In preparation for the mandatory data breach notification law (the Notifiable Data Breaches, or NDB, scheme) that comes into effect in February 2018, the Office of the Australian Information Commissioner (OAIC) published three draft resources on 2 June. They are open to public comment until 14 July.
Even in draft form they are useful guidance for companies bound by the Privacy Act.
The three resources are:
Identifying eligible data breaches;
Notifying individuals about an eligible data breach; and
The Australian Information Commissioner’s role in the NDB Scheme.
Identifying eligible data breaches
In relation to the fundamental task of determining whether an incident meets the threshold of being an eligible data breach, the guide gives further clarity on what the phrases “unauthorised access”, “unauthorised disclosure” and “loss” mean.
It also considers how an organisation should approach determining whether the breach is likely to result in serious harm to an individual or individuals, and confirms that the entity must assess this from the standpoint of a reasonable person in the position of the entity, not in the position of the particular individual or individuals affected.
The guide also considers the circumstances in which remedial action taken after a breach may mitigate the risk of serious harm, and provides examples of such action. These examples will be useful to businesses as they navigate the new obligations.
Notifying individuals about an eligible data breach
This guide considers the three notification options: notifying all individuals whose information was involved, notifying only those individuals considered at risk of serious harm from the breach, or, where it is impracticable to notify individuals directly, publishing the notification.
The guide outlines the risks and benefits of the different approaches and sets out the relevant considerations for each of the three options. It also provides one example of a data breach involving more than one organisation. This is likely to be a concern for businesses where several organisations sit in the service supply chain and the contracts between them do not address how they will jointly handle a data breach that affects both of their reputations. Most organisations will need to revisit their contracts on this point in the near future.
Australian Information Commissioner’s role in the NDB Scheme
This brief guide gives background on the Commissioner’s role in receiving notifications and enforcing compliance with the scheme. It also includes a very short section on the Commissioner’s power to declare that notification need not be made, or may be delayed, in certain circumstances. It is hoped that more detail on this will become available in the future.