Australian businesses will soon be required to report data breaches when individuals' personal information is exposed. The new law, which comes into force on February 22, is aimed at increasing data security transparency.
Named the Notifiable Data Breaches (NDB) scheme, any business with an annual revenue of more than $3 million, along with several other business types, must comply.
Penalties for non-compliance can be severe. Fines of up to $2.1 million can be imposed by the Federal Court. The penalties will vary depending on the significance of the data exposed and the likely harm of the data breach.
The NDB scheme will be managed by the Office of the Australian Information Commissioner (OAIC), who have provided some advice for businesses. Broadly, there are three steps under the NDB scheme:
- Determining if your business is subject to the NDB scheme.
- Determining if a data breach is notifiable under the scheme.
- Actions required and available in the event of a notifiable data breach.
1. Who must comply with the NDB scheme?
Any business or organisation that is already required to comply with the Privacy Act must also comply with the NDB scheme. Other businesses that must comply include:
"businesses and not-for-profit organisations that have an annual turnover of more than $3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients"
2. What is a notifiable data breach?
Breaches where notification is required are called eligible data breaches. There is a three-step test for determining whether a data breach is eligible under the NDB scheme:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
- this is likely to result in serious harm to one or more individuals; and,
- the entity has not been able to prevent the likely risk of serious harm with remedial action.
These elements are broad and cover a wide range of scenarios, and there is no golden rule for identifying eligible data breaches. However, some breaches offer clear indicators. For example, exposure of identifying or financial information, such as a passport number, driver's licence number or tax file number, is likely to require a notification.
Notifiable Data Breaches scheme website (OAIC).
3. What needs to be done in the event of a notifiable data breach?
Four key pieces of information must be disclosed in the event of a data breach:
- the identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned; and
- recommendations about the steps individuals should take in response to the data breach
Both the affected individuals and the OAIC Commissioner must receive this information. There is a specific form that must be completed to fulfil this requirement - Notifiable Data Breach Statement Form (draft at time of this publication).
Do businesses need to maintain good data security standards?
Yes. A key aspect of the NDB scheme is that businesses continuously take reasonable steps regarding the handling of personal information. That includes collecting, using, storing and destroying personal information once it is no longer needed.
OAIC recommends establishing processes for handling personal information; an in-depth guide is available here.
What is the actual law?
Part IIIC of the Australian Privacy Act 1988.
From the broad language used in the new law to the extensive advice offered by the OAIC, it is not entirely clear how the NDB scheme will be applied. There is guidance, but much of how the NDB scheme works in practice will come down to how the OAIC applies the law. We will likely only get a clear idea of what the law requires once we have examples of how it is applied.
This is obviously not ideal, and the scheme has been met with criticism. But data breaches continue to be a serious issue, and both the IT industry and government are trying to combat the continuing trend of mass breaches of personal information.
Despite the scheme's shortcomings, there is a reasonably clear principle it is trying to get across: your business should actively handle personal information with care, and if your business suffers a data breach, every person whose information is affected must be informed.
Following this principle will make it easier for your business to comply with the NDB scheme.
Where can I learn more?
Information is available at the OAIC website and this ZDNet article is also a useful resource. This article is not legal advice, and if you have any questions regarding the legal aspects of the NDB scheme, we recommend consulting with your legal services provider.
If you have any questions regarding technical aspects of data storage and cloud services, please contact your Sentrian Client Services Manager for further information and materials.
To keep up-to-date with the latest security news and notices, see our Security blog here.