Last year saw the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 which established the Notifiable Data Breaches (NDB) Scheme – introducing for the first time government guidelines and requirements for cyber security compliance when handling data breaches relating to personal information. The new laws introduce mandatory disclosure of any such data breach to the Office of the Australian Information Commissioner (OAIC), and to those whose personal data was involved, provided certain criteria are met. For more specific information continue reading below.
Who do the new laws apply to?
Businesses or not-for-profit organisations with an annual turnover of more than $3 million, Australian government agencies, credit reporting bodies, health service providers, and Tax File Number recipients are some examples of those affected by the new laws. Effectively, any entity that is currently covered by the Privacy Act will be required to comply in the event of an eligible data breach.
What comprises an eligible breach?
According to the OAIC a data breach is defined as unauthorised access, unauthorised disclosure or loss of personal information that an entity holds. With this definition in mind, company employees who access personal data without a legitimate reason to do so are committing a data breach. Likewise, accidentally emailing a file containing personal information to someone other than the intended recipient also qualifies. It is worth noting that the term ‘holds’ has a specific meaning in this context that will be outlined in more detail below.
For a data breach to be eligible under the NDB Scheme, two prerequisites must first be met, namely:
1. The data breach is likely to result in serious harm to one or more individuals, and
2. The entity responsible is not able to mitigate the risk of likely harm with remedial action.
How is serious harm defined?
If there is the possibility of physical, psychological, emotional, financial, or reputational harm due to a data breach, then it is considered to be potentially seriously harmful. This includes identity theft, financial loss, threats to physical safety, loss of business or employment opportunities, humiliation, damage to reputation or relationships, workplace or social bullying or marginalisation.
The type of information will affect the likelihood of serious harm – for example, ‘sensitive information’ such as information relating to an individual’s health is much more likely to be seriously harmful if compromised compared to basic identifying information, such as names and contact information.
Are there any exceptions?
There are a number of circumstances where a data breach may be excepted and notifying the OAIC and the parties affected is not required. For example, if a USB drive containing personal information was lost but the information it contained was encrypted using modern techniques generally accepted to be secure, the breach in question would be excepted as the likelihood of the data being accessed, and serious harm being caused, is very low. Depending on the situation, a number of actions may be taken to mitigate any potential harm, thus excepting the breach under the NDB Scheme.
Data breaches that are covered by other Australian privacy acts, such as the My Health Records Act 2013, may also be excepted. This is due to the fact that such breaches may require disclosure according to the specific act they are covered under.
Finally, an enforcement body does not need to notify individuals of a data breach if it is suspected that doing so is likely to prejudice an enforcement-related activity. In this circumstance, however, the breach must still be reported to the OAIC.
What actions need to be taken for an eligible breach?
Upon a data breach being identified and determined to be eligible under the NDB Scheme, a statement must be provided to any affected individual (for whom serious harm is likely) as well as the OAIC. This report should contain details of the incident, including a description of the event, the type of information involved and recommendations on steps that should be taken by the affected parties in response to the breach in order to minimise the potential harm.
If direct contact with affected parties is not possible, then the information must be published to the responsible party’s website and reasonable steps taken to publicise the statement and its contents.
While the changes outlined above are important to be aware of, the real focus of any entity should be the protection of private information according to industry standards. The information provided above is of a general nature; if you have questions in relation to a specific incident, it is imperative that professional legal advice is sought.
HOW EVOLVE IT CAN HELP?
At Evolve IT, we understand the unique challenges of organisations and have helped a range of businesses improve their cybersecurity.