Australian privacy and information security laws are complex. In particular, we find many of our clients struggle with understanding when the Notifiable Data Breach (NDB) scheme under the Australian Privacy Act applies to their business. It is essential to learn not only when the NDB scheme applies but also how to prevent and mitigate data breaches in the event they occur.
What is the Privacy Act?
The Privacy Act1 (the Act) regulates the way organisations handle, disclose, use and market individual's personal information. The Act primarily regulates Australian Government agencies and organisations with an annual turnover greater than $3 million, but some small businesses such as those who opt into the scheme, or deal with health data and credit reporting are also covered.
What is the NDB Scheme?
Any organisation regulated by the Privacy Act must notify their affected individuals and the Office of the Australian Information Commissioner (OAIC) when an information data breach is likely to result in serious harm to an individual.
A data breach occurs when personal information held by an organisation is lost or subjected to access or disclosure. Most commonly, this regulates data information hacking and accidental disclosure (such as releasing personal information to the wrong person).An organisation that suspects an eligible data breach may have occurred must act quickly to assess the incident.
We recommend you have a legal expert assess whether or not a data breach falls within the NDB scheme, thereby mandating its reporting to the OAIC and affected individuals. If you get this wrong the implications can be significant.
What happens if I have an NDB incident?
In the event that a notifiable data breach incident occurs, you should complete an Eligible Data Breach Statement within thirty (30) calendar days of the data breach. This statement is available online on the OAIC website. Then, using the Eligible Data Breach Statement content, you should prepare and send out a notification separately to those affected by the breach. We recommend having a legal professional draft this notification, and on occasion a public relations or brand reputation expert involved in the communications. Finally, you should consider whether you are required to notify your insurer under any policies of insurance (cyber insurance or otherwise). Early notification can offer significant assistance, particularly in funding legal or cyber advice, and in the preparation of the Eligible Data Breach Statement and subsequent communications.
What happens if I fail to notify the OAIC?
The Australian Information Commissioner has broad powers to enforce penalties against businesses that interfere with an individual's privacy. The maximum penalty for the successful prosecution of this interference may include a civil penalty of up to $402,000 for individuals and $2,100,000 for corporations.
How does my organisation stay protected?
While it is impossible to guarantee that personal information is entirely secure and safe, there are several preventative and response measures your organisation should implement to protect and lessen the impact of a data breach.
To prevent data breaches, there are organisational and personnel prevention methods to deploy within your organisation. To protect the organisation broadly, ensure physical records are stored securely and only accessible to those personnel who require access, that you use up to date adequate security software, conduct regular cybersecurity risk assessment audits and encrypt and back up sensitive data. To protect individual personnel, conduct staff training to raise and awareness and implement data security organisational policies such as a password policy to force personnel to have robust, secure and unique passwords which are changed often.
We also highly recommend preparing a comprehensive data breach response plan. This should outline your organisation's strategy for identifying, containing, assessing and managing a data breach incident. These plans help limit the consequences of a data breach and support the confidence customers or client's will have in your ability to manage their information.
This plan should cover what constitutes a data breach so that identification is timely, a strategy for containing, assessing and managing data breaches, the roles and responsibilities of key personnel within the organisation, how to document the data breach and the review evaluation of how to prevent a similar breach in the future.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.