Out-Law Legal Update | 23 Feb 2018 | 3:10 pm | 5 min. read
The Privacy Amendment (Notifiable Data Breaches) Act 2017 was introduced into law in February 2017, but it only took effect on 22 February 2018. The legislation introduced a mandatory data breach notification regime into Australian law (NDB scheme). It applies to certain breaches of personal information.
The NDB scheme will affect:
Australian entities subject to the NDB scheme may also be responsible for notifying data breaches experienced by data processors they use that are based overseas where those overseas recipients experience an eligible data breach. In those circumstances the NDB scheme treats the Australian entity as if it had held the information and suffered the data breach themselves. Australian entities will therefore not escape the NDB scheme simply because the information is held, or the data breach occurs, offshore.
Obligation to notify
Under the NDB scheme, organisations must notify affected individuals and the information commissioner of "eligible data breaches". A data breach is considered 'eligible' where all of the following conditions are satisfied:
While 'serious harm' is not defined in the legislation, the explanatory memorandum to the Act states that it should be broadly construed and is a term that could be considered to include any or all of physical, emotional, economic, financial and reputational damage. Whether this is likely to occur should be decided from the perspective of a reasonable person in the position of the holder of the information, not the person about whom the information related. The explanatory memorandum further notes that 'likely' means probable, rather than possible.
Factors to be considered in assessing whether a data breach constitutes an eligible data breach include:
What do you have to do if you suspect there has been an eligible data breach?
When organisations become aware of a data breach but are unsure whether they have an obligation to notify under the NDB scheme, then they must carry out an assessment/investigation of the breach. This must be performed in an expeditious manner and, in any event, within 30 days of becoming aware of the potential eligible data breach.
If there has been, or there are reasonable grounds to believe that there has been, an eligible data breach, then organisations must notify in accordance with the NDB scheme.
When notifying, organisations must:
Where it is not practical for organisations to notify all affected individuals, they must publish a copy of the statement on their website and take reasonable steps to publicise the content of the statement.
Failure to notify an eligible data breach is an "interference with the privacy of the individual" under Australia's Privacy Act and can give rise to civil penalties.
Entities will be exempted from the notification requirements where:
Failure to comply with the NDB scheme could result in exposure to material civil penalties, which currently stand at AUS$360,000 ($281,000) for individuals and AUS$1.8m ($1.41m) for corporate entities. In addition, failure to comply will expose organisations to risks of reputational and/or other associated commercial damage, including a loss of trust.
What should businesses do?
Adherence to information security policies and the implementation of information security measures will be fundamental in preventing breaches, as well as in ensuring that entities are prepared in the event of a breach. Prevention will be vital in limiting reputational harm to entities.
Implementing security measures will make it less probable that a data breach will be likely to cause serious harm to an individual and therefore less the likelihood that it would be subject to notification requirements.
Entities should implement security technology such as encryption and/or two-factor authentication with respect to both electronic devices and portable information storage devices like USBs and external hard drives.
A data breach response plan will be fundamental in enabling entities to quickly and effectively respond to and manage a data breach. A data breach response plan is a process and framework setting out the procedures to be followed in the event of a data breach.
The response plan should include, among other things: