Has your business been hacked? You may need to comply with the new Notifiable Data Breach scheme

From 22 February this year your company may be required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if personal information held by your company is accessed, lost or disclosed in circumstances that are likely to result in serious harm to the individuals affected.

What are the changes?

Under the new Notifiable Data Breach scheme (NDB), agencies and organisations with existing personal information obligations under the Privacy Act 1988 (the Act) will be required to alert the OAIC and all affected persons if personal information is involved in a data breach.

What are data breaches involving personal information?

Personal information is defined under s 6(1) of the Act as:

‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

1. whether the information or opinion is true or not; and
2. whether the information or opinion is recorded in a material form or not’

There are various types of personal information recognised under the Act including ‘sensitive information’ (e.g. information or opinion about an individual’s racial or ethnic origin, political opinions, religious beliefs, sexual orientation) ‘health information’, ‘credit information’, ‘employee record information’ amongst others.

Who does it apply to?

The NDB scheme will apply to businesses, Australian Government agencies, and not-for-profit organisations with an annual turnover of $3 million or more and businesses which trade in personal information, among others (APP Entities).

When do I need to disclose a data breach?

Under the new scheme, APP Entities are required to provide notice as soon as practicable to affected individuals and the OAIC where there are reasonable grounds to believe that an “eligible data breach” has occurred (unless an exception applies).

This may occur in three main circumstances including:

• where there is unauthorised access to or disclosure of personal information, or a loss of personal information, that an entity holds. For example, if your business is hacked;
• where a reasonable person deems this is likely to result in serious harm to one or more individuals. A ‘reasonable person’ means a person in the entity’s position. Although ‘serious harm’ is not defined under the Act, this may include serious physical, psychological, emotional, financial, or reputational harm; and
• the entity has not been able to prevent the likely risk of serious harm with remedial action. Remedial action may include ensuring the leaked data has not be accessed by any person, and taking steps to ensure it will never be accessed by any person. For more examples see here.

How do I notify?

When an APP Entity has reasonable grounds to believe an eligible data breach has occurred, they must promptly notify any affected individuals at risk of serious harm, and the Commissioner of the OIAC should be notified via a Notifiable Data Breach form.

For more information on what to include in an eligible data breach statement see here.

What if I don’t notify?

APP Entities that do not comply with the notification obligations will be subject to the Privacy Act’s existing enforcement and civil penalty framework, which range from investigations to substantial civil penalties.

VML Tips

Some steps your company can take to reduce the risk include:

• ensuring that personal information is held securely, including an audit of security processes and procedures; and
• developing and implementing a clear response plan in the event of a data breach to allow an entity to respond efficiently and quickly and take remedial action.

An effective response plan is an important tool for companies which collect personal information.  If your company is successful in taking remedial action before any serious harm is caused it may be able to avoid the notification requirement and a penalty under the Act.

Additionally, consider the following strategies:

• Encrypt your data
• Use strong passwords
• Audit third parties who have access to your network
• Have a back-up system and test it regularly
• Introduce policies regarding any devices brought into the premises whether by staff or visitors
• Run training sessions for staff on the importance of security
• Implement a policy covering devices brought in by staff and visitors

The OAIC’s Data breach notification — a guide to handling personal information security and Guide to developing a data breach response plan provides a best practice model. The OAIC also has a comprehensive Guide to securing personal information.

Ensure your business is protected today – get in touch with a professional at von Muenster Legal to ensure you comply with the new laws.