On 22 February 2017, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (the NDB Act) passed both Houses of Parliament and received Royal Assent. With the twelve-month introductory period almost expired, the NDB Act is due to commence in February this year.
In a nutshell, the NDB Act represents the first time in Australia that entities who are subject to the Privacy Act 1988 (Cth) (the Privacy Act) will have a mandatory obligation to report eligible data breaches to both the Office of the Australian Information Commissioner (OAIC) and any individuals who may be potentially affected by a data breach.
We have put together the following FAQs which might help to understand the implications of the changes brought about by the NDB Act and what it means for your business.
When does the NDB Act commence?
Twelve months after receiving Royal Assent, the NDB Act is due to commence from 22 February 2018.
What does the NDB Act do?
The NDB Act amends the Privacy Act by introducing a mandatory data breach notification scheme. Under this scheme, it will be mandatory for entities and agencies subject to the Privacy Act to notify individuals when a data breach occurs which is likely to result in serious harm to those individuals. The OAIC must also be notified of such data breaches.
Who does the NDB Act apply to?
The NDB Act applies to Commonwealth Government agencies and private sector organisations who are currently subject to the Australian Privacy Principles under the Privacy Act.
This includes private sector organisations (including not-for-profit organisations) with annual (group) turnover of more than $3 million, as well as small businesses that may be earning $3 million or less but are (amongst others) health service providers, involved in trading in personal information, contractors that provide services under a Commonwealth contract or credit reporting bodies.
Entities already exempt from the operation of the Australian Privacy Principles will not need to comply with the NDB Act.
For instance, the NDB Act applies to private schools or companies with turnover of more than $3 million per year, but not to local councils or state government agencies.
What are some examples of data breaches that could affect me?
Examples of a data breach include when:
- a device containing customers’ personal information is lost or stolen;
- a database containing personal information is hacked; and
- personal information is mistakenly provided to the wrong person.
However, the obligation to notify the OAIC and affected individuals under the NDB Act is only triggered in circumstances where a data breach constitutes an ‘eligible data breach’, as further described below.
What should I do if I become aware of a data breach?
If you are an entity that is subject to the Australian Privacy Principles in the Privacy Act and you become aware that there are reasonable grounds to believe that there has been an eligible data breach, you are required to promptly notify any individuals at risk of being affected by the data breach and the OAIC about it.
(a) Eligible data breach
An eligible data breach occurs where:
- there is unauthorised access to, or unauthorised disclosure of, personal information, or personal information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
In this test, ‘likely’ is to be interpreted to mean more probable than not and ‘reasonable person’ is to be taken to mean a person in the entity’s position who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach. Importantly, the OAIC’s guidance states that the reasonable person is not to be taken from the perspective of an individual whose personal information was part of the data breach or any other person, and, generally, entities are not expected to make external enquiries about the circumstances of each individual whose information is involved in the breach.
(b) Likely to result in ‘serious harm’
An assessment as to whether an individual is likely to suffer ‘serious harm’ as a result of an eligible data breach depends on, among any other relevant matters:
- the kind and sensitivity of the information subject of the breach;
- whether the information is protected and the likelihood of overcoming that protection;
- if a security technology or methodology is used in relation to the information to make it unintelligible or meaningless to persons not authorised to obtain it, the information or knowledge required to circumvent that security technology or methodology;
- the persons, or the kinds of persons, who have obtained, or could obtain, the information; and
- the nature of the harm that may result from the data breach.
The Explanatory Memorandum for the NDB Act recognises that potential forms of serious harm could include physical, psychological, emotional, economic and financial harm as well as harm to reputation.
(c) Remedial action
The NDB Act contains a number of exceptions to the notification obligation, including importantly where an entity is able to take effective remedial action to prevent unauthorised access to, or disclosure of, information when it is lost or to prevent any serious harm resulting from the data breach. Where such remedial action is taken by an entity an eligible data breach will not be taken to have occurred, and therefore an entity will not be required to notify affected individuals or the OAIC.
(d) Suspicion of an eligible data breach
Where an entity merely suspects that an eligible data breach has occurred but there are no reasonable grounds to conclude that the relevant circumstances amount to an eligible data breach, the NDB Act requires the entity to undertake a ‘reasonable and expeditious assessment’ of whether there are in fact reasonable grounds to believe that an eligible data breach has occurred.
An entity must take reasonable steps to complete such an assessment within 30 days after the day it became aware of the grounds that caused it to suspect an eligible data breach. We note that the OAIC’s guidance suggests that the 30 days should be treated as a maximum time limit for completing an assessment, and entities should endeavour to complete the assessment in a much shorter timeframe.
Where entities jointly or simultaneously hold the same record of information in respect of which an eligible data breach is suspected to have occurred, only one assessment is required to be undertaken.
Where an entity fails to realise that there are reasonable grounds to suspect that an eligible data breach has occurred, or fails to undertake an adequate assessment, the OAIC may direct the entity to notify individuals affected by the breach.
Who should I notify if I become aware of a data breach and how long have I got after becoming aware of a data breach before I have to notify someone?
Where an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach (whether it forms such an awareness following an assessment, as discussed above, or otherwise), the entity must as soon as practicable:
- prepare a statement that, at a minimum, contains:
  - its contact details. The identity and contact details of any other entity that jointly or simultaneously holds the same information in respect of which the eligible data breach has occurred (for example, due to outsourcing, joint venture or shared services arrangements) may also be provided. If this information is included in the statement, that other entity will not need to separately report the eligible data breach (s 26WM of the NDB Act);
  - a description of the data breach;
  - the kinds of information concerned; and
  - the steps it recommends individuals take to mitigate the harm that may arise from the breach (while the entity is expected to make reasonable efforts to identify and include recommendations, it is not expected to identify every possible recommendation that could be made following a breach);
- provide a copy of this statement to the OAIC; and
- take such steps as are reasonable in the circumstances to notify affected or at-risk individuals of the contents of the statement. Individuals may be notified by the mode of communication normally used by the entity or, if there is no normal mode of communication, by email, telephone or post. If direct notification is not practicable, the entity must publish the statement on its website and take reasonable steps to publicise its contents.
What constitutes a ‘practicable’ timeframe will vary depending on the time, effort or cost required to comply with the above requirements.
What are the fines that I might be up for if there is an eligible data breach in my organisation?
Where an entity experiences an eligible data breach, the occurrence of that data breach in and of itself is unlikely to result in the entity facing penalties. Rather, a failure to report an eligible data breach will be considered an interference with the privacy of an individual affected by the eligible data breach. Under the Privacy Act, this means that a failure to notify affected individuals of an eligible data breach could be the subject of a complaint to the Privacy Commissioner.
Serious or repeated interferences with the privacy of an individual can give rise to civil penalties of up to $2.1 million. (We note that company directors or management will not be personally liable for such serious or repeated interferences.)
Are there any new rules relating to the security of personal data introduced by the NDB Act?
The NDB Act does not itself impose any new requirements regarding the security of personal data. However, the NDB Act primarily supplements Australian Privacy Principle 11 which requires entities who hold personal information to take reasonable steps to protect personal data from misuse, interference and loss, and from unauthorised access, modification or disclosure.
What sort of policies should I have in place to demonstrate my compliance with the NDB Act?
The OAIC recommends that entities have an up-to-date data breach response plan in place to ensure that they are able to respond to suspected data breaches quickly.
The OAIC’s Data breach notification — A guide to handling personal information security breaches and Guide to developing a data breach response plan (which the OAIC are currently updating) provide handy guidance in managing suspected data breaches and developing policies.
What are other companies doing about these new data breach rules to get themselves ready?
Many entities are getting to know what data they have and where it is kept. It is important to know what data your company captures, who it relates to and where it is kept to ensure that you are complying with your legal and regulatory obligations relating to that data.
They are also looking at their existing types of policies and procedures to make sure that they are in a position to respond appropriately in the event of a data breach. This could mean the development of a new data breach response plan or modifying an existing plan.
It is also important that personnel are aware of the incoming NDB Act. Personnel should know how to identify when an eligible data breach may have occurred and how to follow an entity’s policies and procedures on what to do next. Importantly, teams such as IT, legal, public relations, and management will need to know how to work effectively together to investigate, manage and remediate a data breach.
Some entities are looking at their relationships with suppliers who process personal information on their behalf and bulking up their privacy clauses. These privacy clauses should ensure that a supplier provides assistance if there is a data breach on the supplier’s side or systems. They are also developing supplier-facing policies in relation to the NDB Act to ensure that suppliers understand their role and what is expected of them in the event of a data breach.
Finally, some entities are auditing and strengthening their cybersecurity strategies and tools to avoid and prevent data breaches.