The NDB Scheme and cloud providers
07 December 2018
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Scheme) came into effect on 22 February 2018 requiring Australian Privacy Principle (APP) entities to notify individuals if an eligible data breach has occurred. The NDB Scheme applies to cloud providers as well as the entity that originally collected the personal information.
Almost one-third of Australian businesses now use commercial cloud computing services. In 2016, the second-largest healthcare insurer in the USA suffered a data breach that affected 80 million customers. Investigators analysing the breach found hackers smuggled data out in a cloud-based file sharing service. The incident illustrates the potential for cloud-related breaches as well as the risk when data is unsecured.
Cloud providers are considered to hold personal information if they have in their possession, or control of, a record that contains personal information, such as dates of birth and credit card details.
Cloud computing is one of many examples where one or more entities may hold the same information. Where more than one entity holds the same record of personal information, both are responsible for complying with the NDB Scheme for the records held. Even though both entities have the responsibility to notify, only one of the entities jointly holding the information need comply with the NDB assessment—whether or not there has been an eligible data breach—and notify the individuals to whom the information relates.
The NDB Scheme, however, does not specify which entity should conduct the assessment of the data breach and notify affected individuals. For this reason, where information is held jointly such as through a cloud computing arrangement, entities holding the information should establish clear procedures in a service agreement or other contractual documents as to who notifies the affected individuals. A sensible rule of thumb is that the entity with the most direct relationship with the individuals at risk is best placed to handle the notification responsibility and deal with the regulator.
In addition to clarifying who will be responsible for notifying affected individuals, there are a number of matters to be considered when dealing with a cloud provider. The entity should be satisfied that the provider's data handling framework is certified to a relevant Australian or international standard. Wherever possible, relevant data should be encrypted before it is disclosed, rather than relying solely on the cloud provider to safeguard the information. It is also important to know whether the cloud provider intends to use any of the information for its own purposes, whether it intends to sub-contract its services to other parties, and which notification regimes the cloud provider is required to comply with in its host jurisdiction.
An entity subject to the NDB Scheme that discloses personal information to an overseas recipient will remain accountable for an offshore eligible data breach, even if that entity is not responsible for the breach.
Entities cannot avoid the NDB Scheme by outsourcing the handling or storage of personal information to cloud providers or other third-party suppliers. Companies should review their cloud and other outsourcing contracts to ensure responsibilities are clearly defined.