Australian privacy and information security laws are complex. In particular, we find many of our clients struggle with understanding when the Notifiable Data Breach (NDB) scheme under the Australian Privacy Act applies to their business. It is essential to learn not only when the NDB scheme applies but also how to prevent and mitigate data breaches in the event they occur.
What is the Privacy Act?
The Privacy Act[1] (the Act) regulates the way organisations handle, disclose, use and market individual’s personal information. The Act primarily regulates Australian Government agencies and organisations with an annual turnover greater than $3 million, but some small businesses such as those who opt into the scheme, or deal with health data and credit reporting are also covered.
What is the NDB Scheme?
Any organisation regulated by the Privacy Act must notify their affected individuals and the Office of the Australian Information Commissioner (OAIC) when an information data breach is likely to result in serious harm to an individual.
A data breach occurs when personal information held by an organisation is lost or subjected to access or disclosure. Most commonly, this regulates data information hacking and accidental disclosure (such as releasing personal information to the wrong person).
An organisation that suspects an eligible data breach may have occurred must act quickly to assess the incident.
We recommend you have a legal expert assess whether or not a data breach falls within the NDB scheme, thereby mandating its reporting to the OAIC and affected individuals. If you get this wrong the implications can be significant.
What happens if I have an NDB incident?
In the event that a notifiable data breach incident occurs, you should complete an Eligible Data Breach Statement within thirty (30) calendar days of the data breach. This statement is available online on the OAIC website. Then, using the Eligible Data Breach Statement content, you should prepare and send out a notification separately to those affected by the breach. We recommend having a legal professional draft this notification, and on occasion a public relations or brand reputation expert involved in the communications. Finally, you should consider whether you are required to notify your insurer under any policies of insurance (cyber insurance or otherwise). Early notification can offer significant assistance, particularly in funding legal or cyber advice, and in the preparation of the Eligible Data Breach Statement and subsequent communications.
What happens if I fail to notify the OAIC?
The Australian Information Commissioner has broad powers to enforce penalties against businesses that interfere with an individual’s privacy. The maximum penalty for the successful prosecution of this interference may include a civil penalty of up to $402,000 for individuals and $2,100,000 for corporations.
How does my organisation stay protected?
While it is impossible to guarantee that personal information is entirely secure and safe, there are several preventative and response measures your organisation should implement to protect and lessen the impact of a data breach.
To prevent data breaches, there are organisational and personnel prevention methods to deploy within your organisation. To protect the organisation broadly, ensure physical records are stored securely and only accessible to those personnel who require access, that you use up to date adequate security software, conduct regular cybersecurity risk assessment audits and encrypt and back up sensitive data. To protect individual personnel, conduct staff training to raise and awareness and implement data security organisational policies such as a password policy to force personnel to have robust, secure and unique passwords which are changed often.
We also highly recommend preparing a comprehensive data breach response plan. This should outline your organisation’s strategy for identifying, containing, assessing and managing a data breach incident. These plans help limit the consequences of a data breach and support the confidence customers or client’s will have in your ability to manage their information.
This plan should cover what constitutes a data breach so that identification is timely, a strategy for containing, assessing and managing data breaches, the roles and responsibilities of key personnel within the organisation, how to document the data breach and the review evaluation of how to prevent a similar breach in the future.
Our team has extensive knowledge in the privacy and data handling legal sector. If you or your business needs advice on a potential notifiable data breach that may have occurred or would like us to prepare a comprehensive data breach response plan for your organisation, please don’t hesitate to contact a member of our Intellectual Property team.
[1]1988 (Cth).
This article was written by Ben Gouldson, Director. For further information please contact Ben Gouldson, Director.
The assistance of Harry Bligh, Law Clerk in researching this article is gratefully acknowledged.
Time periods for development approvals extended