This article provides information to businesses that are subject to the Privacy Act regarding their obligations under the Notifiable Data Breach Scheme.
What is the Notifiable Data Breach Scheme?
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) amended the Privacy Act 1988 (Cth) to establish the Notifiable Data Breach scheme (NDB).
What Organisations Does the Notifiable Data Breach Scheme Apply To?
The NDB applies to organisations that are subject to the Privacy Act 1988 (Cth). This includes companies and not-for-profit organisations that have an annual turnover of $3,000,000 or more, and all health care providers, credit reporting agencies, entities that trade in personal information, and those that are recipients of tax file numbers and most Government agencies (Entities).
What Constitutes a Notifiable Data Breach?
The following three elements are required to establish whether an eligible data breach has occurred under the NDB scheme:
- where there has been unauthorised disclosure of, or unauthorised access to, personal information, or where personal information is lost;
- where the breach is likely to cause ‘serious harm’; and
- the Entity has not been able to prevent the likely serious harm with remedial action.
What Obligations Does the Notifiable Data Breach Scheme Impose?
The NDB imposes an obligation to report breaches which could result in ‘serious harm’ to an individual or individuals. Breaches must be reported to the Office of the Australian Information Commissioner (OAIC). Additionally, the NDB requires data breaches to be reported to the individuals whose personal information was subject to the breach.
Section 26WK(3) of the Privacy Act requires that the notice must contain:
- The Entity’s name and contact details;
- The details of the data breach;
- The type of information that was compromised; and
- Recommended steps that affected individuals should take in response to the breach.
What Is The Meaning of ‘Serious Harm’?
The meaning of ‘serious harm’ is not defined in the Privacy Act. However, section 26WG of the Privacy Act sets out ‘relevant matters’ that Entities must take into consideration when assessing serious harm. Those relevant matters include the kind of information, the sensitivity of the information, the type of people who could obtain the information, the nature of the harm and whether the information is encrypted.
The OAIC also provides guidance on the meaning of serious harm to include serious physical, psychological, emotional, financial, or reputational harm and advises that serious harm be assessed from the perspective of a reasonable person.
What Are Examples of an Eligible Data Breach?
- A database containing subscribers’ and customers’ information is hacked.
- A USB storage device containing people’s names and tax file numbers is lost in the street.
- A folder containing a doctor’s patient health records is lost by an employee in a public place.
- A laptop without password protection, containing a psychologist’s mental health diagnosis of a patient, is left on a bus.
What is Remedial Action?
Sections 26WF(1) to 26WF(3) of the Privacy Act provide that remedial action may be taken and that, “as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.”
For example, if Company A sends an email that attaches a file containing personal information to an unintended recipient (Company X) by mistake, Company A may take remedial action by contacting Company X and asking them to delete the file from their system. This relies, of course, on Company A having a relationship with Company X and trusting that Company X has in fact deleted the file.
In such a case, the remedial action means that the ‘serious harm’ element is not enlivened. Therefore, Company A is not required to report the data breach to the OAIC or to the people whose personal information was saved in the file.
When Must An Eligible Data Breach Be Reported?
Relevant organisations must take steps to make a ‘reasonable and expeditious assessment’ to establish whether the data breach constitutes an eligible data breach. Organisations must take all reasonable steps to ensure that the assessment of the data breach is completed within 30 days pursuant to section 26WH(2) of the Privacy Act.
What Can Entities Do If They Cannot Complete The Assessment within 30 Days?
If an Entity cannot complete the assessment of whether the breach constitutes an eligible data breach within 30 days, the OAIC advises that the Entity should document its assessment process to show:
- The reasons for the delay;
- The assessment was reasonable and expeditious; and
- All reasonable steps were taken to complete the assessment within the requisite 30-day period.
What Are The Penalties For Failing To Comply With The Notifiable Data Breach Scheme?
Penalties of up to $2,100,000 may be imposed on corporations for failing to comply with the notification requirements under the NDB scheme. Additionally, Entities can be ordered to review their privacy practices and issue public apologies. A maximum penalty of $420,000 may be imposed upon individuals.