With Facebook, Cambridge Analytica and the Australian Government’s My Health Record dominating headlines throughout 2018, one could be forgiven for thinking that issues of data security are reserved exclusively for Government and multi-national organisations. However, recent amendments to the Privacy Act 1988 (Act) have placed a range of new obligations on entities bound by the Act (including most registered clubs) to handle data and respond to data breaches in a prescribed way. These obligations form what is now called the “Notifiable Data Breaches” scheme (NDB Scheme).
The NDB Scheme requires entities to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) about any ‘eligible data breach’ that occurs.
When has an ‘eligible data breach’ occurred?
Under the Act, several criteria must be met for a data breach to be classified as an ‘eligible data breach’.
Firstly, there must be unauthorised access, unauthorised disclosure or loss of “personal information”. “Personal information” is information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Secondly, there must be a likelihood of ‘serious harm’ resulting from that access, disclosure or loss. Several matters will be relevant in assessing the likelihood of ‘serious harm’, including the nature and sensitivity of the information involved, the strength of any security measures in place, the nature of the person(s) that have acquired the information, as well as the nature of the harm itself.
Thirdly, efforts to take immediate remedial action to minimise the harm of the breach must have been unsuccessful.
What can my club do?
It is crucial that your club is prepared and ready to respond to a breach if one occurs.
A first step is to carry out an audit of your club’s existing privacy and data controls. An audit should identify:
- the policies, procedures and training your club has in place;
- who has access to the personal information your club holds and the condition upon which that access is granted; and
- any deficiencies your club has in managing and protecting data.
The OAIC also recommends that organisations have a Data Breach Response Plan (DBRP). A DBRP is essentially a step-by-step guide for your club to follow in the event of a data breach (including a suspected data breach). It is an internal document that will assist the officers and employees of your club to respond to a data breach in accordance with the statutory obligations imposed under the Act and as quickly as possible with a view to mitigating the serious financial and reputational loss that may be suffered as a result of a breach.
The OAIC recommends that a DBRP covers specific issues, including how your club will:
- detect and contain a data breach;
- assess and evaluate the potential harm that may arise from a data breach;
- notify affected individuals and the OAIC;
- review its internal procedures to reduce the risk of any future data breach; and
- otherwise respond quickly and efficiently.
As it is likely that your club engages a number of third party service providers that have access to date held by your club (e.g. in connection with its IT and gaming operations), these arrangements should be reviewed. These engagements pose a number of additional risks to your club because if a third party service provider suffers a data breach that involves your club’s data, your club will also be liable for responding to that breach.
Your club’s contract with a third party service provider (which contract may be oral or in writing) should be amended to include specific rights that will assist your club in this regard.
We recommend that your club enters into a deed with each of its third party service providers that entitles your club to:
- be notified of data breaches;
- control the response to a data breach;
- notify affected individuals (which are likely to be your club’s members); and
- limit how the provider may handle your club’s data.
Consideration should also be given to whether your club has adequate insurance to cover the costs flowing on from a data breach.
This article is intended to provide general information in summary form on a legal topic, current at the time of publication. The contents do not constitute legal advice and should not be relied on as such. Formal legal advice should be sought in specific circumstances.