The Notifiable Data Breach Scheme (NDB Scheme) came into force on 22 February 2018, resulting in various changes to Australia’s privacy law. In previous posts, we have considered the nature and contents of notification statements, and how to identify which data breaches need to be notified.
Those posts set out the notification requirements where an organisation has reasonable grounds to believe it has experienced an eligible data breach. This post considers a preliminary step, namely, the approach to be taken when an organisation only suspects that it has experienced an eligible data breach.
Suspected data breach
A key take-away from this post is that obligations arise under the NDB Scheme not only where there is a known data breach, or where an organisation reasonably believes there is a data breach, but also where it is suspected that one might have occurred.
What constitutes knowledge, belief and suspicion in this context is not defined under the scheme. This, along with tight timeframes and potentially significant penalties, makes obtaining early legal advice vital.
Assessment of suspected data breaches
Where an eligible data breach is suspected, the organisation must quickly assess the situation to determine whether or not the breach is reportable.
The assessment of a suspected breach should follow a three stage process:
- Identify the persons responsible for completing the assessment;
- Gather all relevant information about the suspected breach (e.g. what personal information was affected, who had access, what are the foreseeable consequences and what remedial action is possible); and
- Evaluate whether it is a notifiable data breach.
The assessment should be completed within 30 calendar days and organisations should not unreasonably delay investigations (e.g. by waiting for Board approval or executive discussion).
Each stage of the process should be well documented. In particular, the reasons for the ultimate conclusion, and for any delay in the assessment process, must be recorded.
Incident Response Plan
To ensure they comply with their new obligations, organisations to which the NDB Scheme applies should prepare an Incident Response Plan (IRP) that they can refer to if a data incident occurs. The IRP should clearly specify the roles and responsibilities of those tasked with managing a suspected breach.
A key advantage of preparing an IRP in advance of an incident is that it can be prepared in a relaxed and thoughtful manner, rather than during a crisis when urgency is high and pressure is on. The IRP will greatly assist in coordinating a rapid response, which can serve to limit the consequences of any breach. Don’t forget to keep a hard copy of your IRP, as you may not be able to access the electronic version depending on the type of data incident that occurs.
If your organisation would like assistance with preparing an IRP that complies with the requirements of the NDB Scheme, you should consider seeking legal advice.