Does this article refer to you? It does if:
Your business has a yearly turnover more than $3M OR
You have employees OR
You are a private health sector provider.
Then please take the time to read this important information –
Notifiable Data Breaches
As of the 22 February 2018 the new mandatory data breach notification or notifiable data breaches amendments to the Privacy Act 1988 (“provisions”) will come into effect. However, even by then a significant number of private sector organisations and a number of Federal Government agencies will still not be ready for/able to fully comply with the provisions. In addition to general compliance concerns, failure to have a privacy management program and data breach response plan in place could attract possible fines of up to $1.8m and ‘compensation’ per individual affected of around $10,000 (if there has been a privacy compliance failure)
The NDB scheme applies to organisations with obligations under the Privacy Act 1988.
- Australian Government agencies
- All businesses and not-for-profit organisations with an annual turnover of $3 million or more
- Some small business operators, including:
All private sector health service providers
Those that trade in personal information
TFN recipients (if annual turnover is below $3 million, the NDB scheme will apply only in relation to TFN information). If you pay wages to employees, then you are likely to hold your employees TFN & so you need to comply with this legislation. For more information regarding The Privacy of Tax File Numbers please refer to the following link: The Privacy (Tax File Number) Rule 2015 and the protection of tax file number information (Privacy Act).
Those that hold personal information in relation to certain activities, for example: providing services to the Commonwealth under a contract.
What is a data breach?
A data breach is when personal information held by an entity is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Examples of a data breach are when a device containing personal information of clients is lost or stolen, an entity’s database containing personal information is hacked or an entity mistakenly provides personal information to the wrong person (eg, emailing personal information to the wrong person).
‘Eligible data breaches’ under the NDB scheme
An eligible data breach occurs when three criteria are met:
- There is unauthorised access to, or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
- This is likely to result in serious harm to one or more individuals, and
- The entity has not been able to prevent the likely risk of serious harm with remedial action.
- ‘Serious harm’ can be psychological, emotional, physical, reputational, or other forms of harm.
- Understanding whether serious harm is likely or not requires an evaluation of the context of the data breach.
- If you take remedial action that prevents the likelihood of serious harm occurring, then the breach is not an eligible data breach.
- For breaches where personal information is lost, the remedial action is adequate if it prevents the unauthorised access or disclosure of personal information.
If you suspect a data breach which may meet the threshold of ‘likely to result in serious harm’, you must conduct an assessment
- Generally, there is a maximum of 30 days to conduct this assessment. This begins from when you become aware of a potential breach
- Ahead of the NDB scheme, you should review your data breach response framework to ensure relevant personnel will be made aware of a breach as soon as practicable
- It is not expected that every data breach will require an assessment that takes 30 days to complete before notification occurs. You must notify as soon as practicable once you hold the belief an eligible data breach has occurred.
Why do you need a data breach response plan?
All entities should have a data breach response plan. Your actions in the first 24 hours after discovering a data breach are often crucial to the success of your response. A quick response can substantially decrease the impact on the affected individuals. High profile data breaches, both in Australia and overseas, highlight the significant disruption caused by a breach of personal information. Research suggests that the cost to an organisation for a data breach can be significant. Implementing a data breach response plan can assist in mitigating these costs.
Having a Guide to developing a data breach response plan and a response plan checklist is part of establishing robust and effective privacy procedures and having clear roles and responsibilities is part of a good privacy governance. A plan can also help you:
- Meet your obligations under the Privacy Act – an entity must take reasonable steps to protect personal information that it holds, those reasonable steps may include having a data response plan.
- Protect an important business asset – the personal information of your customers and clients as well as your reputation.
- Deal with adverse media or stakeholder attention from a breach or suspected breach.
- Instil public confidence in your capacity to protect personal information by properly responding to the breach.
If there are reasonable grounds to believe that the data breach is likely to result in serious harm to any individuals whose information is involved, the person responsible must notify the individual concerned and the Australian Government Office of the Australian Information Commissioner of the eligible data breach.
In determining whether it is so likely to result in serious harm, you must have regard to:
- the kind of information
- its sensitivity
- whether the information is protected by security measures
- whether any security measures that are in place to protect the information could be compromised
- who has obtained or could obtain the information
- whether a person could have obtained information or knowledge which could circumvent the relevant security technology or methodology
- the nature of the harm
Who to Notify
You must notify any individuals that are at likely risk of serious harm as a result of a data breach. You must also notify the Australian Information Commissioner.
Notifying affected individuals
There are three options for notification:
- Notify all individuals whose personal information is involved in the eligible data breach
- Notify only the individuals who are at likely risk of serious harm; or
- Publish your notification, and publicise it with the aim of bringing it to the attention of all individuals at likely risk of serious harm.
There is flexibility in the way you notify individuals.
Non-compliance could result in heavy penalties.
We recommend you assess your need to comply with this legislation & obtain further information from the links provided in this article, including the Australian Government Office of the Australian Information Commissioner (OAIC).