plan, which includes a useful data breach response checklist. This is important, because [t]'the Commissioner expects that an entity's approach to data breach management, including its data breach response plan, will incorporate the requirements of the NDB scheme for assessing suspected eligible data breaches.

Health Care Providers

If a data breach is required to be notified under s 75 of the My Health Records Act, the NDB scheme does not apply (see section 26WD). This exception is intended to avoid duplication of notices under the NDB scheme and the data breach notification requirements in the My Health Record system. For further about data breach notification requirements of the My Health Records Act see OAIC's Guide to mandatory data breach notification in the My Health Record system.

Notifying other Regulators

Organisations may also need to consider reporting a data breach incident to other authorities and regulators, such as: ASIC, APRA, ATO, The Australian Cyber Security Centre, law enforcement, professional bodies, financial services provider etc.

Organisations that operate in multiple jurisdictions may have notification obligations under other breach notification schemes, such as the EU General Data Protection Regulation (GDPR) – see my article GDPR: Change to European privacy laws and its impact on Australian businesses.

Key take outs and actions

  • Ensure your data breach response plan is up to date and complies with the NDB Scheme, including the requirements for assessing suspected eligible data breaches.
  • Prompt notification to affected individuals and the Commissioner is required unless remedial action is taken so that the data breach would not be likely to result in serious harm.
  • Assessments must be done as quickly as possible and within 30 days.
  • Is your organisation ready to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm to affected individuals, and if so, is it ready to make notifications to individuals and the Commissioner? Key considerations include: who is your internal team; do you have sufficient internal or known external resources to deal with a potential significant data breach of personal information, including resources to manage communications to notify affected individuals?
  • In the event of a data breach, consider whether your organisation is required to report the data breach to any other authority or regulator or professional body.
  • Have you reviewed contracts with service providers to ensure they contain privacy and data breach notification obligations on them that will allow your organisation to comply with the Privacy Act and the NDB Scheme? Who has the obligation to notify affected individuals and the Commissioner?
  • Does your organisation have adequate cyber insurance? Have you reviewed the terms and coverage of current policies to assess whether they are adequate, and include cover for liabilities and losses including monetary penalties?
  • Does your organisation have a strong privacy culture? Are privacy impact assessments being carried out? Is privacy-by-design being built into systems and processes? Are you able to quickly respond to suspected data breaches and to learn from potential or actual eligible breaches?
  • Does your data breach response plan and privacy ecosystem align with a unified information governance framework to ensure the value of information throughout the organisation is maximised and risks and costs of holding information are minimised?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Kott Gunning
Thynne & Macartney
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Kott Gunning
Thynne & Macartney
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions