The day has arrived. 22 February 2018. After years of debate and plentiful discussion, Australia now has a notifiable data breach scheme (NDB Scheme).
As a result there are various changes to privacy law in Australia and it is important for all organisations to know whether the new laws impact their business and how to respond to a suspected data breach.
While there are many different aspects of the NDB Scheme, in this blog we focus on notification statements.
If your organisation reasonably believes an eligible data breach has occurred, it must:
- contain the breach
- prepare a notification statement
- provide a copy of the notification statement to the OAIC, and
- quickly notify individuals with a likely risk of serious harm.
What is in a notification statement?
The OAIC has indicated that organisations are free to customise a notification statement, so long as it includes the following information:
- the identify and contact details of the organisation, which a requirement to use the name most recognisable to impacted individuals (e.g. company name or trading name)
- a description of the data breach, including the date of the breach, when the organisation detected the breach, the circumstances (e.g. whether there is a known cause), who obtained the data (e.g. an external third party) and relevant remedial action taken by the organization
- the kind of information compromised, such as whether it was individual’s names, addresses or telephone numbers. Your organisation should state clearly if sensitive information was compromised (e.g. health information, credit card details or passport numbers), and
- recommended steps for affected individuals to mitigate the harm of risk (e.g. cancel credit cards or offer credit monitoring service).
It is essential that as part of a notification statement, your organisation does not disclose personal information of affected individuals.
If your organisation is subject to a data breach, individuals should be notified as soon as practicable after the statements are prepared, unless cost, time and effort are excessively prohibitive.
Depending on the circumstances of a data breach, it may be appropriate to:
- contact all individuals affected, or
- contact only individuals at risk of serious harm, or
- publish the notification in a public place.
Method for notification can include mail, email, telephone calls, SMS, social media, newspaper or in-person meeting. It is important to consider the most appropriate method for each data breach.
The OAIC has indicated that if an organisation elects a public notification, the notification should be clearly displayed in a prominent location so it can be viewed by as many affected individuals as possible. Although not specified in the Privacy Act, the OAIC expects that publications will exist for at least six months.
When it comes to preparing a notification statement and the notification of affected individuals, it is critical for organisations to carefully consider each option and if necessary seek legal advice.