The NDBS was established in 2017 under an amendment to the Privacy Act 1988 (the “Act”). It is monitored, regulated and enforced by the Office of the Australian Information Commissioner (OAIC).
Does the NDBS apply to me?
Entities covered by the NDBS include all entities that have existing obligations under Australian Privacy Principle (“APP”) 11 of the Act to protect personal information they hold. They include:
- Australian government entities;
- private sector and not for profit organisations with a turnover in excess of 3 million;
- any business no matter its turnover which trades in personal information; and
any business no matter its turnover which provides a health service to and holds health information about individuals. This is very broad and includes pharmacists, private schools, gyms, weight loss clinics and any allied health care provider.
What is a notifiable data breach?
The NDBS applies to eligible data breaches that occur on or after 22 February 2018.
A notifiable data breach occurs when personal information an organisation or agency holds is lost or subject to unauthorised access or disclosure. Examples include when:
- A device or record containing a client’s personal information is lost or stolen
- A database with personal information is hacked
- Personal information is accidentally given to the wrong person
Examples of personal information include health information, identity documents and financial information. To be personal information the information disclosed must be capable of identifying a person. This may result from combining different types of information to identify an individual.
To be classified as an eligible data breach the following criteria must be met:
- There is unauthorised access to or disclosure of personal information held by an organisation;
- This is likely to result in serious harm to any of the individuals to whom the information relates; and
- The organisation has been unable to prevent the likely risk of harm with remedial action.
What do I do if I suspect a notifiable data breach?
Steps to be taken once a data breach has been identified include:
Take immediate steps to limit any further access to or distribution of the affected person’s information.
- Assess the breach
Consider whether the breach is likely to result in serious harm. Serious harm is very broad and includes harm to a person’s physical or mental well-being, financial loss or damage to their reputation. Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person. Examples of serious harm include:
- Identity theft
- Financial loss
- Threats to safety
- Loss of business or employment opportunities
- Humiliation and reputational damage
- Bullying, victimisation or discrimination
Gather all relevant information with respect to the breach and make an evidenced-based decision about whether serious harm is likely to result from the breach. This process should be documented and completed within 30 days of the breach.
- Take remedial action
Where possible remedial action should be taken to reduce any serious harm occurring. This might involve taking action to recover lost information before it is accessed. Examples of remedial action include:
- Taking steps to recover lost / stolen records
- Shutting down the breached system
- Stopping the unauthorised practice
- Revoking computer access
There is no requirement to notify the affected individual if remedial action is successful.
If you have reasonable grounds to believe that the data breach is likely to result in serious harm after assessing the breach and/or taking remedial action you must notify the affected individual and the OIAC via a Notifiable Breach Form available on its website.
There are 3 options for notifying individuals:
Option 1: Notify all individuals. Should only be used if affected individuals cannot be identified. May result in undue stress and harm to non-affected individuals and reputational damage.
Option 2: Notify only those individuals at risk of serious harm. This is the preferred option if practicable.
Option 3: Publish the statement on your website or advertise the breach in other online and print publications. Least preferred option, unlikely to result in adequate notification and may cause undue stress and harm and reputational damage. Notification must remain on your website for at least 6 months.
Notification to the individual needs to include:
- Your organisation’s name
- A description of the data breach
- Kinds of data breached
- Recommendation about the steps an individual needs to take in response to the data breach
Review the incident and implement strategies to prevent future breaches for example:
- Auditing IT security
- Changing policies and procedures regarding access to personal information
- Revising staff training regarding privacy
Special considerations with respect to overseas activities and joint ownership of information.
Many internet service providers (ISP) host their services in countries other than Australia. By virtue of using an ISP with an overseas hosting platform you need to aware of any data breaches by your ISP. As an Australian entity you are required to take reasonable steps to ensure the overseas recipient of information does not breach any of the APPs in relation to the information.
Any breaches by an overseas recipient may need to be managed under the NDBS.
The proliferation of cloud service providers has also raised issues regarding data breaches involving more than one entity. As an example, you may store or upload your clients’ personal data files to a cloud service. Should that service be compromised, both the service provider who physically holds the records, and the entity which uploaded the records and has physical power to control and access the them, are responsible for managing the breach.
OAIC suggests that in the case of joint ownership of data the entity with the most direct relationship with affected individuals should carry out the management of the breach, compliance and notification requirements. However both entities are generally responsible for complying with the NDBS. It should be noted that compliance with the NDBS by one entity will be taken to be compliance by each of the entities.
What are the consequences for failing to comply with the scheme?
The OAIC has a number of powers to ensure entities meet their obligations under the NDBS including:
- Investigation of any complaint by an individual regarding interference with their privacy including, a complaint for failure to notify the individual of a data breach.
- Accepting and enforcing an undertaking with respect to compliance with NDBS.
- Making a determination and bringing proceedings to enforce a determination.
- Seeking an injunction to prevent ongoing activity or recurrence.
- Applying to a court for civil penalty order.
If you have any questions regarding how the NDBS affects you or your business, contact our client engagement team for an appointment with our privacy lawyers.