This article provides information to businesses that are subject to the Privacy Act regarding their obligations under the Notifiable Data Breach Scheme.
What is the Notifiable Data Breach Scheme?
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) amended the Privacy Act 1988 (Cth) to establish the Notifiable Data Breach scheme (NDB).
What Organisations Does the Notifiable Data Breach Scheme Apply To?
The NDB applies to organisations that are subject to the Privacy Act 1988 (Cth). This includes companies and not-for-profit organisations that have an annual turnover of $3,000,000 or more, and all health care providers, credit reporting agencies, entities that trade in personal information and those that are recipients of tax file numbers and most Government agencies (Entities).
What Obligations Does the Notifiable Data Breach Scheme Impose?
The NDB imposes an obligation to report breaches which could result in ‘serious harm‘ to an individual or individuals. Reporting of breaches must be made to the Office of the Australian Information Commissioner (OAIC). Additionally, the NDB requires such data breaches to be reported to the individuals whose personal information is subject to the breach.
Where an Entity has assessed a data breach and believes on reasonable grounds that the data breach constitutes an eligible data breach it should, as soon as practicable notify individuals who are subject to the breach who are at risk of serious harm; and the OAIC.
Section 26WK(3) of the Privacy Act requires that the notice must contain:
- the Entity’s name and contact details;
- details of the data breach;
- the type of information that was compromised; and
- recommended steps that affected individuals should take in response to the breach.
What Constitutes a Notifiable Data Breach?
The following three elements are required to establish whether an eligible data breach has occurred under the NDB scheme:
- where there has been an unauthorised disclosure of, or unauthorised access to personal information or where personal information is lost;
- where the breach is likely to cause ‘serious harm’; and
- the Entity has not been able to prevent the likely serious harm with remedial action.
Businesses are responsible for assessing whether a breach of data constitutes a Notifiable Data Breach. It is recommended that legal advice be sought from lawyers who are experienced in this field.
What Is The Meaning of ‘Serious Harm’?
The meaning of ‘serious harm’ is not defined in the Privacy Act. However, section 26WG of the Privacy Act sets out ‘relevant matters’ Entities must take into consideration when assessing serious harm. Those relevant matters include the kind of information, the sensitivity of the information, the type of people that could obtain the information, the nature of the harm and if the information is encrypted.
The OAIC also provides guidance on the meaning of serious harm to include serious physical, psychological, emotional, financial, or reputational harm and advises that serious harm be assessed from the perspective of a reasonable person.
What Are Examples of an Eligible Data Breach?
- A database containing subscribers and customers information that is hacked.
- A USB storage device containing tax file numbers is lost in the street.
- A customer relationship management (CRM) database that is backed-up to a CSV file that is accidentally made publicly accessible online.
- Patients’ health records that an employee loses in a public place.
What is Remedial Action?
Sections 26WF(1) to 26WF(3) of the Privacy Act provides that remedial action may be taken and “as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals.”
For example, remedial action may include circumstances where a file containing sensitive customer data is sent to the incorrect recipient. If the recipient is a person who is trusted by the sender and is immediately contacted and agrees to delete the data, then it may be concluded that the organisation has taken the necessary remedial action that will not result in serious harm. Therefore, in these circumstances, the breach will not constitute a Notifiable Data Breach.
When Must An Eligible Data Breach Be Reported?
Relevant organisations must take steps to make a ‘reasonable and expeditious assessment’ to establish whether the data breach constitutes an eligible data breach. Organisations must take all reasonable steps to ensure that the assessment of the data breach is completed within 30 days pursuant to section 26WH(2) of the Privacy Act.
What Can Entities Do If They Cannot Complete The Assessment within 30 Days?
If an Entity cannot complete the assessment of whether the breach constitutes an Eligible Data Breach within 30 days, the OIAC advises that the Entity should document their assessment process to show:
- The reasons for the delay;
- The assessment was reasonable and expeditious; and
- All reasonable steps were taken to complete their assessment within the requisite 30 day period.
What Are The Penalties For Failing To Comply With The Notifiable Data Breach Scheme?
Penalties of up to $2,100,000 may be imposed for failing to comply with the notification requirements under the NDB scheme for corporations. Additionally, Entities can be ordered to review their privacy practices and issue public apologies. A maximum penalty of $420,000 may be imposed upon individuals.