The Australian Government is introducing the Notifiable Data Breaches (NDB) scheme on 22 February 2018. This new legislation aims to strengthen personal data protection and improve organisational transparency regarding data breaches.
What is the Notifiable Data Breaches (NDB) scheme?
The NDB scheme outlines the requirements that entities need to be aware of when responding to data breaches within their organisation. Entities will have new data breach obligations, which involve notifications of breaches that are likely to result in serious harm to any individual whose personal information is involved in the breach.
Who must comply with the NDB scheme?
Entities that already have obligations under the Privacy Act 1988 to secure personal information must comply with the NDB scheme. This includes Australian Government agencies, businesses and not-for-profit organisations that have an annual turnover of more than $3 million, as well as private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.
Which data breaches require notification?
The NDB scheme applies to data breaches involving personal information that are likely to result in serious harm to any individual affected. These are referred to as ‘eligible data breaches’. There are a few exceptions which may mean notification is not required for certain eligible data breaches.
An objective assessment is required to determine whether a data breach is likely to result in serious harm. This assessment is carried out by a reasonable person in the entity’s position.
What is an eligible data breach?
An eligible data breach arises when:
- There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
- It is likely to result in serious harm to one or more individuals, and
- The entity has not been able to prevent the likely risk of serious harm with remedial action.
However, not all data breaches are eligible. For example, if an entity acts quickly to remediate a data breach and, as a result, the breach is not likely to result in serious harm, there is no requirement to notify any individuals or the Australian Information Commissioner. There are also exceptions to notifying in certain circumstances.
Assessing suspected data breaches within your organisation
Examples of a data breach may include:
- Data or records containing customers’ personal information that is lost or stolen
- Database containing personal information is hacked
- Cyber-attack results in personal information being disclosed
- Personal information is mistakenly provided to the wrong person.
Entities that suspect that an eligible data breach has occurred must undertake a reasonable and expeditious assessment to determine whether the data breach is likely to result in serious harm to any individual affected. This assessment must be conducted expeditiously and, where possible, within 30 days. If it cannot be completed within 30 days, the entity must document the reasons why.
The steps to take when a data breach occurs:
When an organisation is aware of reasonable grounds to believe an eligible data breach has occurred, it is obligated to promptly notify individuals at likely risk of serious harm. The Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.
The notification to affected individuals and the Australian Information Commissioner must include the following information:
- The identity and contact details of the organisation
- A description of the data breach
- The kinds of information concerned, and
- Recommended steps individuals should take in response to the data breach.
The NDB scheme provides three options for notifying individuals at risk of serious harm, depending on what is ‘practicable’ for the entity. Whether a particular option is practicable involves a consideration of the time, effort and cost of notifying individuals at risk of serious harm in a particular manner. These factors should be considered in light of the capabilities and capacity of the entity. The options are: notify all individuals; notify only those individuals at risk of serious harm; or publish a notification.
If you have any questions on the new NDB scheme, contact Vishal Modi at Hill Rogers.
The Office of the Australian Information Commissioner has published various resources relating to the NDB scheme, including:
- Guide to securing personal information
- Data breach notification — A guide to handling personal information security breaches
- Guide to developing a data breach response plan
- What to do after a data breach notification