Meeting the obligations of the Notifiable Data Breaches scheme (NDB scheme)

In February 2018 the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) came into effect, introducing new mandatory reporting requirements for Australian entities that must comply with the Privacy Act 1988 (Cth) (Privacy Act). This brought in some much-needed accountability with regard to the collection and handling of personal information. The amendment also applies the obligations of the Notifiable Data Breaches scheme to all entities that hold Tax File Numbers, not previously subject to the Privacy Act. Combined with enforcement powers granted to the Information Commissioner to issue civil penalties up to $420,000 for individuals and $2.1 million for organisations, these changes in legislation mean that now more than ever, it is critical for Australian organisations to be aware of what personal information they hold, where it flows and how they secure it.

Meeting the obligations of the Notifiable Data Breaches scheme (NDB scheme) requires understanding three key concepts from the legislation. The first is that of an eligible data breach. In short, an eligible data breach occurs if personal information held by an entity is subject to unauthorised access, disclosure, or loss, and a reasonable person (in the position of the entity) would conclude that serious harm to the individual(s) is likely to result.

Following from this, the second concept is that of the reasonable person. Law requires people in general to behave reasonably, taking reasonable precautions where there are reasonably foreseeable risks. Similarly, the third concept of serious harm must be read in line with the concept of a reasonable person. It is an objective assessment determined from the view of a reasonable person in the position of the entity, and may include serious physical, psychological, emotional, financial, or reputational harm.

A fundamental implication of these definitions is that entities must be able to detect data breaches, quickly determine whether those data breaches qualify as eligible under the NDB scheme, and then be ready to respond appropriately. The problem for many businesses (especially smaller ones) is that they lack the expertise and capacity to implement the systems, procedures, and practices that are necessary to adequately prepare. Even knowing where to start can be a challenge.

The first step that an entity must take is to identify and classify all the information in its possession, including information which has been entrusted to third parties (e.g. cloud service providers). Implicitly, contractual agreements with third-party service providers should be scrutinised to ensure appropriate safeguards and accountability are in place.

Secondly, the entity must undertake a privacy impact assessment (PIA) to determine how the information in its possession could impact the privacy of individuals in the event of a breach. The results of the PIA are critical to evaluating the likelihood of serious harm when a breach is detected. However, the PIA also provides valuable insight as to what sort of remedial action may be taken to prevent the occurrence of serious harm and possibly escape the necessity to report a breach.

Thirdly, having the right processes, training, and technology controls in place, not only to prevent data breaches but also to detect and react when they happen, enables a quick and effective response. In some cases, having the right controls in place beforehand can reduce the likelihood of serious harm even after the breach has occurred – a lost smartphone with remote wipe capabilities enabled is far less of a risk than one without.

Being prepared to respond to a data breach can be the difference between being required to make a notification or not. It is therefore critical that businesses be able to quickly and accurately assess the nature and extent of a breach to determine this likelihood. Perhaps more importantly, having a well-documented response plan and the capability to implement effective mitigating tactics and strategies can reduce the likelihood of serious harm after the breach has occurred, negating the requirement to issue a notification at all.

If you have any queries, please feel free to contact:

Helaine Leggat
Principal Lawyer
Sladen Legal
T +61 3 9611 0150 | M +61 439 466 821
Level 5, 707 Collins Street, Melbourne, 3008, Victoria, Australia
E: hleggat@sladen.com.au