If you are a startup founder, you are probably overwhelmed with the different rules and regulations that your new business has to follow. If your business collects personal information, you may be required to comply with a new regulation: the Notifiable Data Breaches (NDB) scheme. Coming into effect on 22 February 2018, the NDB scheme established obligations for Australian Privacy Principle (APP) entities. This article explains whether or not your startup needs to comply with the NDB scheme and what to do if you are affected by a data breach.
Do I Need to Comply With the NDB Scheme?
The first step in determining how the NDB scheme will affect your startup is figuring out whether the APPs will apply to you. If you are an early-stage startup, you may not have considered your privacy obligations yet. The APPs (and, subsequently, the NDB scheme) will apply if you are considered an APP entity. An APP entity is any sole trader, partnership, trust, company or unincorporated association that has:
- an annual turnover of over $3 million; or
- less than $3 million in turnover but falls under certain exceptions.
Most early-stage startups may find themselves outside the scope of the APPs given that they are likely to have less than $3 million in annual turnover. If this is true for your business, it is still worth familiarising yourself with the APPs and the NDB scheme, so that you are prepared if your business grows rapidly in the future.
You may also choose to become an APP entity voluntarily to strengthen your pitch to potential investors and high profile clients.
Tax File Number Recipient
If you have hired employees, you should be in possession of their tax file numbers (TFNs). If so, you will need to comply with the NDB scheme and other privacy obligations in case a data breach causes the TFNs to be compromised.
So, if you are not yet an APP entity, but have hired or are close to hiring others, you will need to be aware of the NDB scheme below.
What is a Data Breach?
The NDB scheme places additional obligations on APP entities to report data breaches to the Office of the Australian Information Commissioner (OAIC). A data breach occurs when personal information held by your startup is accessed or disclosed without authorisation. It also occurs if you lose this personal information.
“Personal information” is information about an identified individual or an individual who is able to be reasonably identified. Some common examples are:
- date of birth;
- gender; and
- health information.
When you hear the term “data breach”, you might immediately think of a computer hack. It is crucial to note that a data breach does not need to involve malicious or criminal intent. It may also arise from human error or a failure in your IT system. Some examples of data breaches include:
- losing physical devices like laptops, hard drives or paper forms that contain personal information;
- unauthorised access by an employee;
- sending an email to the wrong person by mistake;
- selecting cc instead of bcc in an email; or
- accidentally forwarding information to unauthorised parties.
If a data breach occurs, the next step is to determine whether it is eligible for mandatory notification to the OAIC.
Eligible Data Breach
An eligible data breach arises when:
- there has been unauthorised access to, or unauthorised disclosure of, personal information;
- a reasonable person would conclude that this breach would likely result in serious harm to any of the individuals to whom the information relates. This includes physical, psychological, emotional, financial or reputational harm; and
- the entity has not been able to prevent the likely risk of serious harm with remedial action.
How to Assess if a Data Breach Has Occurred
If you suspect that a data breach has occurred, but are uncertain, then you will need to take all reasonable steps to complete an assessment. You must do this within 30 calendar days of becoming aware of the suspected data breach. You should treat this 30-day period as the maximum time limit, and try to complete the assessment as soon as possible.
However, if you cannot reasonably complete the assessment within that time, you should have documented evidence which outlines:
- that all reasonable steps have been taken to complete the assessment within 30 days;
- the reasons for the delay; and
- that the assessment was reasonable and efficient.
There are three recommended steps for assessing whether a data breach has occurred. You must:
- decide whether an assessment is necessary and assign the person or team that will be responsible for completing it;
- gather all relevant information immediately, focusing on key questions like:
  - who was involved in the suspected breach;
  - what information may have been compromised;
  - where, when and why the breach occurred; and
  - what the likely impact of the breach is; and
- evaluate the information and decide whether the identified breach is an eligible data breach.
If you have reasonable grounds to believe that an eligible data breach has occurred, you will need to notify both the affected individuals and the OAIC.
There are three options available when notifying affected individuals. You should consider each option in light of what is practicable for your startup. Whatever option you choose, your notification should include the following information:
- your startup’s business and contact details;
- a description of the eligible data breach;
- the type of personal information that was involved in the data breach; and
- a recommended way of responding to the data breach. For example, cancelling credit cards or changing online passwords.
1. Notify All Individuals
If practicable, you can notify all the individuals whose personal information was part of the data breach.
This option may be the simplest method. It may also be appropriate when more than one person’s information has been breached and you are unable to assess which individuals are at risk of serious harm.
2. Notify Only Those at Risk of Serious Harm
If it is practicable, you can choose to notify only those individuals who are at risk of serious harm from the data breach.
However, where the eligible data breach involved multiple people’s personal information and you are unable to identify who is actually at risk of harm, you should use option one instead.
3. Publish Notification
While options one and two are the preferred methods of notification, in some circumstances, they may not be practicable. If so, then you must publish a statement on your website that outlines relevant information on the breach. Further, you must proactively publicise the statement and its contents.
Notifying the OAIC
If you are aware of a potential data breach that has a risk of serious harm, you must notify the OAIC. For your convenience, the OAIC has an electronic form that you can submit to notify it of the breach. You should include the same information as you would when notifying individuals.
Most early-stage startups will be exempt from the NDB scheme as they are not APP entities. However, if you are looking to grow rapidly, it may only be a matter of time before you become an APP entity and compliance with the NDB scheme becomes mandatory. Alternatively, you may have chosen to become an APP entity voluntarily. The key considerations of the NDB scheme for your startup are:
- whether you are an APP entity or TFN recipient;
- if you know what a data breach and eligible data breach are;
- if you know how and when to conduct an assessment to confirm whether a data breach has occurred; and
- if you know how and when to notify affected individuals and the OAIC.
If you need assistance confirming how the NDB scheme may affect your startup, get in touch with one of LegalVision’s startup lawyers today on 1300 544 755 or fill out the form on this page.