The Notifiable Data Breach Scheme and the Importance of Keeping Personal Info Private

A reminder that the Notifiable Data Breaches (NDB) scheme has been law in Australia from 22 February 2018. The NDB scheme applies to all organisations with security obligations relating to personal information under the Australian Privacy Act 1988.

What does this mean for your organisation?

The NDB scheme introduced a legal obligation on affected entities to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm to the individual. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner must also be notified of eligible data breaches. Failure to comply with the NDB scheme can attract fines of up to $2.1 million.

Who must comply with the NDB scheme?

The NDB scheme applies to organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes businesses and not-for-profit organisations that have had an annual turnover of more than $3 million in any financial year since 2001. It also applies to credit reporting bodies, health service providers and TFN recipients, among others.

The rules are complicated and we suggest that you consult with your solicitor if you have any doubts about whether or not the rules apply to you. There are many special circumstances where the scheme applies regardless of turnover, for example, entities providing health services or businesses providing services to the Commonwealth under a contract.

Which data breaches require notification?

The NDB scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected. These are referred to as ‘eligible data breaches’. There are a few exceptions which may mean notification is not required for certain eligible data breaches.

A data breach means unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information.

  • Unauthorised access is not just access by an external third party (e.g. “hacker”) but may be by an employee of the entity, or an independent contractor.
  • Unauthorised disclosure occurs when an entity, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the entity, and releases that information from its effective control. For example, an employee of an entity accidentally publishes a confidential data file containing the personal information of one or more individuals on the Internet.
  • Loss refers to the accidental or inadvertent loss of personal information held by an entity, in circumstances where it is likely to result in unauthorised access or disclosure. An example is where an employee of an entity leaves personal information (including hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) on public transport.

In the context of a data breach, ‘serious harm’ to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

Some kinds of personal information may be more likely to cause an individual serious harm if compromised. Examples of these kinds of information include:

  • Information about an individual’s health
  • Documents commonly used for identity fraud (e.g. Medicare card, Driver Licence, and Passport details)
  • Financial information

The specific circumstances of the data breach are relevant when assessing whether there is a risk of serious harm to an individual. This may include consideration of the following:

  • Whose personal information was involved in the breach
  • How many individuals were involved
  • How long the information has been accessible
  • What parties have gained or may gain unauthorised access to the personal information

In assessing the risk of serious harm, entities should consider the broad range of potential kinds of harms that may follow a data breach. Examples include:

  • Identity theft
  • Significant financial loss by the individual
  • Threats to an individual’s physical safety
  • Loss of business or employment opportunities
  • Humiliation, damage to reputation or relationships
  • Workplace or social bullying or marginalisation

The NDB scheme provides a further incentive for all organisations to assess or re-assess their data security policies and procedures. All organisations need to have a risk management plan including strategies to mitigate the risk of data security breaches, and a response and recovery plan in place to deal with any breaches. The response plan should include a framework to assess whether any breach should be reported to the Australian Information Commissioner.

Staff training and cyber insurance are key elements in protecting all organisations from the risk of data breaches. Given the importance of this topic, we will be including further articles on these topics in upcoming posts.

For further information, see the website of the Office of the Australian Information Commissioner.

If you wish to discuss any of the above issues, please feel free to contact us and ask for David Downie, Partner.
