What is the Notifiable Data Breach Scheme?
The Notifiable Data Breach scheme applies to organisations with obligations under the Privacy Act 1988
- Australian Government agencies
- All businesses and not-for-profit organisations with an annual turnover of $3 million or more
- Some small business operators, including:
- All private sector health service providers
- Those that trade in personal information
- TFN recipients (if annual turnover is below $3 million, the Notifiable Data Breach scheme will apply only in relation to the TFN information)
- Those that hold personal information in relation to certain activities, for example; providing services to the Commonwealth under a contract.
An eligible data breach occurs when 3 criteria are met:
- There is an unauthorised access to, or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
- This is likely to result in serious harm to one or more individuals, and
- The entity has not been able to prevent the likely risk of serious harm with remedial action
“Serious harm” can be psychological, emotional, physical, reputational, or other forms of harm. Understanding whether serious harm is likely or not requires an evaluation of the context of the data breach.
When to conduct an assessment
If you suspect a data breach which may meet the threshold of “likely to result in serious harm”, you must conduct an assessment.
- Generally, there is a maximum of 30 days to conduct this assessment. This begins from when you become aware of a potential breach
- Ahead of the NDB scheme, you should review your data breach response framework to ensure relevant personnel will be made aware of a breach as soon as practicable
- It is not expected that every data breach will require an assessment that takes 30 days to complete before notification occurs. You must notify as soon as practicable once you hold the belief an eligible data breach has occurred
What is involved in a Notifiable Data Breach assessment
- The Act says assessments must be “reasonable” and “expeditious”
- It is up to entities to decide what process to follow when conducting an assessment
- Generally, the OAIC suggests that an assessment should cover off the following:
- Initiate: decide whether an assessment is necessary and identify which person or group will be responsible for completing it
- Investigate: quickly gather relevant information about the suspected breach, including, for example, what personal information is affected, who may have had access to the information and the likely impacts
- Evaluate: make a decision, based on the investigation, about whether the identified breach is an eligible data breach
Who to notify
You must notify any individuals that are at likely risk of serious harm as a result of a data breach. You must also notify the Australian Information Commissioner.
Notifying affected individuals
There are 3 options for notification:
- Notify all individuals whose personal information is involved in the eligible data breach
- Notify only the individuals who are at likely risk of serious harm
- Publish your notification and publicise it with the aim of bringing it to the attention of all individuals at likely risk of serious harm.
There is flexibility in the way you notify individuals.
What to include in a statement to the Australian Information Commissioner
Your notification to the Australian Information Commissioner must be in the form of a statement, which includes the following information:
- The identity and contact details of your agency/organisation
- A description of the eligible data breach
- The kind(s) of information involved in the eligible data breach
- What steps your agency/organisation recommends that individuals take in response to the eligible data breach
This statement must be provided to the Commissioner as soon as practicable.
The OAIC has the following form which can be used for this purpose.
Summary
