Australia's Notifiable Data Breaches (NDB) scheme comes into effect from 22 February 2018. This article explains what a Notifiable Data Breach is and when to notify the Australian Information Commissioner and individuals whose personal information has been subject to a data breach likely to result in serious harm. Importantly, organisations need to be prepared and ensure that breach response plans are up to date with an appropriate assessment process for suspected eligible data breaches to comply with the NDB scheme.
Notifiable Data Breaches Scheme – comes into effect 22 February 2018
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act) established the Notifiable Data Breaches scheme in Australia. It requires organisations to notify the Australian Information Commissioner and the individuals whose personal information is involved in a data breach that is likely to result in serious harm. The NDB scheme comes into effect from 22 February 2018.
The NDB Act and the Privacy Act 1988 (Cth) apply to all Australian government agencies, businesses and not-for-profits with an annual revenue of $3 million or more, and to all health service providers, credit providers, credit reporting bodies, entities that trade in personal information and tax file number recipients.
Monetary penalties and investigation for non-compliance
A failure to comply with the notification requirements is subject to the penalty regime under the Privacy Act, which allows for monetary penalties of up to $1.8 million for organisations and $360,000 for individuals for serious or repeated breaches. A failure to comply can also result in affected individuals filing a complaint with the Commissioner or the Commissioner investigating without a complaint being made. Pursuant to section 52 of the Privacy Act, following an investigation the Commissioner may issue a determination requiring the organisation to:
- Pay compensation for any loss or damage to affected individuals; and/or
- Perform any reasonable act or course of conduct to redress any loss or damage suffered by affected individuals; and/or
- Take specified steps to ensure that an organisation's conduct is not repeated or continued.
What to do about eligible data breaches
The NDB scheme applies to data breaches involving personal information that are likely to result in serious harm to any individual affected, which are referred to as 'eligible data breaches'. Once an organisation is aware that there are reasonable grounds to believe that there has been an eligible data breach it must promptly notify affected individuals and the Commissioner about the breach.
Criteria for determining eligible data breaches
The Office of the Australian Information Commissioner (OAIC) sets out on its Eligible data breach webpage that an eligible data breach arises when the following three criteria are satisfied:
- There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
- This is likely to result in serious harm to one or more individuals; and
- The entity has not been able to prevent the likely risk of serious harm with remedial action.
In respect of criterion 2, 'serious harm' is not defined in the Privacy Act. The OAIC sets out in Eligible data breach that organisations 'should assess the risk of serious harm holistically, having regard to the likelihood of the harm eventuating for individuals whose personal information was part of the data breach and the consequences of the harm.' The NDB scheme includes a non-exhaustive list of 'relevant matters' set out in section 26WG. One of those matters is whether security technology was used and designed to make the information unintelligible or meaningless to unauthorised persons.
In respect of criterion 3 above, if an organisation takes remedial action so that the data breach would not be likely to result in serious harm, then the breach is not an eligible data breach (see section 26WF(1)-(3)) and notification is unnecessary.
If an organisation has reasonable grounds to believe that it has experienced an eligible data breach, it must promptly notify individuals and the Commissioner about the data breach.
Think you've got an eligible data breach?
Where an organisation suspects that it may have experienced an eligible data breach, it must quickly assess the situation to decide whether there has been an eligible data breach and whether notification is required. The OAIC sets out in Assessing a suspected data breach that the 'assessment must be reasonable and expeditious, and entities may develop their own procedures for assessing a suspected data breach.'
Timing is critical: assessment within 30 days
An organisation must take all reasonable steps to complete the assessment within 30 calendar days after the day it became aware of the grounds that caused it to suspect an eligible data breach (see section 26WH(2)). The OAIC sets out in Assessing a suspected data breach:
'[t]he Commissioner expects that wherever possible entities treat 30 days as a maximum time limit for completing an assessment, and endeavour to complete the assessment in a much shorter timeframe, as the risk of serious harm to individuals often increases with time. Where an entity cannot reasonably complete an assessment within 30 days, the Commissioner recommends that it should document this, so that it is able to demonstrate:
- that all reasonable steps have been taken to complete the assessment within 30 days
- the reasons for the delay
- that the assessment was reasonable and expeditious.'
Notifications to individuals and Commissioner
The NDB scheme requires an agency or organisation that has reasonable grounds to believe an eligible data breach has occurred to promptly notify individuals at likely risk of serious harm and the Australian Information Commissioner (Commissioner). The notification must include: the identity and contact details of the notifying organisation; a description of the data breach; the kinds of information concerned; and recommendations about the steps individuals should take in response to the data breach (see section 26WK(3)).
What must be included in the notifying statement
The OAIC states that it 'expects that the statement will include sufficient information about the data breach to allow affected individuals the opportunity to properly assess the possible consequences of the data breach for them, and to take protective action in response'. Information describing the eligible data breach may include:
- the date of the unauthorised access or disclosure
- the date the entity detected the data breach
- the circumstances of the data breach
- who has obtained or is likely to have obtained access to the information
- relevant information about the steps the entity has taken to contain the breach.
Where serious harm cannot be mitigated through remedial action, the agency or organisation must notify the individuals involved in an eligible data breach that is likely to result in serious harm. If it is not practicable to notify each affected individual, the organisation must publish a copy of the statement on its website (for at least 6 months) and take reasonable steps to publicise the contents of the statement (see section 26WL(2)). The notification must include recommendations about the steps individuals should take in response to the breach to mitigate the serious harm, or the likelihood of serious harm, arising from the data breach.
OAIC – Commissioner
Notify the Commissioner of eligible data breaches by completing the Notifiable Data Breach statement form online, or by downloading the Word document version of the form from the OAIC website.
Where an eligible data breach applies to multiple organisations, only one organisation needs to notify the Commissioner and the individuals at risk of serious harm, and it is up to the organisations to decide who makes the notifications.
Update Data Breach Response Plan
Your organisation's data breach response plan needs to incorporate the requirements of the NDB scheme for assessing suspected eligible data breaches. The OAIC has available on its website a Guide for developing a data breach response plan, which includes a useful data breach response checklist. This is important, because '[t]he Commissioner expects that an entity's approach to data breach management, including its data breach response plan, will incorporate the requirements of the NDB scheme for assessing suspected eligible data breaches.'
Health Care Providers
If a data breach is required to be notified under s 75 of the My Health Records Act, the NDB scheme does not apply (see section 26WD). This exception is intended to avoid duplication of notices under the NDB scheme and the data breach notification requirements in the My Health Record system. For further information about the data breach notification requirements of the My Health Records Act, see the OAIC's Guide to mandatory data breach notification in the My Health Record system.
Notifying other Regulators
Organisations may also need to consider reporting a data breach incident to other authorities and regulators, such as ASIC, APRA, the ATO, the Australian Cyber Security Centre, law enforcement, professional bodies and financial services providers.
Organisations that operate in multiple jurisdictions may have notification obligations under other breach notification schemes, such as the EU General Data Protection Regulation (GDPR) – see my article GDPR: Change to European privacy laws and its impact on Australian businesses.
Key take outs and actions
- Ensure your data breach response plan is up to date and complies with the NDB Scheme, including the requirements for assessing suspected eligible data breaches.
- Prompt notification to affected individuals and the Commissioner is required unless remedial action is taken so that the data breach would not be likely to result in serious harm.
- Assessments must be done as quickly as possible and within 30 days.
- Is your organisation ready to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm to affected individuals, and if so, is it ready to make notifications to individuals and the Commissioner? Key considerations include: who is your internal team; do you have sufficient internal or known external resources to deal with a potential significant data breach of personal information, including resources to manage communications to notify affected individuals?
- In the event of a data breach, consider whether your organisation is required to report the data breach to any other authority or regulator or professional body.
- Have you reviewed contracts with service providers to ensure they contain privacy and data breach notification obligations on them that will allow your organisation to comply with the Privacy Act and the NDB Scheme? Who has the obligation to notify affected individuals and the Commissioner?
- Does your organisation have adequate cyber insurance? Have you reviewed the terms and coverage of current policies to assess whether they are adequate, and include cover for liabilities and losses including monetary penalties?
- Does your organisation have a strong privacy culture? Are privacy impact assessments being carried out? Is privacy-by-design being built into systems and processes? Are you able to quickly respond to suspected data breaches and to learn from potential or actual eligible breaches?
- Does your data breach response plan and privacy ecosystem align with a unified information governance framework to ensure the value of information throughout the organisation is maximised and risks and costs of holding information are minimised?
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.