The ‘Notifiable Data Breach Scheme’ imposes mandatory obligation on Australian organisations to notify individuals if a data breach that discloses their personal information occurs, and such disclosure is likely to result in ‘serious harm’. The Commissioner must also be notified of such data breaches. Organisations must comply with these notification obligations to avoid facing investigations and fines of up to $1.8 million.

Introduction

From 22 February 2018, the Notifiable Data Breaches (‘NDB‘) scheme will come into effect requiring any agencies and organisations to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (‘Commissioner‘) must also be notified of eligible data breaches.

Who must comply with the NDB scheme?

Agencies and organisations (‘APP Entities‘) that already have obligations under the Australian Privacy Act 1988 (Cth) (‘Privacy Act‘) to secure personal information must comply with NDB scheme.

This includes:

• Australian Government agencies;
• businesses and not-for-profit organisations that have an annual turnover of more than $3 million;
• private sector health service providers;
• credit reporting bodies and credit providers; and
• entities that trade in personal information and tax file number (‘TFN‘) recipients.

Generally small business operators (any business who has not had an annual turnover of more than $3 million in any financial year since 2001) do not have to comply with these obligations unless they fall within one of the following categories:

• entities related to an APP Entity;
• entities that ‘opt-in’ to APP coverage under s 6EA of the Privacy Act;
• entities that provide any health or credit reporting services;
• entities that trade in personal information – that is, entities that disclose personal information about individuals to anyone else for a benefit, service or advantage;
• entities that provide a benefit, service or advantage to collect personal information about another individual from anyone else;
• employee associations registered under the Fair Work (Registered Organisations) Act 2009 (Cth); or
• entities that carry on the following activities:
  • providing services to the Commonwealth under a contract;
  • operating a residential tenancy data base;
  • reporting under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth);
  • conducting a protected action ballot; or
  • information retained under the mandatory data retention scheme, as per Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (Cth).

Which data breaches require notification?

A data breach arises where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.

An eligible data breach will arise where a reasonable person would conclude that there is a likely risk of “serious harm” to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure. “Serious harm”, while undefined, is likely to include the following types of serious harm:

• physical;
• psychological;
• emotional;
• economic;
• financial; and
• reputational.

How serious is “serious”?

Whether the harm caused to an affected individual can be categorised as “serious” will depend on a list of relevant matters which may include:

• the sensitivity of the information;
• any security measures taken (e.g. encryption); and
• how easily those security measures could be overcome.

Assessing suspected data breaches

If an entity is unsure whether an eligible data breach has occurred, it must carry out a reasonable and expeditious assessment and take no longer than 30 days to make this determination.

Notification

Once it has been confirmed that an eligible data breach has occurred, an entity must:

• prepare a prescribed statement and provide a copy to the Office of the Commissioner as soon as practicable after becoming aware of the occurrence of an eligible data breach; and
• if it is practicable to do so, take reasonable steps to notify the contents of the statement to individuals to whom the information relates, or to those at risk from the eligible data breach. If neither option applies, the statement should be published on the organisation’s website and reasonable steps taken to publicise the contents of the statement.

This must be done as soon as practicable following completion of the statement. Further, the notification to affected individuals and the Commissioner must include the identity and contact details of the organisation, a description of the data breach, the kinds of information concerned and recommendations about the steps individuals should take in response to the data breach.

Penalties

Failure to comply with the notification regime is considered an “interference with the privacy of an individual” under the Privacy Act’s existing enforcement and civil penalty framework. APP Entities may be subject to anything from investigations to, in the case of serious or repeated non-compliance, substantial civil penalties of up to $1.8 million.

Be prepared: proactive steps to consider

APP Entities should audit their current information security processes and procedures to ensure they are adequate.

For example it is crucial to:

• ensure hacks or data breaches cannot happen in the first place; and
• prepare a data breach response plan (or update their current plan) so as to enable the APP Entity to respond quickly, efficiently and lawfully to an actual or suspected data breach.

The information above is general in nature. If you want to learn more about how the NDB scheme might impact you, please contact us below.