Notifiable Data Breach Scheme – compliance and protection
From 22 February 2018, the new Notifiable Data Breach (NDB) scheme came into effect in Australia. The NDB scheme requires the investigation, notification and reporting of data breaches involving personal information, where the breach is likely to result in serious harm to the individual. Reporting of the breach to the Privacy Commissioner is required in certain circumstances.
Penalties for failure to comply with the Notifiable Data Breach Scheme are up to $2.1 million for businesses or $420,000 for individuals. With penalties this high, can your business afford to be unprepared?
Who must comply?
Businesses that are required to comply with the Privacy Act must also comply with the Notifiable Data Breach Scheme. This includes:
- Australian Government agencies
- Businesses and not for profit organisations with an annual turnover of $3 million or more
- A small business with less than $3 million turnover but which is related to a larger business
- Credit reporting bodies and credit providers
- Health service providers (e.g. medical practices, pharmacists, child care centres and gyms)
- Businesses that provide services under Commonwealth contracts
- Entities that trade in personal information (e.g. buy/sell mailing lists) or that operate a residential tenancy database
For purposes of the NDB Scheme, the new requirements also apply to any organisations that are tax file number (TFN) recipients.
Has a breach occurred?
A data breach occurs when:
- There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds; and
- This is likely to result in serious harm to one or more individuals; and
- The entity has not been able to prevent the likely risk of serious harm with remedial action.
Typical incidents that can amount to a data breach include:
- A lost or stolen USB, portable hard drive or laptop
- Malicious or criminal action
- Personal data stolen from an unsecured recycling/shredding bin
- Human error such as an email inadvertently sent to the wrong person
- ‘Water cooler’ conversation about someone where a third party overhears what is being said
An incident that does not meet all three of these elements is not an eligible data breach and does not have to be notified. An example provided by the Privacy Commissioner is:
A data file, which includes the personal information of numerous individuals, is sent to an incorrect recipient outside the entity. The sender realises the error and contacts the recipient, who advises that the data file has not been accessed. The sender has an ongoing contractual relationship with the recipient, and regards the recipient as reliable and trustworthy. The sender then confirms that the recipient has not copied, and has permanently deleted the data file. In the circumstances, the sender decides that there is no likely risk of serious harm.
What is serious harm?
The NDB scheme applies to data breaches involving personal information that are likely to result in ‘serious harm’ to any individual affected. These are referred to as ‘eligible data breaches’.
Serious harm can be physical, psychological, emotional, financial or reputational harm, and ‘likely to occur’ means “the risk of serious harm to an individual is more probable than not (rather than possible)” according to the Privacy Commissioner.
Factors to consider when assessing the level of risk include:
- The kind of information
- The sensitivity of the information
- The person/s who have obtained, or who could obtain the information
- Whether the information could be used with intent to cause harm
- The potential nature of the harm
Where the risk of serious harm is not present, the business may still have to undertake remedial steps with any affected individuals.
And if there has been an eligible data breach?
If there has been a data breach and you suspect it could meet the ‘likely to result in serious harm’ threshold, you are required to carry out a reasonable and expeditious assessment of whether it is an eligible data breach, and to take whatever remedial action is available to you. The assessment must be completed within 30 days of becoming aware of the suspected breach. If the breach is found to be eligible, you must prepare a statement and notify both the Privacy Commissioner and the affected individuals as soon as practicable, and, where appropriate, involve law enforcement.
The requirements and responsibilities involved in this process are onerous and complex. We recommend you read the overview and detailed guidelines from the Privacy Commissioner.
Preventing an eligible data breach
Prevention is better than cure. A recent IBM study found that 48% of data breaches come from malicious or criminal attacks. These include malware infections, criminal insiders, phishing scams and SQL injection.
If your IT systems are not managed and monitored correctly, you are opening the door to possible data breaches. To mitigate the risk it’s recommended that you regularly review these essential aspects of your IT systems:
- Anti-virus software is installed on all devices and is automatically updated
- Always update every device with the latest version of its software as soon as it becomes available
- Monitor spam and increase spam protection
- Use strong, unique passwords right across your business (a password manager makes this practical), add multi-factor authentication wherever it is offered, and change any password promptly if you suspect it has been exposed
- Educate your team on potential threats including the identification of phishing emails