Privacy Act 1988 – Notifiable data breach scheme
Who does the Notifiable Data Breach scheme apply to?
The Notifiable Data Breach (NDB) scheme under the Australian Privacy Act commenced on 22 February 2018. The scheme applies to:
(a) all Australian government agencies, businesses and not-for-profit organisations that have existing security obligations under Australian Privacy Principle 11.2 to protect personal information under the Australian Privacy Act;
(b) credit providers; and
(c) Tax File Number recipients, irrespective of whether or not they have such security obligations[i].
The NDB scheme also applies to Victorian public sector organisations including state and local government where the data breach involves a Tax File Number.
What type of privacy data breaches must be notified?
The scheme requires an organisation to notify a privacy data breach where personal information it holds has been subject to unauthorised access, unauthorised disclosure or loss, and a reasonable person would conclude that the breach is likely to result in “serious harm” to the individual to whom the information relates[ii].
There is no definition of “serious harm” in the Privacy Act. The OAIC guidelines describe “serious harm” to the individual as including psychological, emotional, physical, reputational and financial harm[iii].
Who must be notified of a privacy data breach?
The data breach notification must be given to the Office of the Australian Information Commissioner (“OAIC”) and also to the individuals affected.
Organisations should also notify their insurer as soon as they become aware of a suspected data breach.
Depending on the nature of the breach, police and other agencies may also need to be notified.
How is notification of a privacy data breach made?
The notification must be made as soon as practicable after the organisation becomes aware that there are reasonable grounds to believe an eligible data breach has occurred[iv]. The notification to the Commissioner can be made using the on-line OAIC Notifiable Data Breach form.
There is no prescribed method for notifying individuals about the breach. What is important is that the organisation acts quickly to contain the breach and notify the individuals so as to minimise the risk of harm. Where it is not practicable to contact each individual, for example because of the scale of the breach, the organisation may instead publish the notification on its website and take reasonable steps to publicise it, including through the media.
Assessment of a suspected privacy breach
Where an organisation suspects, but is not yet certain, that an eligible data breach has occurred, the NDB scheme also requires it to carry out a “reasonable and expeditious” assessment of the suspected breach to determine whether notification is required, and to take all reasonable steps to complete that assessment within 30 days of becoming aware of the suspected breach[v].
Privacy data breach response plan
As a part of meeting their obligations under the Privacy Act, organisations should have a data breach response plan which enables them to respond to a breach quickly, minimising the impact on the individual and reputational and other damage to the organisation.
The OAIC guide, Data Breach Preparation and Response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth), provides practical guidance to organisations on preparing a data breach response plan. The OAIC guide recommends four key steps in responding to a data breach:
Step 1 – Contain the breach.
Step 2 – Assess the breach and the potential harm and risk to the individuals affected and to the organisation.
Step 3 – Notify the OAIC, the individuals affected and any other relevant authorities of the breach.
Step 4 – Review the incident that caused the breach and take steps to improve information handling processes so that it does not recur.
Seek Legal Advice
The legislative framework for the NDB scheme is complex. If an organisation suspects a data breach, it should seek legal advice promptly.
Authored by Katarina Klaric, Principal, Stephens Lawyers & Consultants
© Stephens Lawyers & Consultants. September 2018
This Information Sheet is not intended to be a substitute for obtaining legal advice.
For further information contact:
Stephens Lawyers & Consultants
Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Email: [email protected]
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
[i] Privacy Act 1988 (Cth) s 26WE.
[ii] Privacy Act 1988 (Cth) s 26WE(2).
[iii] OAIC, Data Breach Preparation and Response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth).
[iv] Privacy Act 1988 (Cth) s 26WK.
[v] Privacy Act 1988 (Cth) s 26WH.