Notifiable Data Breach scheme

The NDB scheme is a recent amendment to the Privacy Act 1988, which establishes requirements for entities in responding to data breaches.

Entities now have an obligation to notify any individual whose personal information has been involved in a breach, if the breach is likely to result in serious harm.

The NDB scheme strengthens protections for personal information, providing affected individuals with an opportunity to take steps to protect their personal information following a breach.

The transparency supported by the scheme encourages greater personal information security capability across Australian industries. Over time, this transparency will build consumer and community confidence in the handling of personal information.

• The NDB scheme came into effect on 22 February 2018.

What types of entities does this scheme relate to?

The broad range of entities that need to understand the requirements of this scheme, and have measures in place to protect their clients’ data, are:

• Australian Government agencies
• All business and not-for-profit organisations with an annual turnover of $3 million or more
• Some small business operators.

Small business operations may include:

• All private sector health service providers
• Those that trade in personal information
• Tax File Number (TFN) recipients (if annual turnover is below $3 million, the NDB scheme will apply only in relation to TFN information)
• Those that hold personal information in relation to certain activities, for example, those providing services to the Commonwealth under a contract.

What is an eligible data breach?

An eligible data breach occurs when three criteria are met:

1. There is unauthorised access to, or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
2. It is likely to result in serious harm to one or more individuals
3. The entity has not been able to prevent the likely risk of serious harm with remedial action.

‘Serious harm’ can be psychological, emotional, physical, reputational or other forms of harm. Understanding whether serious harm is likely or not requires an evaluation of the context of the data breach.

What are the types of data breaches that could occur?

Data breaches can take many forms, both online and offline, including when:

• Client information is accessed or extracted from databases or customer relationship management systems (CRMs), triggered by bypassing external network security (firewalls are hacked), a malicious link in an email or on a website (phishing or mining attack) or obtaining logon credentials to gain unauthorised access to systems (Internal or cloud-based)
• A client’s personal information is emailed to the wrong recipient
• A laptop, tablet, smartphone or USB drive containing client information is lost, stolen or accessed
• The publication of personal information to external websites (facebook, twitter, company website)
• Sending the wrong documents to a client via regular mail
• Sending a fax to the wrong recipient.

What happens if I act quickly?

If you take remedial action that prevents the likelihood of serious harm occurring, then the breach is not an eligible data breach. For breaches where personal information is lost, remedial action is adequate if it prevents the unauthorised access or disclosure of personal information.
Examples of suitable remedial action include when:

• Documents are mailed to the wrong client, at which point you are notified of the error and the documents are returned by post with confirmation that no copies were made
• A smartphone containing company emails and client information is lost or stolen and an IT staff member sends a wipe command to the device to erase all the data and can confirm this has occurred
• A USB drive containing client financials and staff payroll information is lost or stolen but because the USB drive has previously been encrypted with a strong password and you are confident the data cannot be accessed or decrypted.

How do I assess a data breach?

If you suspect a data breach may meet the threshold of ‘likely to result in serious harm’, you must conduct an assessment. There is a maximum of 30 days to conduct an assessment, which begins when you become aware of a potential breach. You must notify both the client(s) and Australian Information Commissioner (AIC) as soon as is practicable, once you know an eligible data breach has occurred. The Act requires assessments to be ‘reasonable’ and ‘expeditious’.

How do I notify clients and the AIC?

You must notify any individuals that are at likely risk of serious harm as a result of a data breach, as well as the AIC. Suitable communications methods for this notification include:

• Email
• SMS message
• Telephone
• Social media and website (for larger breaches)

Notification can go to just the individuals at risk of serious harm, or all clients that have been involved in an eligible data breach if you are unsure of the exact details surrounding the breach. A written statement is required when notifying the AIC, containing the information breached, the individuals impacted and how you are responding to the breach.

What are the penalties?

The following civil penalties can apply should the AIC investigate a data breach and find that your company has been in breach of the Privacy Act:

• Compensation to the affected individuals and a formal apology
• $340,000 fines for individuals
• $1.7 million fines for businesses.

The AIC also has the power to publish the findings of an investigation that they have undertaken, which may result in reputational damage for any entity implicated.

“Good data security measures include the use of two-factor authentication, regular changing of passwords, encrypting portable devices including USB drives and business grade firewalls along with increasing cyber security awareness with staff,“ said Jason Farr, IT Manager, Bentleys SA.

For further guidance, ask your Bentleys Advisor or visit: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme