On 29 September, the Office of the Australian Information Commissioner (OAIC) published new draft resources to assist organisations to prepare for the Notifiable Data Breaches Scheme (NDB Scheme), which commences on 22 February 2018. Consultation on the draft resources is open until 23 October 2017.
What is the NDB Scheme?
Under the NDB Scheme, if an eligible data breach has occurred, entities that have information security obligations under the Privacy Act 1988 (Cth) (Privacy Act) must notify the affected individual(s) and the OAIC as soon as practicable, using a statement that includes mandatory information. If the entity is aware of reasonable grounds to suspect that an eligible data breach may have occurred, the NDB Scheme requires an entity to assess whether an eligible data breach has occurred, within 30 days.
An eligible data breach is unauthorised access to or disclosure of, or loss of, personal information which is likely to lead to serious harm to any of the affected individuals. See our joint paper with Commvault on the new law for more details.
What topics do the draft resources cover and how do they affect my organisation?
|Draft resource title||Issues covered||Impact|
|Assessing a suspected data breach||When an entity needs to assess whether an eligible data breach has occurred; how quickly an assessment needs to be done and how to assess a data breach||The OAIC expects entities to have systems in place to promptly identify suspected breaches and assess them.
Although the deadline to complete an assessment is 30 calendar days after becoming aware of the grounds to suspect an eligible data breach, the OAIC expects an entity to aim for a much shorter timeframe.
|What to include in an eligible data breach statement and Notifiable Data Breach statement||The OAIC expands on the items of information that must be included in an eligible data breach statement i.e. the entity’s identity and contact details; description of the eligible data breach; kind(s) of information involved and recommended steps for individuals to take in response.||When preparing an eligible data breach statement, an entity should consult this guide and the template Notifiable Data Breach statement to ensure that its statement provides the level of detail expected by the OAIC.|
|Exceptions to notification obligations||There are some exceptions to the notification requirements in the NDB scheme.
· if an eligible data breach affects more than one entity, only one of those entities needs to notify the OAIC and the individual(s) affected; or
· the Australian Information Commissioner may declare that an entity need not comply with the NDB Scheme notification requirements
|This guide shows that the exceptions will operate in limited circumstances. Notably, the OAIC indicates that the Australian Information Commissioner will only issue a declaration that an entity need not comply with the notification requirements in exceptional circumstances and if the entity seeking the declaration puts forward a “compelling case”.|
|Chapter 9: Data breach incidents||This is a new chapter to the OAIC’s “Guide to privacy regulatory action” on data breach incidents, which explains how the Commissioner will carry out its functions under the NDB Scheme.||This is relevant if an entity wants to find out what factors that the Commissioner will consider when making decisions e.g. a decision as to which notifications the Commissioner will respond to.|
What to do next
Entities covered by the Privacy Act should consider whether they would like to make a submission on the draft resources. Specifically, the OAIC has asked respondents to consider:
- Do the draft resources meet the needs of agencies and organisations in understanding the new requirements under the NDB scheme?
- Are there any topics that the draft resources should cover that have not been covered, or should be covered in greater detail?
- Are there any practical examples respondents could share to help illustrate the operation of the NDB scheme?
- Are there any other ways in which the draft resources could be enhanced?
Another possible submission is whether the draft resources are too onerous and go beyond what is strictly required by the new laws (and the impact, if any, of non-binding guidelines which exceed the strict letter of the law).
In addition, OAIC has made clear that impacted organisations should be investing time in reviewing their practices, procedures and systems for securing personal information in preparation for the NDB scheme as well as preparing and updating their data breach response plan.
With the clock ticking, our Review – Refine – Retest – Respond model and our practical guide to responding to data breaches provide a simple and quick reference framework for organisations needing to prepare for the new NDB scheme.