What is the NDB scheme?
The Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Privacy Act 1988 (Cth) from 22 February 2018.
The NDB scheme introduces an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Office of the Australian Information Commissioner (OAIC) must also be notified of eligible data breaches.
There can be serious penalties for failing to comply with the scheme, including fines of up to $2.1 million, compensation and apology to those individuals affected, and a requirement to change your organisation's privacy practices.
Who must comply with the NDB scheme?
The NDB scheme will apply to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies (including contracted service providers to government eg under a funding agreement), businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.
Queensland community legal centres (CLCs) will be regarded as ‘relevant agencies’ under the scheme due to funding agreements which obligate CLCs to comply with the Privacy Act. This applies even if the centre’s annual turnover is less than $3 million.
Which data breaches require notification?
The NDB scheme only applies to ‘eligible data breaches’, which arise when:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds, and
- this is likely to result in serious harm to one or more individuals, and
- the entity has not been able to prevent the likely risk of serious harm with remedial action.
Serious harm may include psychological, emotional, physical, reputational, or other forms of harm. The risk must be more likely than not, looking objectively at all the circumstances of the breach, such as:
- the type of information involved (eg personal information, sensitive information and/or health information)
- whether the information was protected by security measures (eg password protection)
- the likelihood of any security measures being defeated
- the vulnerability of the individual/s whose information was breached
- who has accessed (or is likely to access) the information
- how long they have had access
- what they are likely to do with this information
- the nature of the harm etc.
The decision to notify will depend on what's reasonable for your organisation based on the information at the time of the breach, and may involve asking yourself what your clients might expect in the circumstances.
This can be as simple as leaving a client file/USB on a bus, or an employee browsing sensitive client records without any legitimate purpose – it doesn’t necessarily have to be a full-scale data hack from a third party. In fact, many data breaches are due to innocent errors by staff and volunteers. Comprehensive examples and explanations are provided here.
Assessing suspected data breaches
If an entity has reasonable grounds to believe that it has experienced an eligible data breach, it must promptly notify individuals and the Commissioner about the breach, unless an exception applies. There is flexibility in the way you notifiy individuals, but it may include direct communicationt to the individuals affected and/or a public notice on your organisation's website. Notification to the Commissioner is via an online form.
In contrast, if an entity suspects that it may have experienced an eligible data breach, it must quickly assess the situation to decide whether or not there has been an eligible data breach. An assessment must be reasonable and expeditious, and entities may develop their own procedures for assessing a suspected data breach.
An entity must take all reasonable steps to complete the assessment within 30 calendar days after becoming aware or suspecting an eligible data breach. This should be treated as the maximum time limit. The sooner the better, as the longer it’s left, the more likely the harm.
The Data Breach Response Summary Flowchart below provides a detailed summary of suggested steps to take in the event of a breach or suspected breach.
Privacy requirements & preventing data breaches
The Australian Privacy Principles (APPs), which have the force of law under the Privacy Act, are aimed at preventing a data breach in your organisation. The APPs cover collection and management of personal information, use and disclosure of personal information, and integrity, security, access to and correction of personal information. It is essential to be familiar with the principles, provide training to staff and volunteers in your organisation, and conduct a privacy audit of your current privacy policies and practices to ensure compliance.
Charities can be easy targets for data breaches, due to the amount and type of personal data held, so complying with good practice regarding privacy and putting a Data Breach Response Plan in place will help protect your clients, employees, volunteers and management committee members, and help minimise reputational damage to your organisation.
Privacy compliance is not about secrecy and data breaches are not just an IT issue. Organisations must use commonsence and reasonableness, and cultivate a proactive, open and transparent culture. Remember: Prevention is better than cure!
The OAIC also hosted a 1 hour webinar in November 2017, and you can view the recording online by registering here. The webinar outlines the history of the NDB and provides some useful examples.
Justice Connect NFP Law hosted a 1 hour 15 minute webinar on 21 Februrary 2018, which should be available to download shortly (for a small fee, via their website). Justice Connect have also published a helpful Privacy Guide (free to download via their website and below), and have also provided access to Norton Rose Fulbright's Privacy Compliance Manual (free to download via their website via registration). These documents provide general guidance on the Privacy Act and Australian Privacy Principles (APPs).
This page will be updated as more information becomes available.