On 22 February 2018, amendments to the Privacy Act 1988 came into force introducing the Notifiable Data Breaches (NDB) scheme. Every Australian business covered by the Act should have an action plan in place to meet these new compliance obligations, because failing to meet them can be costly: the Act provides for civil penalties of up to $360,000 for individuals and $1.8 million for companies that fail to exercise due diligence.
Before the scheme was introduced, reporting a data breach to the regulator was voluntary. Under the NDB scheme, reporting an eligible data breach is mandatory.
With more and more businesses collecting customers’ confidential information, it is important to understand what a notifiable data breach is and how you should deal with one.
It is worth noting that any personal information held and protected by your business that is accessed by someone not authorised to do so is a data breach. Whether that breach is notifiable, however, depends on a number of circumstances.
So what exactly is an ‘eligible data breach’? If your receptionist accidentally glimpses a client’s file, is that a data breach? Do you really have to notify the Office of the Australian Information Commissioner (OAIC)? Or is notification reserved for more serious breaches of privacy?
According to the OAIC, an ‘eligible data breach’, which triggers the notification obligations, is a data breach that a reasonable person would conclude is likely to result in serious harm to any of the individuals to whom the information relates, and which the entity has not been able to prevent through remedial action.
Such a breach usually occurs when personal information held by an organisation is lost, or is subjected to unauthorised access or unauthorised disclosure.
Some examples of a data breach include:
- A database containing personal information being hacked
- A customer’s personal information being mistakenly provided to the wrong person
- A device containing customers’ personal information being lost or stolen.
There are some exceptions to the notification requirement, but unless you work in law enforcement they are unlikely to apply to you. The real question is whether a given breach is significant enough to be an ‘eligible data breach’.
Some things to consider:
‘Serious harm’ is not defined by the Privacy Act, but the Act lists a number of relevant matters for assessing whether serious harm is likely, including:
- the kind of information (eg: financial);
- the sensitivity of the information (eg: health information);
- the security protections in place;
- the type of person or people who obtained the information, and the nature of the harm that could result.
For most small business operators (SBOs), the chance of being caught by the scheme at all is slim, because most small businesses are not covered by the Privacy Act.
Small business operators should check Privacy business resource 10: ‘Does my small business need to comply with the Privacy Act?’ to see whether they are affected. Generally, SBOs have no obligations under the Australian Privacy Principles (APPs) unless an exception applies.
Small businesses that must comply with the NDB scheme include those that:
- hold health information or provide a health service
- are related to an APP entity
- trade in personal information; that is, the SBO discloses personal information about individuals to anyone else for a benefit, service or advantage, or provides a benefit, service or advantage in exchange for collecting personal information about individuals from anyone else (for example, a market research agency or an accountant)
- are a credit reporting body
- are an employee association registered under the Fair Work (Registered Organisations) Act 2009
- have ‘opted in’ to APP coverage under s 6EA of the Privacy Act.
If your business falls outside these categories, you most likely will not have obligations under the NDB scheme.
Nonetheless, SBOs should put an action plan in place to safeguard their customers’ data and plan to minimise impact should a breach take place.
Should a data breach occur, the organisation should act immediately to limit its impact.
For example, stop the unauthorised practice, recover the records, or shut down the system that was breached. If it is not practical to shut down the system, or doing so would destroy evidence needed for the assessment, instead revoke or change the compromised access credentials and privileges, and address the weaknesses in physical or electronic security that allowed the breach.
Data breach action plan
Step 1: Contain the data breach to prevent any further compromise of personal information.
Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
Step 3: Notify affected individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the NDB scheme, notification is mandatory.
Step 4: Review the incident and consider what actions can be taken to prevent future breaches.
To find out more about the NDB scheme, go to www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme