With the clock now well and truly ticking, we take this opportunity to revisit some of the key issues under the new Notifiable Data Breaches (NDB) scheme, namely:
- Does the NDB scheme apply to me?
- If I have a data breach, who do I have to notify and how do I do it? and
- How much time do I have to notify them?
Does the NDB scheme apply to me?
The NDB scheme applies to all agencies and organisations that have privacy obligations under the Privacy Act 1988 (Cth) (Privacy Act).
Entities caught by the NDB scheme will include all Commonwealth agencies and private sector businesses and not-for-profits with an annual turnover of more than $3 million.
Certain types of private sector businesses will be caught regardless of their turnover, including:
- private sector health service providers;
- credit reporting bodies and credit providers;
- entities that trade in personal information;
- Tax File Number recipients;
- employee associations registered under the Fair Work (Registered Organisations) Act 2009 (Cth); and
- entities providing services to the Commonwealth under contract.
This is not an exhaustive list – if in doubt, seek legal advice as to whether the NDB scheme applies to you.
Who do I have to notify and how do I do it?
If an entity is aware that there are reasonable grounds to believe that there has been an “eligible data breach” (broadly, unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to the individuals concerned), it must notify the Office of the Australian Information Commissioner (Commissioner) and affected individuals.
The statement to be provided to the Commissioner must include the following information:
- the identity and contact details of the entity; and
- a description of the eligible data breach that the entity has reasonable grounds to believe has happened; and
- the kind or kinds of information concerned; and
- recommendations about the steps that individuals should take in response to the eligible data breach.
This statement must also form the basis of the notification to individuals.
The NDB scheme includes quite pragmatic provisions allowing for different ways to notify individuals in the event that there is an “eligible data breach”.
There are three main alternatives:
- notify all individuals to whom the relevant information relates – this method will apply if it is not practicable to separately identify persons who may specifically be affected by the breach;
- notify affected individuals – where you are able to separate out particular individuals who are at risk from the breach; and
- if neither of the above is practicable, you must communicate the breach by publishing a statement on your website (if you have one) and otherwise by taking reasonable steps to publicise it.
How much time do I have to notify them?
Individuals must be notified “as soon as practicable” after you have prepared your statement to the Commissioner.
What does “as soon as practicable” mean?
The Commissioner also uses expressions such as “expeditiously” and “promptly”, but what do these words mean?
To a certain extent, we can look to the US, where similar data breach notification laws have been in place for a number of years, for guidance. In California, where the law requires notification “in the most expedient time possible and without unreasonable delay”, the Office of Privacy Protection recommends notice be given within 10 business days. In reality, statistics collected since the statute commenced in California suggest that affected individuals were notified in 16 days or less in only 25% of cases.
In relation to our Act, consideration needs to be given to the impact of the breach. The more time-sensitive the potential harm, the shorter the notification period is likely to be. To put it another way, if a significant means of mitigating harm is to notify individuals quickly so that they can take action to minimise or eliminate loss and damage, then the notification period should be much shorter, in some cases measured in hours rather than days. So the possibly slightly unhelpful answer appears to be that “as soon as practicable” will mean different things in different scenarios.
The Commissioner has finalised a number of publications aimed at providing guidance around this and other issues.
The Commissioner has also published a draft template Notifiable Data Breach Form which, when finalised, will allow statements to be lodged online or completed in hard copy. The draft template includes an “optional” Part Two in which the Commissioner “encourages entities to voluntarily provide additional information about the eligible data breach”.
What do I need to have ready for 22 February?
We strongly recommend that, among other things, all potentially affected entities have a data breach response plan in place by 22 February 2018. If you are caught by the NDB scheme and do not yet have a data breach response plan, this should be a key priority for your organisation.