The Notifiable Data Breaches scheme (NDB scheme) takes effect in Australia in less than a month – organisations must comply with the scheme from 22 February 2018.
In preparation for the introduction of the NDB scheme, the Office of the Australian Information Commissioner (OAIC) has provided an update and published its fact sheets in final form. While the OAIC has mostly made stylistic changes to its fact sheets it has also provided additional guidance in some areas. This blog will update you on the changes.
Entities covered by the NDB scheme
The NDB scheme applies to entities that have obligations under Australian Privacy Principle (APP) 11 of the Privacy Act 1988 (Cth) (Privacy Act). These entities are known as ‘APP Entities’. The OAIC has clarified that although small business operators (those with a turnover of less than $3 million per year) are generally not included, businesses of any size may be APP Entities. These include entities that trade in personal information, and organisations that provide a health service to, and hold information about, individuals.
The OAIC has also published additional guidance noting that overseas entities that are either incorporated, carry on business, or collect and hold personal information in Australia are also covered by the NDB scheme.
Identifying eligible data breaches
In deciding whether an eligible data breach has occurred, it is necessary to consider whether the data breach will likely result in serious harm to an individual whose personal information was compromised as part of the data breach. The OAIC has published guidance that reassures entities that they are not expected to make external enquiries about the personal circumstances of each individual.
The OAIC has also suggested that the time between when the data breach occurred and when it was discovered is relevant to an entity’s consideration of whether serious harm is likely to occur. The OAIC’s view is that if personal information has been publicly accessible for a significant period before the entity’s discovery of the breach, it may be more likely that the information has been accessed in ways that will result in serious harm to the affected individuals.
Exceptions to notification obligations
The OAIC has indicated its position that entities that report data breaches under the My Health Records Act 2012 (Cth) do not have to report under the NDB scheme.
Information held jointly
In its previous fact sheet, the OAIC included commentary about information held by more than one entity in its ‘Exceptions to notification obligations’ fact sheet. The OAIC has now published a more comprehensive fact sheet that provides information about entities that hold personal information jointly.
The OAIC’s position is that both entities should demonstrate that they are meeting the requirements of the NDB scheme. While the NDB scheme does not prescribe which entity should conduct an assessment of a suspected data breach or notify the affected individuals, the OAIC suggests that the entity with the most direct relationship with the individuals should be responsible for notifying them of the breach. Furthermore, the OAIC considers that entities should establish clear procedures for complying with the NDB scheme when entering into service agreements or other relevant contractual arrangements. Organisations should consider what compliance framework should be built into existing and contemplated contracts.
Notifying individuals about a data breach
The OAIC has published additional commentary about the options for notifying individuals at risk of serious harm. If an entity does not have up-to-date contact details for individuals, it can publish a copy of the statement on its website, ensuring that the statement does not enable anyone to identify any of the affected individuals. While the NDB scheme doesn’t specify the period of time for which the statement should be published, the OAIC considers that it should be published for a period of at least six months.
Further, the OAIC has published additional information about recommendations that entities should make to individuals in the event that their information has been compromised as a result of a data breach. The OAIC considers that the recommendations may be tailored to an individual’s personal circumstances, or may be general to apply to all individuals. If an entity does not have the knowledge or capacity to provide advice to affected individuals, the OAIC considers that entities should seek specialist advice or assistance.
The statement may also include details about the proactive steps that the entity has taken, such as suspending an individual’s account.
Eligible data breach statements
The OAIC has clarified that it does not expect entities to identify the specific individuals who have accessed information unless this is relevant to the steps the entity recommends that individuals take. The OAIC has also made clear that where additional information becomes available after the statement is provided to the OAIC and individuals, the entity may provide this to the OAIC.
The OAIC’s role in the NDB scheme
The OAIC has noted that although not required by the Privacy Act, entities may provide additional supporting information to the OAIC such as technical information. This will assist the OAIC to decide whether to make further inquiries, to take any further action, or to prepare statistical reports. If a breach affects more than one entity, the entity that prepares the statement may also choose to include the identity and contact details of the other entities involved. The OAIC has also revealed that it will regularly publish de-identified statistical information about data breaches notified under the scheme.
The OAIC has flagged that the Data Breach Notification Guide to Handling Personal Information Security Breaches and Guide to Developing a Data Breach Response Plan will be updated in early 2018. NRF will provide you with further updates when those guides are published by the OAIC.
The cyber team at Norton Rose Fulbright can assist your organisation to comply with the NDB scheme. Please feel free to reach out to your contact at Norton Rose Fulbright for more information.