Australia’s mandatory data breach notification laws will come into effect on 23 February 2018. In a previous article, we outlined the key obligations under the Notifiable Data Breach scheme.
The scheme will take effect on 22 February 2018, and will require organisations regulated by Australia's Privacy Act 1988 (Cth) to notify any individuals likely to be at risk of serious harm due to a data breach.
The Office of the Australian Information Commissioner (OAIC) recently published several draft resources to help organisations comply with their obligations under the Notifiable Data Breach framework. These drafts include the Notifiable Data Breach statement form that the OAIC requires an organisation to file if it suffers an eligible (or notifiable) data breach.
What is an eligible data breach?
Not all data breaches are classed as "eligible data breaches" requiring notification.
An eligible data breach occurs where:
- there is unauthorised access to, disclosure of, or loss of personal information held by an entity;
- it is likely to result in “serious harm” to one or more people; and
- the entity has not been able to reduce this risk of “serious harm”.
For instance, if a financial advisory firm realised that, due to an IT error, a database containing the personal information of its clients was made available online, then an eligible data breach may have occurred.
When must a suspected data breach be assessed?
If an organisation believes it has experienced an eligible data breach, it will be required (under the Privacy Act) to notify the affected individuals and the Commissioner of the breach. There are certain exceptions to this, which are outlined below. Where an organisation merely suspects that it may have experienced a data breach, it must first assess whether the breach is likely to result in serious harm to any individual to whom the information relates. A 'reasonable and expeditious' assessment is required, generally within 30 days of becoming aware of the potential breach.
If the organisation's assessment determines an eligible data breach has occurred, then the organisation must give a Notifiable Data Breach statement to the Commissioner.
What needs to be included in an eligible data breach statement?
The draft Notifiable Data Breach statement provided by the OAIC is separated into two parts. The first is compulsory and must provide:
- the organisation or company name, the organisation's contact details, and any trading name;
- a description of the breach;
- a description of the kind of information involved; and
- recommendations for the affected individuals as to what steps they should take in response to the breach.
The second part of the statement is optional. The statement may include:
- if the breach affected more than one entity, the identity and contact details of the other entities involved;
- the date/s when the breach occurred and when it was discovered;
- descriptive information, such as the cause of the breach and how it occurred;
- the number of individuals whose personal information is involved; and
- details of the actions undertaken by the organisation to assist affected individuals and to prevent further breaches.
The organisation must provide the Commissioner with a copy of its Notifiable Data Breach statement 'as soon as practicable' after becoming aware of the breach.
The organisation must also notify affected individuals about the contents of its Notifiable Data Breach statement, or if this is not practicable, publish a copy of the statement on the organisation's website and take reasonable steps to publicise the contents of the statement. In a further article, we will discuss notifying individuals about an eligible data breach.
Are there any exceptions to the notification obligations?
There are very few exceptions, being:
- Where a data breach relates to information held by two or more organisations, only one of the entities is required to notify the Commissioner and impacted individuals.
- An enforcement body (such as the Australian Federal Police or the Department of Immigration and Border Protection) must notify the Commissioner of a notifiable data breach within its organisation, but it is not required to notify the impacted individuals if its Chief Executive Officer has reasonable grounds to believe that doing so may harm an 'enforcement related activity'.
- Where there are Commonwealth secrecy laws regulating the use of such information, a notice to individuals and the Commissioner is not required.
- The Commissioner may make a declaration that an organisation need not comply with the notification requirements.
The Government has confirmed that statistics associated with the notifiable data breach scheme will be collected and published. This may give rise to concerns about commercial confidentiality. However, the OAIC has undertaken to respect the commercial and operational sensitivity of information provided. Additionally, part two of the Notifiable Data Breach statement allows an entity to request that the information it provides be held in confidence.
Public comments welcome
The draft Notifiable Data Breach statement and other draft resources have been published on the OAIC website. Public comment is due by Monday 23 October 2017.