When running your business, you will have many privacy obligations to consider, one of these being how to handle a notifiable data breach (NDB). An NDB occurs when an individual’s data is lost or susceptible to unauthorised access. This kind of infringement requires your business to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals. In this article, we look at:

  • what a data breach is; 
  • what makes a data breach “serious”;
  • your business’ reporting obligations; and 
  • how your business can limit the impact of a breach. 

Application of the NDB Scheme 

The OAIC introduced the Notifiable Data Breaches Scheme (NDB Scheme) in February 2018.

The NDB Scheme outlines a business’ responsibilities if a data breach occurs, and applies to: 

  • businesses with an annual turnover of over $3 million;
  • credit reporting bodies;
  • businesses that trade in personal information; 
  • health service providers; and 
  • tax file number recipients.

If the NDB Scheme applies to you, you will need to comply with its reporting obligations.

What Does a Notifiable Data Breach Look Like? 

A data breach occurs when:

  1. personal information is lost, or there is unauthorised access or disclosure of information to a third party;
  2. the loss, disclosure or access could result in serious harm; and
  3. your business is not able to reduce this harm.

The breach is notifiable if you have met all three conditions. Therefore, if the harm is not serious or if you can implement steps to reduce the harm, then it may not be notifiable.

The OAIC website has many resources to help you determine whether a data breach is notifiable.

What Makes the Harm of a Data Breach Serious? 

Whether a data breach could result in “serious harm” is based upon the perspective of a “reasonable person” in the position of your business. This will consider several factors, including:

  • whether the harm is financial, physical, psychological or reputational; 
  • whether the information lost, disclosed or accessed is sensitive;
  • who has obtained or could obtain the information; and
  • whether effective security measures were in place to protect the information.

For example, suppose an online marketplace is hacked by a malicious third party, exposing customers’ personal information and credit card details. Because this could lead to financial loss or identity theft for those customers, the likely harm is serious.

Your Reporting Obligations

Once you have determined that an NDB has occurred, you must report the breach to the OAIC and any affected individuals. You should first prepare a statement of events to be submitted to the OAIC, including:

  • a summary of how the breach occurred;
  • what data was lost, disclosed or accessed;
  • the effect of the breach; and
  • your business name and contact details.

You can report a breach to the OAIC using the OAIC’s online Notifiable Data Breach form.

Similarly, it is crucial to directly notify the individuals who are at risk of harm. If you cannot contact them directly, you should publish a statement on your website. The notification should:

  • summarise the events of the breach;
  • outline the potential impact; and
  • detail the actions you are taking to mitigate any risks.

Limiting the Impact of a Data Breach

Prevention is vital when it comes to data breaches. You can implement technological features to minimise the risk of breaches, including the:

  • use of reputable cybersecurity software; 
  • storage of documents and passwords in secure locations; and
  • use of email delay functions to quickly recall emails that your employees should not have sent. 

In addition, you can minimise human error by:

Whatever precautions you take, you should still prepare for a data breach caused by factors outside your control. You can limit the impact of a breach by implementing a Data Breach Response Plan (DBR Plan). Your plan should set out:

  • who in the business is responsible for dealing with the breach; and 
  • what actions they must take if a breach occurs. 

After a breach occurs, containing it should be your primary focus. This means limiting the impact of the breach by:

  • recovering lost records; 
  • remotely deleting files; 
  • shutting down the system through which the breach occurred; and 
  • removing particular individuals’ access to the system.

Key Takeaways

Notifiable data breaches are a threat to every business, particularly as more and more information is transmitted electronically. If the NDB Scheme applies to your business, make sure that you are prepared for a data breach and can respond appropriately by: 

  • containing the breach; and
  • notifying the OAIC and affected individuals if necessary. 

If you are looking for advice on your privacy obligations or for a team of experts to draft your policy documents, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
