The Notifiable Data Breach Scheme (NDB Scheme) came into force on 22 February 2018, resulting in various changes to Australia’s privacy law. In this post, we look at how to identify which data breaches are “eligible data breaches” and need to be notified to the OAIC and affected individuals under the NDB Scheme.
Which data breaches require notification
An organisation must notify under the NDB scheme if it experiences (or has reasonable grounds to believe that it has experienced) a data breach in which:
- there is unauthorised access, unauthorised disclosure or loss of personal information; and
- the data breach is likely to result in serious harm to one or more individuals affected.
This is described as an eligible data breach.
Unauthorised access, unauthorised disclosure or loss
Unauthorised access occurs when an individual accesses personal information they were not supposed to. This can happen in a variety of ways and is not limited to an external hacker. For example, an employee viewing personal information without proper cause can constitute unauthorised access.
Unauthorised disclosure is similar to unauthorised access, but occurs when the information is made accessible or visible to others. For example, an entity publishing names of its customers in a public forum may be unauthorised disclosure.
Loss occurs when the entity loses personal information they were holding, in circumstances where it is likely to result in the information being accessed by or disclosed to unauthorised persons. By way of example, losing an unencrypted USB containing personal information on public transport is likely to constitute loss.
Even if there is unauthorised access, unauthorised disclosure or loss, the data breach isn’t necessarily notifiable. The entity needs to consider whether any of the individuals impacted by the breach are likely to experience serious harm.
“Likely to result in serious harm” has no special meaning. It simply means that the risk that an affected individual suffers serious harm is more probable than not. Assessing whether serious harm is likely to occur can be difficult. The NDB Scheme suggests the following factors should be taken into account:
- the kinds of information affected and its sensitivity;
- whether the information is protected by one or more security measures and the likelihood the measure or measures could be overcome;
- the persons, or the kinds of persons, who have obtained, or who could obtain, the information; and
- the nature of the harm.
If a data breach occurs, organisations should assess the risk holistically, having regard to the consequences for the individuals whose personal information was part of the data breach and the likelihood of harm occurring. If, taking into account the above, the risk of serious harm to affected individuals is likely, your organisation needs to notify the OAIC and affected individuals.
For information about what to include in a notification statement read our previous blog, which sets out the requirements.
It is important to note that an organisation is not required to conduct investigations into the personal circumstances of the individuals affected when determining whether a breach will likely cause those individuals serious harm.
If your organisation has experienced a breach and is unsure whether it is notifiable, it may be necessary to seek legal advice.