
This article informs businesses subject to the Privacy Act regarding their obligations under the Notifiable Data Breach Scheme.


What is the Notifiable Data Breach Scheme?

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) amended the Privacy Act 1988 (Cth) to establish the Notifiable Data Breach scheme (NDB). 

What Organisations Does the Notifiable Data Breach Scheme Apply To?

The NDB applies to organisations subject to the Privacy Act 1988 (Cth). This includes companies and not-for-profit organisations with an annual turnover of $3,000,000 or more, all health care providers, credit reporting agencies, entities that trade in personal information, recipients of tax file numbers, and most Government agencies (collectively, Entities).

What Constitutes a Notifiable Data Breach?

The following three elements are required to establish whether an eligible data breach has occurred under the NDB scheme:

  1. there has been unauthorised access to, or unauthorised disclosure of, personal information, or personal information has been lost;
  2. the breach is likely to cause ‘serious harm’; and
  3. the Entity has been unable to prevent the likely serious harm with remedial action.

What Obligations Does the Notifiable Data Breach Scheme Impose?

The NDB imposes an obligation to report breaches that could result in ‘serious harm’ to an individual or individuals. Data breaches must be reported to the Office of the Australian Information Commissioner (OAIC). Additionally, the NDB requires data breaches to be reported to the individuals whose personal information is subjected to the breach.

Section 26WK(3) of the Privacy Act requires that the notice must contain:

  1. The Entity’s name and contact details;
  2. The details of the data breach;
  3. The type of information that was compromised; and
  4. Recommended steps affected individuals should take in response to the breach.

What Is The Meaning of ‘Serious Harm’?

The Privacy Act does not define the meaning of ‘serious harm’. However, section 26WG of the Privacy Act sets out ‘relevant matters’ Entities must consider when assessing serious harm. Those relevant matters include the kind of information, the sensitivity of the information, the type of people that could obtain the information, the nature of the harm and if the information is encrypted.

The OAIC also provides guidance on the meaning of serious harm to include serious physical, psychological, emotional, financial, or reputational harm and advises that serious harm be assessed from the perspective of a reasonable person.

What Are Examples of an Eligible Data Breach?

  • A database containing subscribers’ and customers’ information is hacked.
  • A USB storage device containing people’s names and tax file numbers is lost in the street.
  • A folder containing a doctor’s patient health records is lost in public by an employee.
  • A laptop without password protection, containing a psychologist’s mental health diagnosis of a patient, is left on a bus.

What is Remedial Action?

Sections 26WF(1) to 26WF(3) of the Privacy Act provide that remedial action may be taken and “as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.”

For example, suppose Company A sends an email that attaches a file containing personal information to an unintended recipient (Company X) by mistake. In that case, Company A may take remedial action by contacting Company X and asking it to delete the file from its system, provided, of course, that Company A has a relationship with Company X and can trust that Company X has done so.

In such a case, the remedial action means the ‘serious harm’ element is not satisfied. Therefore, Company A is not required to report the data breach to the OAIC or to the people whose personal information was saved in the file.

When Must An Eligible Data Breach Be Reported?

Relevant organisations must take steps to make a ‘reasonable and expeditious assessment’ to establish whether the data breach constitutes an eligible data breach. Organisations must take all reasonable steps to ensure the data breach assessment is completed within 30 days under section 26WH(2) of the Privacy Act.

What Can Entities Do If They Cannot Complete The Assessment within 30 Days?

Suppose an Entity cannot complete the assessment of whether the breach constitutes an Eligible Data Breach within 30 days. In that case, the OAIC advises that the Entity should document its assessment process to show the following:

  1. The reasons for the delay;
  2. The assessment was reasonable and expeditious; and
  3. All reasonable steps were taken to complete the assessment within the requisite 30-day period.

What Are The Penalties For Failing To Comply With The Notifiable Data Breach Scheme?

Penalties of up to $2,100,000 may be imposed for failing to comply with the notification requirements under the NDB scheme for corporations. Additionally, Entities can be ordered to review their privacy practices and issue public apologies. A maximum penalty of $420,000 may be imposed upon individuals.