If you are a small business owner, you may have to comply with certain privacy obligations regarding personal information. Since 2018, the Notifiable Data Breaches (NDB) scheme applies to certain businesses who must report data breaches that pose a serious risk of harm. This article explains whether your small business needs to comply with the NDB scheme and how to manage data breaches.
Do I Need To Comply with the Australian Privacy Principles?
You have to comply with the NDB scheme if the Australian Privacy Principles (APPs) apply to you. The APPs apply to businesses that have an annual turnover of over $3 million, which are known as APP entities. However, you can be an APP entity regardless of annual turnover if you are a:
- business that trades in personal information, such as buying and selling email lists;
- credit reporting body; or
- health service provider, such as an:
  - allied health professional; or
  - weight loss clinic.
Most small businesses have a turnover of up to $3 million. If your business does not fall under one of the exceptions, you are exempt from complying with the APPs.
However, you may have employed people in your small business. Your employment records would contain individual tax file numbers (TFNs). The NDB scheme applies to TFN information regardless of whether you are an APP entity, so you will have to comply with it for those records. You may also have to comply with other privacy obligations if a data breach compromises the security of the TFNs.
What is a Data Breach?
The NDB scheme sets down rules for APP entities to report data breaches to the Office of the Australian Information Commissioner (OAIC). A small business may cause a data breach if personal information is accessed or disclosed without authorisation. Loss of personal information also counts as a data breach.
Personal information is information about an identified individual or an individual who can be reasonably identified. Some common examples are:
- date of birth;
- gender; and
- health information.
A data breach is not always caused by computer hackers or by someone illegally accessing the data for criminal or malicious purposes. Human error or IT failures can lead to data breaches. Some examples of data breaches include:
- losing physical devices like laptops, hard drives or paper forms that contain personal information;
- unauthorised access by an employee;
- sending an email to the wrong person by mistake;
- selecting cc instead of bcc in an email; or
- accidentally forwarding information to unauthorised parties.
If a data breach occurs, you must know when you are required to notify affected individuals and the OAIC.
Eligible Data Breach
An eligible data breach for your small business occurs when:
- there has been unauthorised access to, or unauthorised disclosure of, personal information;
- the breach, according to a reasonable person, is likely to result in serious harm to the person or people concerned. The categories of harm include physical, psychological, emotional, financial or reputational harm; and
- your small business cannot prevent the likely risk of serious harm with remedial action.
If you suspect that a data breach has occurred, you should take all reasonable steps to complete an assessment. You must do this within 30 calendar days of becoming aware of the suspected data breach. You should treat these 30 days as the maximum time limit. Aim to complete the assessment as soon as possible. If you cannot assess the breach within that period, you should provide written evidence showing:
- the steps your business has taken within the 30 days to assess the data breach;
- the reasons for the delay; and
- whether the assessment period was reasonable and efficient.
When assessing the data breach, you should:
- decide whether an assessment is necessary;
- assign the person or team that will be responsible for completing it;
- gather all relevant information immediately, focusing on questions like:
  - who was involved in the suspected breach;
  - whether any sensitive information has been compromised;
  - where, when and why the breach occurred; and
  - what the likely impact of the breach is; and
- evaluate the information and decide whether the identified breach is an eligible data breach.
If you have reasonable grounds to believe there is an eligible data breach, you will need to notify the affected people and the OAIC.
There are three options available when notifying affected individuals. Choose the option that is practical for your small business. Whatever option you choose, your notification should include the following information:
- your contact details;
- a description of the eligible data breach;
- the type of personal information that was involved in the data breach; and
- a recommended way of responding to the data breach, such as cancelling credit cards or changing online passwords.
1. Notify All Individuals
If practical, notify all the individuals whose personal information was part of the eligible data breach. This option is appropriate if you have a data breach that involves multiple people. In that situation, you cannot reasonably assess which particular individuals are at risk of serious harm. Therefore, you should notify everyone as a precaution.
2. Notify Only Those Individuals at Risk of Serious Harm
If practical, notify only those individuals who are at risk of serious harm from the eligible data breach. This option is appropriate if the data breach happens to one person’s personal information or you can identify the multiple people who are at risk of serious harm. If you cannot identify people at risk of serious harm, you should adopt option one.
3. Publish Notification
Options one and two are the preferred methods of notification. However, if you cannot contact the individuals for practical reasons, you must publish a statement on your website containing the relevant information. Furthermore, you must proactively publicise the statement, such as by sharing the notification on social media.
Notifying the OAIC
You must notify the OAIC for any potential data breaches that pose a risk of serious harm. The OAIC has an electronic form that you can submit to notify the breach. You should include the same information as you would when notifying individuals.
Most small businesses will be exempt from the NDB scheme as they are not APP entities. However, if you are looking to grow more rapidly, you may become an APP entity and have to comply with the NDB scheme. The key considerations of the NDB scheme for your small business are:
- whether you are an APP entity or TFN recipient;
- if you know what a data breach and eligible data breach are;
- if you know how and when to conduct an assessment to confirm whether a data breach has occurred; and
- if you know how and when to notify affected individuals and the OAIC.
If you need assistance confirming how the NDB scheme may affect your startup, get in touch with LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.