The Office of the Australian Information Commissioner (the OAIC) has released further draft guidance on the notifiable data breach regime in the lead up to the commencement of the new laws on 22 February 2018.
Late last week, the OAIC published further information on the information that must be provided to the Information Commissioner after a notifiable data breach occurs. In particular, the OAIC released the following documents:
- draft guidance on what information should be included when notifying the Information Commissioner of an eligible data breach (which can be found here);
- a draft Notifiable Data Breach Statement in Word; and
- an online draft Notifiable Data Breach Statement smart form (which can be found here).
The draft Notifiable Data Breach Statement is divided into two parts.
- Part One contains the information that an organisation must provide to the OAIC, as well as to individuals, when notifying that an eligible data breach has occurred. This includes information such as a description of the breach, the types of information involved and the steps the affected individual is recommended to take to reduce the risk of experiencing serious harm as a result of the breach.
- Part Two of the statement is optional, and contains information that the OAIC would like to receive to assist it in understanding the eligible data breach. This information does not need to be provided to individuals when notifying them of an eligible data breach. The information requested in Part Two of the statement relates to the details of the breach, such as when it occurred, when it was discovered, its primary cause and how many people were affected. While providing this information is described as being optional, the OAIC says that it may contact parties and request further details where Part Two of the statement is not completed.
In our view, key issues for businesses to consider from the OAIC's guidance and draft statement are that:
- In order to provide the required Data Breach Statement, organisations will need to have a strong understanding of the specific circumstances of the breach, including the types of records compromised, whether other organisations may be impacted and how the underlying security breach event occurred. Organisations may struggle to provide these details unless they quickly engage experts to help manage their incident response.
- The Data Breach Statement includes questions regarding how organisations intend to notify individuals who are likely to be at risk of serious harm due to the breach. Providing this information will require companies to quickly assess what notification provider they intend to engage, and how they propose to manage communication with the individuals who may be impacted by the security event.
- The Data Breach Statement also seeks details about the actions companies intend to take to assist individuals whose personal information was compromised by the data breach. This step will likely require companies to quickly assess the risks and nature of harm individuals may be exposed to and to have sufficient resources available so that they can actively engage with and assist individuals who are notified.
The depth of information which must be provided to the OAIC highlights how important it is to be fully prepared for the notifiable data breach regime. Organisations should be preparing and testing their data breach response plan and ensuring that it contains detailed policies and systems to ensure prompt notification to the OAIC and affected individuals after an eligible data breach.