How to Comply With the 2018 Notifiable Data Breaches Scheme

If your business has obligations to comply with the Privacy Act 1988 (Cth) (Privacy Act), it must soon also comply with the Notifiable Data Breaches scheme (NDB scheme). Coming into force on 22 February 2018, the scheme requires businesses to report serious breaches of privacy to the Office of the Australian Information Commissioner (OAIC). Businesses must also notify the individuals affected by the breach. This article provides an overview of the NDB scheme and explains how to prepare your business for compliance.

Determining if the Notifiable Data Breaches Scheme Applies to Your Business

The NDB scheme is an amendment to the Privacy Act. Businesses that must comply with the Privacy Act include:

  • those with an annual turnover of more than $3 million;
  • credit reporting bodies;
  • health service providers; and
  • tax file number recipients.

However, any business can opt into the Privacy Act. Therefore, if your small business has opted in, you may have to comply with the NDB scheme as well.

The Privacy Act concerns how a business deals with personal information it collects from people. ‘Personal information’ is information that identifies the individual to whom it relates. Credit card details and addresses are common examples of personal information.

Deciding if a Notifiable Data Breach has Occurred

A notifiable data breach occurs when three criteria are satisfied. First, when your business:

  • loses personal information (e.g. misplacing a laptop);
  • discloses personal information to an unauthorised third person (e.g. an email sent to the wrong address); or
  • has its information accessed by an unauthorised third party (e.g. a database is hacked).

Secondly, when the loss, access or disclosure is likely to result in serious harm to a person. And thirdly, when your business has not been able to prevent the likely risk of serious harm.

The occurrence of a data breach in itself is not enough to make it eligible for reporting. All three criteria must be satisfied. For example, you do not need to report a data breach if you can remedy the breach and therefore prevent the likelihood of serious harm occurring.

Assessing Whether a Data Breach is Likely to Result in Serious Harm

Within 30 days of a suspected data breach occurring, your business must assess the breach to determine if it is likely to cause serious harm. The NDB scheme lists relevant matters that can assist a business to determine whether the data breach would result in serious harm. Some of these matters include:

  • Sensitivity of the information: disclosure of sensitive information, such as medical records or sexual orientation, is much more likely to cause serious harm.
  • Type of information: even if the information is not ‘sensitive’, certain types of information, such as credit card details, Medicare numbers or driver’s licences, may be more likely to result in serious harm.
  • Whether security measures protect the information: if the information remains encrypted, and those who can now access it cannot break the encryption, release of the information may not have caused serious harm.
  • The nature of the harm: releasing credit card details will have immediate and serious consequences, whereas releasing only a person’s name will not.

However, ‘serious harm’ is not limited to financial loss. It can also include identity theft, loss of employment opportunities, workplace bullying and reputational damage. Therefore, your assessment procedure must consider all possible types of harm.

Reporting Notifiable Data Breaches

If your business has reasonable grounds to believe that an eligible data breach has occurred, you must notify all individuals affected by the breach (for example, by sending them an email). You must also notify the OAIC. Your notifications must include:

  • the business and its contact details;
  • a description of the data breach;
  • the kinds of personal information that were disclosed; and
  • your recommendations about the steps the individuals should take in response to the breach (e.g. changing their password).

Preparing for the Notifiable Data Breaches Scheme

Your business should prepare for the NDB scheme in two ways. First, update your privacy policy and privacy procedures to ensure they reference the new reporting obligations. The OAIC also recommends that businesses prepare a data breach response plan.

Secondly, review any IT contracts under which your business discloses or receives personal information. As part of this review, you should seek control over determining whether a notifiable data breach has occurred (i.e. not leave it to the other party to make the assessment). Specific contract negotiation points will be:

  • which party has the right to determine whether the data breach is likely to result in serious harm;
  • which party must complete the assessment within the 30-day period; and
  • which party will pay for the assessment.

If you are a customer of IT services, you should also ensure that your contracts state that:

  • the supplier informs you of any possible data breach;
  • the supplier immediately remedies the data breach and complies with your directions when dealing with a data breach; and
  • you have control over notices to OAIC and affected individuals.

Key Takeaways

If your business has obligations under the Privacy Act, it is important that it prepares for the Notifiable Data Breaches scheme. You should create assessment procedures to determine if a data breach is notifiable, draft a data breach response plan and review IT contracts.

If your business needs assistance in complying with the Notifiable Data Breaches scheme, call LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.


Ayatalla Lewih

Read all articles by Ayatalla

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards