The Notifiable Data Breach (NDB) Regime – What you need to know

Martin Le Marchant

Director at Bishop Collins Chartered Accountants

Audit and Assurance Expert.

Specialising in Clubs, Not for Profit and Aged Care.

 
Computer data breach

The Notifiable Data Breach (NDB) Scheme – What you need to know

The Notifiable Data Breach (NDB) scheme commenced on 22 February 2018. The scheme requires the reporting of eligible data breaches occurring on or after this date to the Office of the  Australian Information Commissioner (OAIC). Who does it apply to? The NDB scheme applies to agencies and organisations where the Privacy Act requires you to take steps to secure personal information. These include Australian Government agencies, Businesses and not for profit organisations, with an annual turnover of $3 million or more. What is a data breach? A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. What is a notifiable data breach? A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates. An eligible data breach arises when the following three criteria are satisfied:
  1. There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
  2. This is likely to result in serious harm to one or more individuals, and
  3. The entity has not been able to prevent the likely risk of serious harm with remedial action
computer folders on computer screen opened data breach Example of data breaches A data breach may include:
  • Unauthorised access: for example a computer network is compromised by an external attacker resulting in personal information being accessed without authority.
  • Unauthorised disclosure: for example the intentional or unintentional disclosure of personal information by an employee of the entity to third parties
  • Loss: for example an employee of an entity leaves personal information contained on a portable storage devices on public transport.
If a data breach is suspected, deciding if it is eligible for reporting  involves examining, from the perspective of a reasonable person, whether the data breach would be likely to result in serious harm to the individual whose personal information was part of the data breach. A ‘reasonable person’ means a person in the entity’s position, who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach. In the context of a data breach, serious harm to an individual may include:
  • Physical,
  • Psychological,
  • Emotional,
  • Financial, or
  • Reputational harm.
Examples include:
  • Identity theft
  • Significant financial loss by the individual
  • Threats to an individual’s physical safety
  • Loss of business or employment opportunities
  • Humiliation, damage to reputation or relationships
Preventing “serious harm” with remedial action. The NDB scheme provides entities with the opportunity to take positive steps to address a data breach in a timely manner, and avoid the need to notify. If an entity takes remedial action so that the data breach would not be likely to result in serious harm, then the breach is not an eligible data breach for that entity or for any other entity. Who needs to be notified of a breach? Once an entity experiences a data breach they are required to contain the breach as soon as possible and take remedial action. In short, there are three options for notifying individuals at risk of serious harm. Option 1: Notify all individuals: That is notify all individuals whose personal information was part of the eligible data breach, regardless of whether they will experience “Serious harm” from the breach. Option 2: Notify only those individuals at risk of serious harm: If an entity identifies that only a particular individual, or a specific subset of individuals, involved in an eligible data breach is at risk of serious harm, and can specifically identify those individuals, only those individuals need to be notified. This avoids distress to individuals who are not at risk. Option 3: Publish Notification: If neither option 1 or 2 above are practicable, for example, if the entity does not have up-to-date contact details for individuals, then the entity must:
  • publish a copy of the statement on its website if it has one
  • take reasonable steps to publicise the contents of the statement
Entities must take proactive steps to increase the likelihood that the eligible data breach will come to the attention of individuals at risk of “serious harm”.
Notifiable Data Breach Response Plan

The above diagram provides an overview of a typical data breach response, including the requirements of the NDB scheme. This diagram is a summary, and should be read with reference to the more detailed information in this article.

My organisation does not turnover more than $3 million per annum. Am I off the hook? In short, no. Certain organisations are still required to comply. These include:
  • Entities that provide health services. Including traditional health service providers, complimentary therapists, such as naturopaths and chiropractors, gyms and weight loss clinics, child care centres and private schools.
  • Entities that trade in personal information – For example Credit providers, credit reporting bodies and tax file number (TFN) recipients
Ensuring your entity is secure before a data breach occurs is the best way to safeguard against causing serious harm and needing to notify the Commissioner. A public notification of an NDB is a process you will want to avoid at all costs. There are also significant financial and operational benefits to ensuring your risk of a data breach are minimised. These benefits equally apply to entities exempt from complying with the Notifiable Data Breach scheme. Our Audit and Assurance team can help you review existing protocols, identify risk exposures and set up processes to ensure your risks of a Notifiable Data Breach are reduced.