Every year an untold number of organisations are affected by data breaches. These can be accidental or inadvertent (eg leaving an external hard drive of sensitive information on the train), but are more frequently malicious attempts by external parties to obtain sensitive information (eg hacking).
From 22 February 2018, organisations affected by an “eligible data breach” will be required to notify the Office of the Australian Information Commissioner (OAIC), and any affected individuals, of the breach. The OAIC has released draft resources to assist organisations to prepare for these new requirements.
What is the law?
On 22 February 2017, the Australian Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017. This act amends the Privacy Act 1988 (Cth) to introduce a scheme (the NDB Scheme) whereby, if an “eligible data breach” occurs to an organisation regulated by the Act, that organisation must notify any affected individuals and the OAIC of the breach.
Why has the NDB Scheme been introduced?
It is not uncommon to hear reports of large organisations being significantly affected by major data breaches compromising the personal information of hundreds of thousands or millions of people. On multiple occasions, the affected organisations have delayed revealing that the data breach occurred, or the full scope of the data breach. For example:
- In 2012, LinkedIn reported a data breach compromising 6.5 million user accounts. In May 2016, it was discovered that a further 100 million user accounts may have been compromised as a result of the 2012 data breach.
- In September 2016, Yahoo reported a data breach which occurred two years earlier (in 2014) which had compromised over 500 million user accounts. In December 2016, Yahoo reported that an even earlier breach (in August 2013) had compromised over 1 billion user accounts.
The NDB Scheme has been introduced to establish a mandatory reporting scheme for data breaches.
What is an “eligible data breach”?
An eligible data breach occurs if:
- there is unauthorised access to or disclosure of personal information (or the information is lost in circumstances where this is likely to occur); and
- it is likely that the persons to whom that information relates will be seriously harmed as a result of the unauthorised access or disclosure.
Examples of what is likely to constitute a data breach include:
- theft or loss of a device (eg an external hard drive);
- hacking or other breaches of electronic security measures; and
- inadvertent wrongful disclosure (eg disclosing information to the wrong person).
However, not every data breach will be an eligible data breach. This will depend on factors including the quantity and sensitivity of the lost information, and the likelihood and seriousness of the harm which may come to an affected person as a result of the loss.
How must organisations react to an eligible data breach under the NDB Scheme?
If an organisation becomes aware that an eligible data breach may have occurred, the organisation must notify the OAIC and the affected individuals.
The notice must include:
- the identity and contact details for the organisation;
- a description of the eligible data breach which has (or is suspected to have) occurred;
- the information lost as a result; and
- recommendations about the steps that affected individuals should take in response.
What organisations must comply with the NDB Scheme?
In general, any individual, company, partnership, association or trust which collects or holds personal information, and has an annual (gross) turnover of more than $3 million, must comply with the Privacy Act and therefore the NDB Scheme.
Some exceptions apply, including if the entity is a health service provider, operates a residential tenancy database, carries on a credit reporting business, or is an employee association under the Fair Work Act.
On 2 June 2017, the OAIC released draft resources to assist organisations to comply with the NDB Scheme. These resources include guidance on: