Today marks the commencement of the Notifiable Data Breach (NDB) Scheme under the Privacy Act 1988 (Cth). All businesses must now be aware of their new obligations under the Privacy Act and more importantly, understand how to comply with them in order to prevent and deal with a data breach.
In the lead up to the start of the NDB Scheme, the Office of the Australian Information Commissioner (OAIC) released a new 64-page guide "Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)" (Data Breach Guide). This guide provides a useful starting point to understanding the NDB Scheme, preparing a data breach response plan and responding to any data breaches.
The NDB Scheme applies to businesses with the following attributes:
- those with an annual turnover of more than $3 million
- TFN (tax file number) recipients - any entity or person who is in possession or control of a record that contains TFN information
- entities that disclose personal information overseas
- entities that disclose credit eligibility information to other entities who do not have an Australian link
- credit reporting bodies
- credit providers
An eligible data breach is one which meets the following criteria:
- there is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur)
- this is likely to result in serious harm to any of the individuals to whom the information relates
- the entity has been unable to prevent the likely risk of serious harm with remedial action
All three of these criteria must be satisfied for the data breach to be eligible for reporting to the OAIC. Examples of an eligible data breach may include loss of portable devices containing customers' personal information, a database containing personal information being hacked, or personal information being mistakenly provided to the wrong customer. Even an employee who accesses and browses sensitive customer records without any legitimate employment purpose could constitute a data breach, because that access is not authorised.
If you suspect a data breach has occurred, your business must within 30 days assess the breach to determine if it is likely to cause serious harm. Although not explicitly defined, serious harm is related to the type or types of personal information involved in the breach; the circumstances of the data breach; and the nature of harm that may result from the data breach. Serious harm includes serious physical, psychological, emotional, financial or reputational harm.
Finally, if your business has reasonable grounds to believe that an eligible data breach has occurred, you must notify all individuals affected by the breach and you must also notify the OAIC. Remember that the financial penalties imposed for non-compliance are not insignificant, with penalties of $2.1 million for organisations and $420,000 for individuals.
The Australian Privacy Commissioner stated, "the success of an organisation that handles personal information or a project that involves personal information depends on trust. People have to trust their privacy is protected, and be confident that personal information will be handled in line with their expectations", meaning it is more important than ever to implement a data breach response plan to notify affected individuals and the OAIC of any notifiable data breaches.
Don't forget that if you do suspect a data breach has occurred, you should also undertake an assessment to determine if the data breach represents a Significant Breach of your AFS licence, particularly in respect of your risk management and adequate IT resource obligations.
How CompliSpace can help
CompliSpace assists its clients to unravel the NDB Scheme, providing a full suite of Privacy services. Our team of compliance professionals and lawyers combine extensive expertise alongside practical technology-enabled solutions to simplify the complexity of the financial services regulatory environment to allow clients to focus on allocating resources toward improving financial performance.
Please contact Brooke Benson to discuss your Privacy requirements further.