Notifiable Data Breaches Scheme now in effect22 February 2018
The long-awaited Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Scheme) came into effect today, meaning Australian Privacy Principle (APP) entities are now legally required to notify individuals of eligible data breaches. Here are the key things you need to know—in case you aren't familiar with the legislation—including how it will impact you and what you need to do immediately to meet your legal obligations.
Who does the legislation apply to?
The NDB Scheme applies to all APP entities (subject to certain exceptions), including:
- Commonwealth Government agencies
- businesses and not-for-profit organisations with an annual turnover of $3 million or more
- private sector health services providers, and
- entities that handle credit information and tax file numbers.
What is an eligible data breach?
Generally speaking, an APP entity must now notify affected individuals if an eligible data breach occurs in line with s 26WE(2) of the NDB Scheme.
There are two key elements to an eligible data breach, namely:
- where there is unauthorised access to, or unauthorised disclosure of or loss of information, and
- a reasonable person would conclude that the access, disclosure or loss of information would likely result in serious harm to any of the individuals to whom the information relates.
What is serious harm?
The likelihood of serious harm is an objective test based on the reasoning of a reasonable person. Although it is not defined in the legislation, the NDB Scheme's Explanatory Memorandum explains that serious harm:
"...could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity's position would identify as a possible outcome of the data breach."
Section 26WG of the NDB Scheme also sets out a number of considerations for determining whether a reasonable person could conclude that a data breach would or would not likely result in serious harm.
What if you are not sure if there has been an eligible data breach?
If an entity suspects there may have been an eligible data breach under s 26WH of the NDB Scheme, it must carry out a reasonable and expeditious assessment, taking all steps to ensure the assessment is completed within 30 days of becoming aware of the circumstances that might amount to an eligible data breach.
Statements and notifications
If an APP entity has reasonable grounds to believe an eligible data breach has occurred, it must prepare a statement for issue to affected individuals and give a copy to the Office of the Australian Information Commissioner (OAIC). The requirements of the notice to affected individuals are set out in s 26 WK.
What you should do to get up to speed
The OAIC has a number of guidelines to assist APP entities meet their notification obligations under the NDB Scheme, which can be accessed on their website here.
Entities should also check out the Australian Signals Directorate's "Essential Eight", which shares practical tips entities can use to make their networks more secure and avoid breaches.
The OAIC particularly encourages entities to have a data breach response plan in place. Its website sets out what is required in a data breach response plan, including determining responsibility for identifying the breach, assessing the likelihood of serious harm, identifying members of the response team and the responsibility of communicating and dealing with the OAIC after a breach. The training of staff is also a key part of the response plan.
If you haven't already, now is the time to audit your compliance with the legislation, ensure you only hold information reasonably required to conduct business and that personal information is effectively secured. If you do not have a data breach response plan yet, it would be prudent to download the OAIC guideline and begin developing a plan.
Look out for a more detailed summary of the legislation and discussion on how to meet your obligations in the upcoming March issue of Insurance Matters. Alternatively you can read more about this topic on our website.