This post is Part 2 in our series "Help, we’ve been hacked! How do I respond to a data breach?" written by Sam Hartridge and Sophie Frankum. Part 1 looked at general steps to contain a privacy breach. Part 3 will look at other notification obligations that can apply to Australian businesses. Part 4 will examine the vexed question of paying ransoms in the event of ransomware attacks. Finally, Part 5 surveys some key international breach notification requirements.
In this post, we look at the Notifiable Data Breach (NDB) scheme found in the Privacy Act 1988. This Act regulates the collection, use and disclosure of personal information. This means that, despite the name, the NDB scheme applies to privacy breaches. (In part 1 of this series, we talked about privacy breaches and data breaches and explained that there was a some overlap between the two, and that sometimes the terms are used interchangeably).
The NDB scheme covers entities who have existing obligations under the Privacy Act to secure personal information. This includes including businesses that have an annual turnover of more than AUD$3 million, as well as private sector healthcare, and credit agencies. It also covers any business that trades in personal information and tax file number recipients.
Identifying a data breach
As the name suggests, NDB scheme requires businesses to notify affected individuals and the OAIC about data breaches. The scheme defines a data breach as occurring when ‘personal information that an entity holds is subject to unauthorised access or disclosure, or is lost.’
Personal information is information about an identified individual or an individual who is reasonably identifiable. To find out more information about what a data or privacy breach is, see Part 1.
However, notification is not necessary for not all unauthorised access, disclosure or loss of personal information. Rather, you are only required to notify in the case of eligible data breaches (EDB). An EDB is a breach that is likely to result in serious harm to the affected individuals. If serious harm is not likely, there are no notification requirements.
So, an EDB occurs when:
- There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur);
- This is likely to result in serious harm to any of the individuals to whom the information relates; and
- The entity has been unable to prevent the likely risk of serious harm with remedial action.
Data breaches can be very harmful to the individuals affected. Breaches can cause a wide range of harm. This includes damage to the physical or mental well-being of affected individuals, their reputation, as well as financial loss.
From the perspective of organisations, a data breach can negatively impact day-to-day business operations and reputation. This then impacts on the organisation’s ability to acquire and retain clients.
Reasonable suspicion
If your business has reason to suspect that it has suffered an eligible data, it is critical to quickly assess the situation. The OAIC advises that an assessment must be reasonable and expeditious, and entities should develop their own procedures for assessing this suspected data breach.
This assessment must be conducted within 30 days after becoming aware of the suspected EDB. This is considered a maximum time limit for completing the assessment and the OAIC expects that the assessment be completed in a shorter timeframe, as the “risk of serious harm to individuals often increases with time.”
In most instances, what constitutes ‘expeditious’ should be measured in hours to days, not weeks. In this respect, it worth noting that the timeframe under the GDPR is 72 hours.
In any event, if there is reasonable grounds to believe that there has been an EDB, the entity must promptly notify affected individuals and the Commissioner about the breach (See below).
How is an assessment done?
The assessment must be reasonable and expeditious. The OAIC expects the amount of time and effort entities will expend in an assessment to be proportionate to the likelihood and severity of the breach.
The suggested assessment from the OAIC is a three-stage process:
- Initiate: decide whether an assessment is necessary and identify who is responsible for completing it.
- Investigate: gather all relevant information about the breach such as:
- how did the unauthorised access, disclosure or loss occur?
- is breach still occurring?
- what types personal information is affected?
- who had or may gain access to the information?
- what are the likely impacts?
- Evaluate: decide, based on the investigation, whether the identified breach is an EDB.
Notifying a Data Breach
If you reasonably believe that an EDB has occurred, you must notify.
Your obligations in notifying a EDB are to notify individuals at risk of serious harm and provide a statement to the Commissioner as soon as practicable. The notification to individuals contains similar information to the statement to the Commissioner. This statement must be provided as soon as practicable and can be provided through an online form on the OAIC website.
Where the police are investigating the breach, it will usually be appropriate to consult the investigating agency before making details of the breach public.
You have three options in notifying. Which one you chose will depend on the nature of the EDB and your relationship with the individuals affected by the breach.
- Notifying all individuals (via telephone, SMS, physical mail, social media or in-person).
- Notifying only the individuals at risk of serious harm (via telephone, SMS, physical mail, social media or in-person).
- Publishing a widespread notification (via a published copy of the statement prepared for the Commissioner on its website and taking reasonable steps to publicise the contents – such as making an announcement on social media).
A notification can be tailored in an way an entity wishes – however, it must include the following information:
- the identity and contact details of the entity;
- a description of the eligible data breach that the entity reasonably believes to have happened;
- the kinds of information concerned; and
- recommendations about the steps that individuals should take in response to the eligible date breach.
When don’t you need to notify
There are some exceptions to the Notifiable Data Breaches Scheme reporting requirements. These are:
- EDBs of other organisations;
- EDBs in the context of law enforcement activities;
- where a notification is inconsistent with the government secrecy provisions such as the Protective Security Policy Framework;
- where a declaration has been made by the OAIC that notifcation is not to be undertaken; and
- data breaches already notified under s 75 of the My Health Records Act.
Other reporting obligations
Your business will also need need to consider whether the circumstances of a data breach triggers other requirement. For example, it may be appropriate to seek advice from organisations such as the Australian Taxation Office (for a data breach that involves tax file numbers).
We cover this in more depth in our next post in this series.