data breach

Mandatory notification of data breaches in Australia - what you need to know


Introduction to the New Mandatory Notification Scheme

The Privacy Amendment (Notifiable Data Breaches) Act will upon its introduction on  22 February 2018, result in the Notifiable Data Breach Scheme (NDB Scheme). The amendments are designed to strengthen the protections afforded to the personal information of individuals, as well as improving transparency in the way that organisations respond to serious data breaches. This should give those individuals the opportunity to take steps to minimise the damage that can result from the unauthorised use of their personal information.
The NDB Scheme will apply to businesses, Australian Government agencies, and other organisations that are already required by the Privacy Act 1988 (Cth) (Privacy Act) to keep information secure. Australian Privacy Principle (APP) entities, credit reporting bodies, and tax file number recipients holding information subject to the information security requirements under the Privacy Act, will be subject to the new regime.
The new Act will require relevant entities to implement effective data breach assessment response and notification processes thereby reducing the risk of an “eligible data breach”.
When must you notify?
When there are reasonable grounds of suspicion of there being a data breach that is likely to result in serious harm to any individual to whom the information relates. 
All entities should prepare their data breach plan to ensure that they are able to respond quickly to suspected data breaches.
What must you notify?
Data breaches under the proposed scheme are likely to involve any of the following being compromised:

  • personal information; eg. health information, credit card payment details
  • credit reporting information;
  • credit eligibility; and/or
  • tax file number information.

Two types of eligible data breach
An entity must notify the Commissioner when it becomes aware on reasonable grounds that there has been an eligible data breach. There are two types of eligible data breach:

  • if there is unauthorised access to or unauthorised disclosure of information, and a reasonable person would conclude that the same would likely result in serious harm to any of the individuals to whom the information relates; or
  • if information is lost in circumstances where there is likely to be unauthorised access to, or unauthorised disclosure of the information and – if such access or disclosure were to happen – a reasonable person would conclude it likely to result in serious harm to any of the individuals to whom information relates. 

Examples of an ‘eligible data breach’ include:

  • A cyber intrusion involving the online publication of individuals’ names and credit card numbers;
  • A database containing personal information being hacked;
  • Personal information that is mistakenly provided to the wrong person; and
  • Personal information from a PC or similar device being lost or stolen; 

Each of these examples is likely to lead to an unauthorised access or disclosure, with results likely to occasion serious harm to affected individuals.

Breach likely to result in serious harm
Serious harm to an individual may include serious physical, psychological or emotional harm as well as economic loss and reputational damage.
The determination as to what falls under “serious harm” relies on a “reasonable person test’: whether a reasonable person would conclude that access to or disclosure of the personal information would be likely to result in serious harm to any of the individuals to whom the information relates. The test is satisfied if the harm is caused to any individual whose relevant information has been breached.
When is a breach NOT a breach?
Section 26WF states that an eligible data breach does not occur nor is it taken to occur when:

  • there has been unauthorised access or disclosure but the entity takes action before there is consequent serious harm;
  • there is a loss of information but the entity takes action in relation to the loss before any unauthorised access or disclosure occurs;
  • there is a loss of information, the entity takes action in relation to the loss after there is unauthorised access or disclosure, but a reasonable person would conclude that it would not likely result in any serious harm to any individual. 

Serious harm, whether likely or not to occur and what security measures are to be employed?

Section 26WG contains a non–exhaustive list of relevant matters for assessing whether access or disclosure would be likely or not result in serious harm to occur. These matters include the kind and sensitivity of the information. Should the information be protected by one or more security measures, this Section considers the factors in determining the likelihood as to whether those security measures can  be overcome. If the security measure is encryption, an encryption key is an example of information required to circumvent the security technology.
What does the notification involve?
The entity must notify the Office of the Australian Information Commissioner (OAIC) and all individuals affected by the breach. If it is impractical to notify all affected individuals, the entity must publish a statement on its website with content of the statement detailing the eligible data breach. The notification statement must set out:

  • the identity and contact details of the entity;
  • a description of the eligible data breach; and
  • recommendations about the steps that individuals should take in response to the eligible data breach.

How do you notify?
By form of course!
Click here for the Notifiable Data Breach Form.

Must you always notify?
Not always. There are some exceptions to the obligation to notify including:

  • where you have taken sufficient remedial action in response to the eligible data breach before it causes serious harm to any affected individual;
  • if the eligible data breach affects more than one entity, then only one of the affected entity needs to undertake notification;
  • where the entity is already required to disclose the breach pursuant to the My Health Records Act 2012 (Cth).

When is it necessary to investigate data breaches?
The general rule is that a reasonable and expeditious assessment must be carried out within 30 days of the entity becoming aware of the reasonable grounds for suspicion. All reasonable steps should be taken to ensure that it is completed within this timeframe.
What happens if you fail to notify?
A failure to notify of an eligible data breach (or to carry out an assessment of a suspected eligible data breach) is an ‘interference with the privacy of an individual’ under the Privacy Act and subject to the standard penalty regime for such interferences under that Act. An interference with the privacy of an individual can lead to investigations by the Australian Information Commissioner who has the power to issue determinations, accept enforceable undertakings, bring court proceedings to enforce such determinations or enforceable undertakings or to seek an injunction. Serious or repeated interferences with the privacy of an individual can also give rise to possible civil penalties of up to $1.8 million for companies and $360,000 for individuals.
Where the breach involves overseas entities
An entity who discloses personal information to that overseas entity giving rise to an eligible data breach, is deemed to be accountable.
If a credit provider discloses credit eligibility information to entities that do not have an Australian link, the credit provider is deemed to hold that information and therefore remains accountable if the recipient suffers an eligible data breach.
What do you need to do?

  • Consider whether you are at risk of a data breach and how this might arise?
  • Check any internal privacy or compliance programs or policies.
  • Consider how your policies or programs might enable the escalation of a possible data breach being notified internally?
  • Check data management plans to accommodate your company’s processes in identifying and notifying of eligible data breaches.

David Conti
February 2018

If you have any questions or wish to discuss this article further, don't hesitate to contact us at the following: