AUSTRALIA: OAIC call out for comments – draft resources for businesses and agencies regarding the Notifiable Data Breach Scheme

By Sinead Lynch, Jessica Noakesmith

On 2 June 2017, the Office of the Australian Information Commissioner (OAIC) released 4 draft resources for businesses and agencies regarding the Notifiable Data Breach (NDB) scheme. Direct links to the draft resources are below:

These draft resources provide guidance on the NDB scheme, with examples of how to prevent serious harm and avoid notification requirements through remedial action, examples of data breaches, definitions of unique terms and a practical approach to the requirements. The OAIC has noted that entities can request that any information they provide be kept confidential (and the OAIC will liaise with entities in the case of a Freedom of Information (FOI) request).

The draft resources note ‘serious harm’ may include serious physical, psychological, emotional, financial or reputational harm. Unfortunately, the resources do not address some of the concerns around assessing when “suspected data breaches” arise. The OAIC has, however, confirmed its plans to release a further guideline – “Assessing a suspected data breach” – which it confirms will “provide guidance about the process to follow when carrying out an assessment of ‘whether there are reasonable grounds to suspect that there may have been an eligible data breach of the entity’”.

Please see our key points below for further details on these 4 resources.

The OAIC is asking for any comments by 14 July 2017. You can make a submission here.

We are advising a number of our clients in this area. If you / your organisation would like any support or assistance in commenting on the draft resources, please do let us know.

The OAIC has posed some key questions to consider:

  • Are the draft resources clear, relevant and practical?
  • Do the draft resources meet the needs of agencies and organisations in understanding the new requirements under the NDB scheme?
  • Are there any topics that you believe the draft resources should cover that have not been covered, or should be covered in greater detail?
  • Are there any practical examples you could share to help illustrate the operation of the NDB scheme?
  • Are there any other ways in which the draft resources could be enhanced?

Key points

Entities covered by the NDB scheme

  • Notes that generally, agencies and entities that are covered by the Privacy Act 1988 (Cth) (the Privacy Act) must comply with the NDB scheme.
  • Outlines the applicability of the NDB scheme to Australian Privacy Principles (APP) entities, credit reporting bodies, credit providers and TFN recipients, and outlines the exceptions for the NDB scheme to apply to small business operators.
  • Defines ‘holding’ personal information disclosed overseas for the purposes of assessing an eligible data breach.

Identifying eligible data breaches

  • Notes that the NDB scheme requires entities to notify particular individuals and the OAIC about ‘eligible data breaches’.
  • Gives examples of how to prevent serious harm with remedial action and examples of data breaches.
  • Includes definitions of unauthorised access, unauthorised disclosure, loss and:
    • ‘Eligible data breach’ (objectively, from the viewpoint of a reasonable person in the entity’s position) is:
      • the unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that an entity holds (including internal, independent contractors, hackers etc.);
      • that is likely to result in serious harm to one or more individuals; and
      • the entity has not been able to prevent the likely risk of serious harm with remedial action.
    • ‘Serious harm’ may include serious physical, psychological, emotional, financial or reputational harm. Section 26WG lists ‘relevant matters’ that entities may use in an assessment of the likelihood of serious harm. Entities should consider the types of personal information, the circumstances of the data breach and the nature of the harm (the resource expands these) when making this assessment. The resource does not define serious harm.
    • ‘Reasonable person’ means a person in the entity’s position who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach. This definition can be influenced by relevant standards and practices and is also discussed in general terms in the APPs.
    • ‘Likely to occur’ means more probable than not (rather than possible).

Notifying individuals about an eligible data breach

  • Notes that when an entity experiences an eligible data breach it must provide a statement to the Commissioner and notify individuals at risk of serious harm of the contents of the statement as soon as practicable after completing the statement prepared for notifying the Commissioner. If the breach applies to multiple entities, only one entity needs to comply, and the entities decide which. The Commissioner suggests the entity with the most direct relationship with the individuals at risk of serious harm should undertake the notification. If none of the entities notifies, each may be in breach.
  • Defines ‘as soon as practicable’ to include considerations of cost, time and effort. The Commissioner expects expeditious notification.
  • Explores the three options to ‘notify’ individuals (notify all individuals affected, notify those at risk of serious harm or publish notification to website). An entity can use any reasonable method to notify individuals (call, SMS, mail, social media, in-person etc.). If it’s not practical to notify individuals, the entity must publish a copy of the statement on their website and take reasonable steps to bring this to the attention of the individuals at risk of serious harm. ‘Reasonable steps’ might include:
    • ‘ensuring that the webpage on which the notice is placed can be located and indexed by search engines’
    • ‘publishing an announcement on the entity’s social media channels’
    • ‘taking out a print or online advertisement in a publication or on a website the entity considers reasonably likely to reach individuals at risk of serious harm’

Australian Information Commissioner’s role in the NDB scheme

  • The Commissioner acknowledges it will take time to become familiar with the NDB scheme, and during the first 12 months of operation of the NDB scheme the primary focus will be on working with entities to ensure they understand, and are working in good faith to implement, the NDB scheme. The priority is to offer advice and guidance to entities and provide assistance to individuals at risk of serious harm; however, the Commissioner may make inquiries or take regulatory action.
  • Notes that entities may request that the information provided be confidential, and if an FOI request is made, the Commissioner will consult with the entity (or transfer the request if it is an agency).
  • Describes the content included in a notification statement. The OAIC comments that although the Privacy Act does not require it, entities may provide additional information to the Commissioner e.g. circumstances and further detail about the entity’s response.
  • Outlines the powers of the Commissioner under the NDB scheme to:
    • accept an enforceable undertaking (section 33E) and bring proceedings to enforce an enforceable undertaking (section 33F)
    • make a direction to notify
    • declare that notification need not be made or that it can be delayed (in exceptional cases) after a detailed application by an entity
    • make a determination (section 52) and bring proceedings to enforce a determination (sections 55A and 62)
    • seek an injunction to prevent ongoing activity or a recurrence (section 98)
    • apply to court for a civil penalty order for a breach of a civil penalty provision (section 80W), which includes any serious or repeated interference with privacy
  • Notes that the requirement under section 36 of the Privacy Act to investigate a complaint made by an individual about an interference with that individual’s privacy includes a failure to notify an individual under the NDB scheme.

For further information and commentary on the Notifiable Data Breach scheme generally see our post here.