The new Notifiable Data Breaches Scheme arrives 22 February 2018. Your business must comply with this scheme if it also has to comply with the Privacy Act. However, not every business needs to comply. Businesses that must comply include:

  • those with an annual turnover of more than $3 million;
  • credit reporting bodies,
  • health service providers; and
  • those that receive tax file numbers from people.

If your business fits into one of these categories, you will need to report a notifiable data breach to both the affected individuals and the Office of the Australian Information Commissioner (OAIC). This article explains when your business needs to report a data breach.

What is a Notifiable Data Breach?

You need to report a data breach if:

  • there is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information, that your business has collected;
  • the access or disclosure is likely to result in serious harm to one or more individuals; and
  • your business has not been able to prevent the likely risk of serious harm with remedial action.

However, all factors must be present. For example, if you quickly act to contain the data breach, you do not need to report.

Identifying a Data Breach

Broadly, a data breach is:

  • unauthorised access to personal information;
  • unauthorised disclosure of personal information; or
  • loss of personal information.

The new laws do not define these situations. However, OAIC has provided some guidance on what a data breach may look like.

 

Type of Data Breach Explanation
Unauthorised access of personal information Where the information is accessed by someone who is not permitted to have access including employees, contractors and external third parties.
Unauthorised disclosure of personal information Where the information becomes visible to external third parties but in a way that is not permitted under the Privacy Act.
Loss of personal information Where the information is lost and that loss may result in unauthorised access or disclosure.

 

Personal information is information that identifies a person. For example, their name or address.

Identifying Serious Harm

Your business only needs to report a data breach if it is likely to result in serious harm. ‘Likely’ means to have at least a 50% chance. ‘Serious harm’ can include psychological, physical, emotional, financial or reputational harm to the individuals involved.

You judge this from the perspective of a person in your business’ position. This means that your business must consider many different factors when determining if serious harm has occurred:

 

Serious Harm Factor Explanation
Type of information A release of names only would likely not cause serious harm.
The sensitivity of the information Some types of information, such as medical records, are sensitive.
Whether you protected the information with security measures If you protected the information with passwords, it may indicate that release of the information could cause serious harm.
Whether you removed personal details from the information or made it unintelligible If you made the information unintelligible, for example by removing important details or encoding the information, this could help the information stay secure even after a  breach, preventing serious harm.
Who obtained the information The breach is more likely to cause serious harm if the information was widely distributed.
The likelihood that people who obtained the information could cause harm to the individuals If criminals obtained the information, the breach is more likely to cause serious harm.
The likelihood that any security measures could be overcome If the security measures were not strong enough, this would indicate that serious harm was likely to occur.
If your business could have obtained any security technology to minimise the risk of the harm If your business could have stopped the breach, but did not, serious harm is more likely.

Key Takeaways

To prepare for the NDB scheme, you need to be able to identify:

  • when a data breach occurs;
  • when it is a data breach that could result in serious harm; and
  • ways to take remedial action for these data breaches.

By taking action, you can prevent serious harm, avoiding the need to report a data breach.

If you need assistance in complying with the NDB scheme, call LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

Sam Auty
If you would like further information on any of the topics mentioned in this article, please get in touch using the form on this page.
Would you like to get in touch with Sam about this topic, or ask us any other question? Please fill out the form below to send Sam a message!