Notifiable Data Breach Scheme
The Federal Government of Australia passed the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017, which introduced the Notifiable Data Breaches (NDB) scheme.
The NDB became enforceable on the 22nd of February 2018 and applies to all agencies and organisations that collect and hold people’s personal information and are subject to obligations under the Australian Privacy Act 1988.
Companies subject to the scheme no longer have the option of keeping quiet following a data breach, with potential penalties for non-compliance of $420,000 for each director and $2.1 million for the business. The scheme mandates that the data breach be investigated, with disclosure of the data breach to the regulator as soon as practicable and to all affected persons within 30 days of discovery of the breach.
The amendment is designed to ensure that companies take appropriate measures to protect their customers’ valuable and sensitive data, preventing it from being accessed or stolen and falling into the wrong hands. More importantly, the amendment is designed to enhance and protect an individual’s privacy, affording greater protection of their Personally Identifiable Information (PII) and financial data, whilst mitigating identity theft and financial fraud.
If you require any assistance with complying with the NDB scheme, please contact us today and speak with one of our specialists.
What You Need To Know
The information below is provided as guidance only. For more detailed information, please contact CAT today, or visit the excellent resources available on the Office of the Australian Information Commissioner (OAIC) website.
The main point of the NDB scheme is not to protect the company that was breached, but to protect the people whose personal information has been released without their authority. Failing to advise potentially affected victims of a data breach prevents those individuals from taking proactive measures to protect their data, or from seeking compensation from the companies responsible.
The NDB scheme will apply to all ‘APP entities’. APP entities are entities that are required to comply with the Australian Privacy Principles under the Privacy Act.
‘APP entities’ include all businesses with an annual turnover of more than $3 million. However, be advised that ‘APP entities’ also include small businesses (i.e. businesses with turnovers of less than $3 million) if they are:
- Private sector health service providers (including medical practitioners, pharmacists, gyms and weight loss clinics)
- Complementary therapists, such as chiropractors or psychologists
- Childcare centres, private schools and private tertiary educational institutions
- Businesses that sell or purchase personal information
- Credit reporting bodies
- Related to a business that is an APP entity
If you’re covered under the NDB scheme, you must report any breach of personal information that is “likely to result in serious harm”.
Whilst some may consider the term “serious harm” vague, it can include:
- Physical harm
- Financial/economic harm
- Emotional harm (e.g. embarrassment and humiliation)
- Psychological harm (e.g. marginalisation and bullying)
- Reputational harm
To determine whether a data breach is likely to cause ‘serious harm’ (and is therefore a Notifiable Data Breach), you should consider factors such as:
- The type of information breached
- Whether the information is protected by other security measures and the probability that someone can overcome those measures
- The people who may have access to the information as a result of the breach
- The nature of the harm that might arise from the breach
A ‘data breach’ is defined generally as a situation where ‘personal information held by an agency or organisation is lost or subjected to unauthorised access, modification, disclosure or other misuse or interference’.
A ‘Notifiable Data Breach’ arises if:
- There has been an unauthorised access or disclosure of information and it is reasonable to believe that it could result in serious harm to individuals (e.g. if your database has been accessed, compromised or hacked); or
- Information is lost in circumstances where unauthorised access is likely and it is reasonable to believe that it could result in serious harm to individuals (e.g. if your employee left a folder containing clients’ personal information in a public place).
If an APP entity suspects that a data breach has occurred, it must carry out an assessment within 30 days to verify whether the breach occurred and ascertain whether it is a Notifiable Data Breach.
Affected individuals must also be notified of the breach using any reasonable direct method of communication (e.g. phone call, email, SMS, letter in the mail or via your company website).
A notification of a Notifiable Data Breach must include the following information:
- The identity and contact details of the APP entity
- A description of the breach
- The types of information exposed by the breach
- Recommendations about the steps that people should take in response to the breach
If you or your business requires any assistance in investigating a data incident or data breach, contact us today and we will provide you with confidential support, guidance and advice to ensure you investigate and handle the matter in accordance with this legislation.