Summary
- The “Notifiable Data Breaches” scheme requires a range of businesses to notify individuals and the Office of the Australian Information Commissioner when certain data breaches occur.
- Fines for failing to comply with the NDB Scheme are up to $2.1 million.
- Businesses can minimise their potential liability by implementing a Data Breach Response Plan, ensuring that their Privacy Policy is up to date and reviewing contracts with suppliers and other third parties.
The importance of data security
It’s easy to underestimate the importance of data security to your business. In a recent report published by PricewaterhouseCoopers, it was estimated that 74% of customers in the professional services sector would change providers in the event of a data breach.
Amendments to the Privacy Act 1988 (Act) came into force earlier this year and have introduced new obligations which apply to a range of businesses in relation to the way they handle personal information. These obligations form what is known as the “Notifiable Data Breaches” scheme (NDB Scheme).
Does the NDB Scheme apply to my business?
The NDB Scheme applies to a broad spectrum of organisations, including businesses with an annual turnover of $3 million or more.
Certain small business operators (SBOs) may also be affected, including any SBO that:
- is related to an entity that must comply with the NDB Scheme;
- holds health information and provides a health service;
- trades in personal information (e.g. discloses personal information about individuals to anyone else for a service or benefit); or
- has “opted-in” under section 6EA of the Act.
In addition, if an SBO carries on certain activities, it must comply with the NDB Scheme insofar as it handles personal information for the purpose of, or in connection with, those activities.
Such activities include:
- providing services to the Commonwealth under a contract;
- handling records that contain tax file numbers (e.g. records maintained by employers); and
- reporting under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
What is an ‘Eligible Data Breach’?
Businesses are now required to notify affected individuals, as well as the Office of the Australian Information Commissioner (OAIC), about any ‘eligible data breach’ as soon as possible (and within 30 days) after a breach occurs.
Three criteria must be satisfied for a data breach to be classified as ‘eligible’.
Firstly, there must have been unauthorised access to, unauthorised disclosure of, or loss of information about an identifiable individual. This might include health records, identification documents, and business or financial records.
Secondly, the breach must result in a likelihood of ‘serious harm’. Whether the harm is considered to be ‘serious’ depends on a number of factors, including the number of affected individuals, the likelihood that the harm will occur and the nature of the party responsible for the breach. ‘Serious harm’ might include identity theft and financial or reputational damage.
Thirdly, efforts to take immediate remedial action to minimise the harm of the breach must have been unsuccessful.
Avoiding the notification requirement: immediate remedial action
If your business suffers a data breach, you may be able to avoid the notification requirements if immediate action is taken that prevents unauthorised access to, or disclosure of, the personal information subject to the breach.
Consider the example of an employee misplacing a company phone or laptop during their morning commute. In this case, adequate remedial action might include remotely accessing the missing phone or laptop and deleting any personal information stored on its hard drive. However, if it is possible that the data has already been accessed by a third party, the remedial action is unlikely to be adequate.
Contracts with third parties
If your business engages third party service providers, it may be exposed to additional risk where a provider has access to personal information stored by your business or stores personal information on your business’ behalf. If that third party suffers a data breach, both the service provider and your business will be responsible for responding to that breach.
It is highly recommended that you review all contracts with third party service providers to ensure that adequate provision is made for responding to data breaches.
How can my business prepare for a breach?
Firstly, it is essential to conduct an audit of your data handling procedures, which will involve:
- updating your Privacy Policy, data breach procedures and employee training programs;
- identifying the third parties that have access to the personal information held by your business, or that store personal information on your business’ behalf, and the conditions under which that information may be accessed; and
- addressing deficiencies that your business has in protecting personal information.
Secondly, you should ensure that your business maintains a clear, transparent and up-to-date Privacy Policy. It is important that your Privacy Policy reflects the most recent amendments to the Act and complies with the Australian Privacy Principles. If you have not updated your privacy policy in the last six months, it is strongly recommended that you do so as soon as possible.
Liability may also be limited through the implementation of an effective Data Breach Response Plan (DBRP). A DBRP is an internal document which details the steps that your business will take in assessing, containing and managing a suspected or actual data breach. An effective DBRP will not only assist in meeting your obligations under the Act, but can also limit the serious reputational and economic harm that your business may suffer from a data breach.
An effective DBRP will cover:
- specific strategies for containing, assessing and managing a data breach;
- the roles and responsibilities of staff in responding to a data breach;
- processes for notifying affected individuals and the OAIC; and
- procedures for reviewing incidents that arise.
Finally, you should ensure that you have a written agreement with third party service providers that clearly outlines the rights and responsibilities of each party if a data breach occurs. It is recommended that your business enters into a data access deed with each provider that entitles your business to:
- be notified of a data breach immediately;
- control the response to that breach;
- notify affected individuals and the OAIC; and
- limit how the provider handles data.
Pigott Stinson regularly advises clients on privacy-related matters. We can assist your business with any of the solutions discussed above, including updating your Privacy Policy, developing and implementing an effective DBRP or reviewing and amending existing contractual arrangements with third party service providers.
Please contact Leonie Kyriacou (l.kyriacou@pigott.com.au) or Nigel Salmons (n.salmons@pigott.com.au).
This Article is produced by Pigott Stinson. It is intended to provide general information only. The contents of this Article do not constitute legal advice and should not be relied upon as legal advice. Formal legal advice should be sought from us in respect of the matters set out in this Article. Liability limited by a scheme approved under Professional Standards Legislation.