By Naomi Stephens (Paralegal) and Amelia Edwards (Lawyer)
The Notifiable Data Breaches Scheme, established under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), comes into effect on 22 February 2018. The Scheme imposes obligations on entities and organisations which hold personal information in relation to known or suspected data breaches.
Who is caught by the Notifiable Data Breaches Scheme?
The Scheme applies to agencies and organisations which have obligations under the Privacy Act 1988 (Privacy Act) to protect the personal information which they collect and hold. This includes government agencies, not-for-profit and private sector organisations with an annual turnover greater than $3m.
A small business (ie a business with an annual turnover of less than $3m) may also be caught by the Scheme if it falls under one of the exceptions (such as entities which trade in personal information, health services providers, credit reporting bodies, operators of residential tenancy databases etc).
Role of the OAIC
The Scheme is regulated by the Office of the Information Commissioner (OAIC). The OAIC will handle complaints, receive notifications of eligible data breaches, advise organisations and agencies which must comply with the Scheme, and will conduct investigations and take action in relation to instances of non-compliance.
What is an “eligible data breach”?
An eligible data breach occurs where there is actual unauthorised access to (or disclosure of) personal information, or a loss of personal information that is likely to result in unauthorised access or disclosure, AND that unauthorised access or disclosure is likely to cause serious harm to the individual(s) whose personal information is accessed or disclosed.
What constitutes an eligible data breach is not limited to external hacking or a rogue employee providing data to third parties. It includes situations such as the loss or theft of laptops or other devices containing personal information, or where personal information is inadvertently provided to the wrong person. A conservative analysis would also include any unauthorised system or premises access where it cannot be proved that personal information was not accessed.
In assessing whether the breach is likely to cause “serious harm”, consideration must be given to the types of harm which may arise – physical, psychological, financial or reputational. The question is whether a “reasonable person” would consider that serious harm is likely to occur, not whether you personally think it is likely. A breach concerning sensitive information (as defined under the Privacy Act) or exploitable credit card information is, for example, probably more likely to give rise to a risk of “serious harm”, but the term is not otherwise defined and may be interpreted broadly.
What you must do if there is a breach
If you have reasonable grounds to suspect that an eligible data breach has occurred, you must promptly notify the OAIC and (if practical) the individuals affected by the breach – public notice requirements may otherwise apply. Certain information must be provided when making these notifications, and pro forma notices are available on the OAIC website.
You may also have contractual obligations to notify your clients (or notify them before notifying the OAIC or the public) in the event of a data breach.
Non-compliance with the Notifiable Data Breaches Scheme may be deemed to be an “interference with the privacy of an individual”, which may result in fines of up to $1.8m. You may also end up breaching client contracts.
Affected businesses and entities must ensure that they are familiar with their obligations under the Scheme (and under their client or customer contracts), and have a plan in place to deal with suspected or actual data breaches efficiently and effectively. Staff should also be trained on appropriate procedures to follow in the event of a breach.
Speak to us today about privacy compliance training options tailored for your business.
If you have any questions in relation to privacy or spam matters generally, or the Notifiable Data Breaches Scheme specifically, please don’t hesitate to contact me.