The ‘Notifiable Data Breach Scheme’ imposes mandatory obligation on Australian organisations to notify individuals if a data breach that discloses their personal information occurs, and such disclosure is likely to result in ‘serious harm’. The Commissioner must also be notified of such data breaches. Organisations must comply with these notification obligations to avoid facing investigations and fines of up to $1.8 million.
From 22 February 2018, the Notifiable Data Breaches (‘NDB‘) scheme will come into effect requiring any agencies and organisations to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (‘Commissioner‘) must also be notified of eligible data breaches.
Agencies and organisations (‘APP Entities‘) that already have obligations under the Australian Privacy Act 1988 (Cth) (‘Privacy Act‘) to secure personal information must comply with NDB scheme.
This includes:
Generally small business operators (any business who has not had an annual turnover of more than $3 million in any financial year since 2001) do not have to comply with these obligations unless they fall within one of the following categories:
A data breach arises where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.
An eligible data breach will arise where a reasonable person would conclude that there is a likely risk of “serious harm” to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure. “Serious harm”, while undefined, is likely to include the following types of serious harm:
Whether the harm caused to an affected individual can be categorised as “serious” will depend on a list of relevant matters which may include:
If an entity is unsure whether an eligible data breach has occurred, it must carry out a reasonable and expeditious assessment and take no longer than 30 days to make this determination.
Once it has been confirmed that an eligible data breach has occurred, an entity must:
This must be done as soon as practicable following completion of the statement. Further, the notification to affected individuals and the Commissioner must include the identity and contact details of the organisation, a description of the data breach, the kinds of information concerned and recommendations about the steps individuals should take in response to the data breach.
Failure to comply with the notification regime is considered an “interference with the privacy of an individual” under the Privacy Act’s existing enforcement and civil penalty framework. APP Entities may be subject to anything from investigations to, in the case of serious or repeated non-compliance, substantial civil penalties of up to $1.8 million.
APP Entities should audit their current information security processes and procedures to ensure they are adequate.
For example it is crucial to:
The information above is general in nature. If you want to learn more about how the NDB scheme might impact you, please contact us below.