With mandatory Data Breach Notification legislation coming into effect in February 2018 the Information Commissioner releases draft Notifiable Data breach guidelines and puts retailers on notice about their obligations.

November 6, 2017 |

It is less than 6 months before the mandatory data breach notification laws take effect.  February 22 2018 to be precise.  It will impact all organisations and agencies covered by the Privacy Act and may  require them to report data breaches of personal information.  This has been the norm in 48 states of the United States for some time.  In the United States receiving notices under whichever data breach legislation is in operation, if not common, then not unusual.  That is an indicator of the frequency and impact of data breaches on business and government.  Cyber crime for profit and malicious hacking is a chronic problem.  In Australia there has been no requirement to notify individuals whose personal information have been accessed through a data breach.  There have been self reported data breaches to the Information Commissioner, sometimes because of good corporate practice but more often because the breach had been publicised.

The Australian legislation is far from the gold standard. It is complex and quite imprecise. It will require considerable care by organisations and agencies to develop policies as early as possible to properly comply with the legislation when there is a data breach.  There is little point trying to comply while dealing with a data breach.  Notifications must be made within 30 days from the date the breach is detected.  That is the outer limit.  While the time frame seems generous, given the detail contained in the Guide, set out below, organisations which will need to deal with the data breach itself could easily find themselves running out of time and running afoul of their obligations. There are many issues that spring to life out of a data breach; the technical issues surrounding fixing the breach and assessing the damage to the site, insurance claims that may need to be made, contractual claims involving third party providers and notification to parties other than the Information Commissioner.  Unfortunately the default position for many organisations will be to scramble and sometimes do little, or less, when they are hit by a data breach. Then it will be a matter for the Information Commissioner to deal with non compliance.

Today the Australian Information Commissioner put out a media release regarding mandatory data breach notification laws for retailers.  It provides:

Australians increasingly provide personal information to retailers to purchase products online, or to gain rewards — almost three quarters of Australians are signed up to a store loyalty program.

Earlier this year, legislation was introduced to add to existing protections for personal information in the Australian Privacy Act. From 22 February 2018, retail businesses with an annual turnover of $3 million or more, or that trade in personal information, will be required to comply with the Notifiable Data Breaches (NDB) scheme.

Under the NDB scheme, these organisations must notify individuals affected by a data breach which is likely to result in serious harm. The Australian Information Commissioner must also be notified.

Failure to comply with the NDB scheme will fall under the Privacy Act’s existing enforcement and civil penalty framework.

‘Serious harm’ may include serious physical, psychological, emotional, financial, or reputational harm. Understanding whether serious harm is likely or not will generally rely on an evaluation of the context of a data breach — including the types of personal information involved, who has access to it, whether the data breach can be contained, and more.

In the context of retail for example, the disclosure of customers’ credit card details may be likely to result in serious financial harm. Notifying customers of this data breach provides them with the opportunity to take protective action, including cancelling credit cards.

The Information Commissioner has released a draft notifiable data breach resources. While it is in draft form it is likely to be substantially the same in its final form.

It provides:

What is the Notifiable Data Breaches scheme?

The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches (NDB) scheme in Australia.

The NDB scheme requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify any individuals likely to be at risk of serious harm by a data breach.

This notice must include recommendations about the steps that individuals should take in response to the data breach. The Australian Information Commissioner (Commissioner) must also be notified.

Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.

What is a Notifiable Data Breach?

A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.

A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.

Examples of a data breach include when:

  • a device containing customers’ personal information is lost or stolen
  • a database containing personal information is hacked
  • personal information is mistakenly provided to the wrong person.

Why is the NDB scheme important?

The NDB scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that organisations respond to serious data breaches.

This in turn supports consumer and community confidence that personal information is being respected and protected.

It also gives individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.

When does it take effect?

The NDB scheme will commence on 22 February 2018. It only applies to eligible data breaches that occur on, or after, that date.

Resources to prepare for the NDB scheme

We recommend that all organisations review their practices, procedures and systems for securing personal information in preparation for the scheme. The OAIC has a comprehensive Guide to securing personal information to assist you with this.

Organisations should also prepare or update their data breach response plan to ensure that they are able to respond quickly to suspected data breaches. The OAIC’s Data breach notification — A guide to handling personal information security breaches and Guide to developing a data breach response plan provide a best practice model, and will be updated in consultation with stakeholders ahead of the commencement of the NDB scheme.

Our privacy management framework sets out the steps that the OAIC expects organisations to take to ensure good privacy governance and compliance with the Privacy Act.

Who must comply with the NDB scheme

The NDB scheme will apply to businesses, Australian Government agencies, and other organisations that are already required by the Privacy Act to keep information secure.

Which data breaches are notifiable

Not all data breaches are notifiable — the NDB scheme only requires organisations to notify when there is a data breach that is likely to result in serious harm to any individual to whom the information relates. Exceptions to the NDB scheme will apply for some data breaches, meaning that notification to individuals or to the Commissioner may not be required.

Assessing suspected data breaches

Organisations that suspect an eligible data breach may have occurred are required to undertake a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm.

How to notify

Where an organisation becomes aware that there are reasonable grounds to believe an eligible data breach has occurred, they are obligated to notify individuals at likely risk of serious harm and the Commissioner as soon as practicable. This notification must set out:

  • the identity and contact details of the organisation
  • a description of the data breach
  • the kinds of information concerned and;
  • recommendations about the steps individuals should take in response to the data breach.

The role of the OAIC in NDB scheme regulation

The Commissioner will have a number of roles under the NDB scheme. These include:

  • receiving notifications of eligible data breaches
  • encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance
  • offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.

Keep informed

To keep up-to-date on the latest privacy news, sign up to our Privacy Professionals’ Network (PPN). The OAIC regularly holds events across the country for members of the PPN.

Other resources include:

Draft of entities covered by the NDB scheme:

Key points

  • In general terms, agencies and organisations (entities) that are already covered by the Privacy Act 1988 (Cth) (‘Privacy Act’) must comply with the Notifiable Data Breaches (NDB) scheme.
  • More precisely, the scheme applies to those entities that the Privacy Act requires to take steps to secure certain categories of personal information. Namely, Australian Privacy Principle (APP) entities, credit reporting bodies, credit providers, and tax file number (TFN) recipients.
  • Entities that have Privacy Act security obligations in relation to particular types of information only (for example, small businesses that are required to secure tax file number information) do not need to notify about data breaches that affect types of information outside the scope of their obligations under the Privacy Act.

APP entities

The NDB scheme applies to entities that have an obligation under APP 11 of the Privacy Act to protect the personal information they hold (s 26WE(1)(a)).[1] Collectively known as ‘APP entities’, these include most Australian Government agencies, some private sector and not-for-profit organisations, and all private health service providers. The definition of APP entity generally does not include small business operators, registered political parties, state or territory authorities, or a prescribed instrumentality of a state (s 6C).

For more information about APP entities, see paragraphs [B.2]-[B.9] of the Australian Privacy Principle Guidelines (APP Guidelines).

Small business operators

A small business operator (SBO) is an individual (including a sole trader), body corporate, partnership, unincorporated association, or trust that has not had an annual turnover of more than $3 million in any financial year since 2001 (s 6D).

Generally, SBOs do not have obligations under the APPs unless an exception applies (s 6D(4)).

If an SBO falls into one of the following categories they are not exempt and must comply with the APPs, and therefore with the NDB scheme, in relation to all of their activities:

  • entities that provide health services
  • entities related to an APP entity
  • entities that trade in personal information
  • credit reporting bodies
  • employee associations registered under the Fair Work (Registered Organisations) Act 2009, and
  • entities that ‘opt-in’ to APP coverage under s 6EA of the Privacy Act.

If an SBO carries on any of the following activities it must comply with the APPs, and therefore must comply with the NDB scheme, but only in relation to personal information held by the entity for the purpose of, or in connection with, those activities:

  • providing services to the Commonwealth under a contract
  • operating a residential tenancy data base
  • reporting under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
  • conducting a protected action ballot, and
  • information retained under the mandatory data retention scheme, as per Part 5-1A of the Telecommunications (Interception and Access) Act 1979.

More information about how to determine whether a business or organisation is an APP entity or subject to the APPs for some of its activities is available at ‘Privacy business resource 10: Does my small business need to comply with the Privacy Act?

Credit reporting bodies

A credit reporting body (CRB) is a business or undertaking that involves collecting, holding, using, or disclosing personal information about individuals for the purpose of providing an entity with information about the credit worthiness of an individual (s 6P). Credit reporting information is defined as credit information or CRB derived information about an individual (s 6(1)).

CRBs have obligations under the NDB scheme in relation to their handling of ‘credit reporting information’ (s 26WE(1)(b)), and in relation to their handling of any other personal information for which they have obligations under APP 11.

Credit providers

The NDB scheme applies to all credit providers whether or not they are APP entities. The section of the Privacy Act under which a credit provider is required to comply with the scheme will depend on what kind of information is involved in the data breach.

If it is ‘credit eligibility information’ (defined in s 6(1)) the NDB scheme will apply because of the security requirement in s 21S(1) in relation to that information.

If the credit provider is also an APP entity the NDB scheme applies in relation to other personal information because of the security requirement in APP 11.

The following kinds of organisations are considered credit providers for the purposes of the Privacy Act (s 6G):

  • a bank
  • an organisation or small business operator if a substantial part of its business is the provision of credit, such as a building society, finance company or a credit union
  • a retailer that issues credit cards in connection with the sale of goods or services
  • an organisation or SBO that supplies goods and services where payment is deferred for seven days or more, such as telecommunications carriers, and energy and water utilities
  • certain organisations or SBO that provide credit in connection with the hiring, leasing, or renting of goods.

An organisation or SBO that acquires the right of a credit provider in relation to the repayment of an amount of credit is also considered a credit provider, but only in relation to that particular credit (s 6K).

TFN recipients

The NDB scheme applies to Tax File Number (TFN) recipients[5] in their handling of TFN information (s 26WE(1)(d)). A TFN recipient is any person who is in possession or control of a record that contains TFN information (s 11). TFN information is information that connects a TFN with the identity of a particular individual (s 6).

A TFN recipient may also be an APP entity or credit provider. The NDB scheme applies to TFN recipients to the extent that TFN information is involved in a data breach. If TFN information is not involved, a TFN recipient would only need to comply with the NDB scheme for breaches of other types of information if they are also a credit provider or APP entity.

Information disclosed overseas

Disclosing personal information

If an APP entity discloses personal information to an overseas recipient, in line with the requirements of APP 8, then the APP entity is deemed to ‘hold’ the information for the purposes of the NDB scheme (s 26WC(1)). APP 8 says that an APP entity that discloses personal information to an overseas recipient is generally required to ensure that the recipient will comply with the APPs when handling that information. This means that if the personal information held by the overseas recipient is subject to unauthorised access or disclosure, the APP entity is still responsible for assessing whether it is an eligible data breach under the Privacy Act, and if it is, for notifying the Commissioner and individuals at risk of serious harm.

More information about APP 8 is available in ‘Privacy business resource 8: Sending personal information overseas’.

Disclosing credit eligibility information

If a credit provider discloses credit eligibility information to a person or related body corporate that does not have an ‘Australian link’ (s 26WC(2)(a)),[8] the credit provider may also have obligations under the NDB scheme. In the event that credit eligibility information held by the person or related body corporate is subject to unauthorised access or disclosure, the credit provider is responsible for assessing whether there is an eligible data breach that needs to be notified to the Commissioner and individuals at risk of serious harm.

For more information on what is an ‘Australian link’, see paragraphs [B10]-[B22] of the APP Guidelines

Draft identifying eligible data breaches

Key points

  • The notifiable data breaches (NDB) scheme requires regulated entities (entities) to notify particular individuals and the OAIC about ‘eligible data breaches’. A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates.
  • Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in the entity’s position.
  • Not all data breaches are eligible. For example, if an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the OAIC. There are also exceptions to notifying in certain circumstances.

Eligible data breach

An eligible data breach arises when the following three criteria are satisfied:

  1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds (see, What is a ‘data breach’?)
  2. this is likely to result in serious harm to one or more individuals (see, Is serious harm likely?), and
  3. the entity has not been able to prevent the likely risk of serious harm with remedial action (see, Preventing serious harm with remedial action).

This document is about the threshold at which an incident is considered an ‘eligible data breach’ that will be notifiable under the scheme unless an exception applies. The OAIC will develop a separate resource, Assessing a suspected data breach, to provide guidance to entities about the process to follow when carrying out an assessment of ‘whether there are reasonable grounds to suspect that there may have been an eligible data breach of the entity’ under s 26WH.

What is a ‘data breach’?

The first step in deciding whether an eligible data breach has occurred involves considering whether there has been a data breach; that is, unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information (s 26WE(2)). The Privacy Act 1988 (Cth) (Privacy Act) does not define these terms. The following analysis and examples draw on the ordinary meaning of these words.

  • Unauthorised access of personal information occurs when personal information that an entity holds is accessed by someone who is not permitted to have access. This includes unauthorised access by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party (such as by hacking).
  • Unauthorised disclosure occurs when an entity makes personal information accessible or visible to others outside the entity, and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee of the entity.
  • Loss refers to the accidental or inadvertent loss of personal information held by an entity, in circumstances where is it is likely to result in unauthorised access or disclosure. An example is where an employee of an entity leaves personal information (including hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) on public transport.Under the NDB scheme, if personal information is lost in circumstances where subsequent unauthorised access to or disclosure of the information is unlikely, there is no eligible data breach (s 26WE(2)(b)(ii)). For example, if the personal information is remotely deleted before an unauthorised person could access the information, or if the information is encrypted to a high standard making unauthorised access or disclosure unlikely, then there is no eligible data breach.

Is serious harm likely?

The second step in deciding whether a notifiable data breach has occurred involves deciding whether, from the perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach.

For the NDB scheme a ‘reasonable person’ means a person in the entity’s position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach. What is reasonable can be influenced by relevant standards and practices. ‘Reasonable person’ is also discussed in general terms in Chapter B of the OAIC’s Australian Privacy Principle Guidelines.[1]

The phrase ‘likely to occur’ means the risk of serious harm to an individual is more probable than not (rather than possible).

The chance that an individual will experience serious harm increases as the number of people whose personal information was part of the data breach increases. It may therefore be prudent for an entity to assume that a data breach that involves the loss of personal information of a very large number of individuals is likely to result in serious harm to at least one of those individuals unless the context or circumstances would support this not being the case.

‘Serious harm’ is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

Entities should assess the risk of serious harm holistically, having regard to the likelihood of the harm eventuating for individuals whose personal information was part of the data breach and the consequences of the harm. The NDB scheme includes a non-exhaustive list of ‘relevant matters’ that may assist entities to assess the likelihood of serious harm. These are set out in s 26WG as follows:

  • the kind or kinds of information
  • the sensitivity of the information
  • whether the information is protected by one or more security measures
  • if the information is protected by one or more security measures – the likelihood that any of those security measures could be overcome
  • the persons, or the kinds of persons, who have obtained, or who could obtain, the information
  • if a security technology or methodology:
    • was used in relation to the information, and;
    • was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information

    the likelihood that the persons, or the kinds of persons, who:

    • have obtained, or who could obtain, the information, and;
    • have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates

    have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology

  • the nature of the harm
  • any other relevant matters.

As some of these matters involve overlapping considerations, they are discussed further below, under the broader headings:

  1. the type or types of personal information involved in the data breach
  2. the circumstances of the data breach
  3. the nature of the harm that may result from the data breach.

The type or types of personal information involved in the data breach

Some kinds of personal information are more likely to cause an individual serious harm if compromised. Examples of the kinds of information that may increase the risk of serious harm if there is a data breach include:

  • ‘sensitive information’, such as information about an individual’s health
  • documents commonly used for identity fraud (including Medicare card, driver licence, and passport details)
  • financial information
  • a combination of personal information (rather than a single piece of personal information).

Circumstances of the data breach

The specific circumstances of the data breach are relevant when assessing whether there is a risk of serious harm to an individual. This may include consideration of the following:

  • Whose personal information was involved in the breach? An entity could consider whose personal information was involved in the breach, as certain people (such as young persons and vulnerable individuals) may be at particular risk of serious harm. A data breach involving the names and addresses of individuals might not, in various circumstances, be likely to result in serious harm to an individual, particularly if that information is already publicly available. However, if the entity knows that the information involved primarily relates to a vulnerable segment of the community, this may increase the risk of serious harm.
  • How many individuals were involved? If the breach involves the personal information of many individuals, the scale of the breach may affect an entity’s assessment of likely risks. Even if an entity considers that each individual will only have a small chance of suffering serious harm, if enough people’s personal information is involved in the breach, it may become likely that some of the individuals will experience serious harm. From a risk perspective, it may be prudent, depending on the particular circumstances, to treat a breach involving the personal information of a very large number of people as likely to result in serious harm to at least one of those individuals.
  • Do the circumstances of the data breach affect the sensitivity of the personal information? A breach that may publicly associate an individual’s personal information with a sensitive product or service they have used may increase the risk of serious harm. For example, a data breach involving an individual’s name may involve a risk of serious harm if the entity’s name links the individual with a particular physical or mental health service.[3]
  • Is the personal information adequately encrypted, anonymised, or otherwise not easily accessible? A relevant consideration is whether the information is rendered unreadable through the use of security measures to protect the stored information, or if it is stored in such a way so that it cannot be used if breached. In considering whether security measures (such as encryption) applied to compromised data are adequate, the entity should consider whether the method of encryption is an industry-recognised secure standard at the time the entity is assessing the likelihood of risk. Additionally, an entity should have regard to whether the unauthorised recipients of the personal information would have the capability to circumvent these safeguards. For example, if an attacker holds both encrypted data and the encryption key needed to decrypt that data, the entity should not assume the data is secure.
  • What parties have gained or may gain unauthorised access to the personal information? The unauthorised disclosure of an individual’s criminal record to someone who knows that individual personally may increase the risk of serious reputational harm for that individual.In addition, where a third party that obtains unauthorised access to personal information, or appears to target personal information of a particular individual or group of individuals, this may increase the risk of serious harm as it may be more likely the personal information is intended for malicious purposes.

The nature of the harm

In assessing the risk of serious harm, entities should consider the broad range of potential kinds of harms that may follow a data breach. It may be helpful for entities assessing the likelihood of harm to consider a number of scenarios that would result in serious harm and the likelihood of each. Examples may include:

  • identity theft
  • significant financial loss by the individual
  • threats to an individual’s physical safety
  • loss of business or employment opportunities
  • humiliation, damage to reputation or relationships
  • workplace or social bullying or marginalisation.

The likelihood of a particular harm occurring, as well as the anticipated consequences for individuals whose personal information is involved in the data breach if the harm materialises, are relevant considerations.

Preventing serious harm with remedial action

The NDB scheme provides entities the opportunity to take positive steps to address a data breach in a timely manner, and avoid the need to notify. If an entity takes remedial action that prevents the likelihood of serious harm occurring for any individuals whose personal information is involved in the data breach, then the breach is not an eligible data breach for that entity or for any other entity (s 26WF(1), s 26WF(2), s 26WF(3)). For breaches where information is lost, the remedial action is adequate if it prevents the unauthorised access or disclosure of personal information (s 26WF(3)).

If the remedial action prevents the likelihood of serious harm to some individuals within a larger group of individuals whose information was compromised in a data breach, notification to those individuals for whom harm has been prevented is not required.

Examples of remedial action that may prevent serious harm occurring include:

Example 1:

A data file, which includes the personal information of numerous individuals, is sent to an incorrect recipient outside the entity. The sender realises the error and contacts the recipient, who advises that the data file has not been accessed. The sender then confirms that the recipient has not copied, and has permanently deleted the data file.

Example 2:

An employee leaves a smartphone on public transport while on their way to work. When the employee arrives at work they realise that the smartphone has been lost, and ask their employer’s IT support staff to remotely delete the information on the smartphone. Because of the security measures on the smartphone, the IT support staff are confident that its content could not have been accessed in the short period between when it was lost and when its contents were deleted.

Examples of data breaches

The following examples are provided to illustrate some of the considerations that entities might take into account when assessing whether a data breach is likely to result in serious harm. However, whether any data breach is notifiable depends on the particular circumstances of the breach.

Example 1 — strong encryption making notification unnecessary

WeCare notifies the police and hires an external IT security consultant to conduct an audit and security assessment. The audit confirms that 500 customer records were involved in the data breach, and that an overseas source was responsible for the hack. The IT security consultant’s comprehensive sweeps of the internet and dark web were unable to find evidence that the information was offered for sale or otherwise disclosed online. The IT security consultant also assesses that because of the high standard of encryption used for the credit card information, it is unlikely that this information could be accessed by the hacker. WeCare implemented the recommendations of the IT security consultant, including new IT security protocols and intrusion detection software.

WeCare determines that it is not likely that the individuals whose personal information is involved in the data breach are at risk of serious harm. Therefore, WeCare decides it is not an eligible data breach, and does not notify the OAIC or the affected individuals.

Nonetheless, it decides that as a customer service measure, it should tell the individuals about the incident. It sends an email to the customers informing them of the incident and providing some advice on personal information security measures they can take.

Example 2 — notification following unintentional publication of sensitive data

PharmaChoice, a chain of low-cost pharmacies, becomes aware that its customer database, including records about dispensing of prescription drugs, has been publicly available on the internet due to a technical error. PharmaChoice’s security consultants identify that the database was publicly available for a limited time and that it was only accessed a few times.

However, PharmaChoice is unable to determine who accessed the data or if they kept a copy. Given the sensitivity of the personal information contained in the database, including drugs related to the treatment of addictive and psychiatric conditions, PharmaChoice’s risk assessment concludes that the data breach would be likely to result in serious harm to some of its customers.

PharmaChoice decides to notify all customers whose personal information is involved in the data breach. Because it does not have contact details for many of the customers who filled prescriptions with it in person, it publishes a notice describing the breach on its website and posts a copy in a prominent location at each of its stores.

Example 3 — data breach experienced by overseas contractor leading to phishing

Shop4You enters into a contract with an automated email marketing platform located overseas which it uses to communicate with its customers. The service provider detects that the bulk mailing distribution lists for Shop4You have been downloaded by an external IP address. The bulk mailing distributions lists include the name, email address, gender, and suburb of Shop4You’s customers. The service provider notifies Shop4You, who conducts an immediate investigation into how the mailing lists were accessed and downloaded.

An IT Security sweep detects malware on an employee’s computer, and the investigation concludes that their login credentials were obtained after the employee unintentionally opened an email attachment from a malicious third party attacker. As Shop4You also held the personal information, assuming that the service provider was not an APP entity, Shop4You undertook an assessment of whether it was required to notify individuals and the OAIC.

As part of its assessment, Shop4You identified that some of the individuals whose personal information was involved in the data breach received emails that fraudulently claimed to be sent from Shop4You, and which sought to obtain the individual’s credit card details. As a result, Shop4You concludes that it is more probable than not that the attacker will use the information in the mailing lists for the purposes of identity theft, and that it is likely that some of the individuals will suffer serious financial harm as a result of this.

Given this likelihood, Shop4You notifies the OAIC and sends an email with the relevant information required by the NDB scheme to those individuals whose personal information is involved in the data breach. Shop4You’s email to these individuals includes information about scam emails and how to identify them, and provides referrals to services that assist individuals in mitigating the risk of identity theft.

Example 4 — loss of unencrypted storage media containing personal information

A memory stick containing the employee records of 200 employees of an Australian Government Department (the Department) goes missing while the employee who holds the memory stick is travelling from one work site to another. Once the Department becomes aware that the memory stick is lost, it conducts an extensive search but fails to locate it. The information contained in the employee records includes the names, salary information, TFNs, home addresses, phone numbers, birth dates, and in some cases health information (including disability information) of current staff. As the data on the memory stick is not encrypted, and there is a chance that the memory stick was lost outside of the Department’s premises, the Department concludes that unauthorised disclosure is likely to occur.

Due to the sensitivity of the unencrypted information – not only the extent and variety of the information, but also the inclusion of health and disability information in the records – the Department’s risk assessment finds that there is a likely risk of serious harm to at least one of the individuals whose personal information is involved in the data breach. On this basis, the Department considers that it is an eligible data breach for the purposes of the NDB scheme, and prepares a statement to notify the OAIC.

A senior staff member emails the relevant staff to notify them of the eligible data breach, and provides the content of the statement prepared for the OAIC. In the notification, the Department also offers staff an apology for the breach, notes that the OAIC has been informed of the breach, and explains what steps have been put in place to prevent this type of a breach occurring in the future.

Example 5 — online banking fraud and remedial action

Jupiter Bank’s fraud detection systems flag that there has been unusual activity on an individual’s online banking account, when a substantial amount of money is transferred to an account in another country. The fraud team assesses the activity, and finds that the account was accessed by an unauthorised attacker who had obtained control of the individual’s account.

Through its existing fraud management processes, Jupiter Bank’s fraud team notify the individual that it is temporarily freezing online access to the account due to the fraudulent activity, resets the password for online access and returns the stolen funds. As part of its risk assessment, the fraud team confirms that the individual’s other accounts have not been compromised, and recommends to the individual that they change any similar passwords to other services. A member of Jupiter Bank’s fraud team assesses whether there is a risk of likely harm to the individual, and concludes that as a result of the above steps taken to remediate the unauthorised access, it is not likely the individual will be at risk of serious harm. Given this remedial action, Jupiter Bank does not notify the OAIC.

Example 6 — email sent to the wrong recipient contained before serious harm can occur

Care Services, a claims management service provider, regularly sends updates to its clients about the status of the workers compensation claims of their employees. Because of human error, an employee of Care Services accidentally sends an email with an attachment about the employees of Business A to another client, Business B. The attachment contains the personal information of 200 employees of Business A, and includes their name, address, date of birth, and health information about their claimed injury.

The Care Services employee realises the error, and contacts Business B to delete the email with the attachment. Business B confirms it has not accessed the file, and that it has deleted the email. Care Services’ assessment of the remedial action taken concludes that, while the file included sensitive information about the individuals’ health, the assurance that Business B deleted the file has prevented the likely risk of serious harm to any individuals. As a consequence, Care Services determines that it is not an eligible data breach that needs to be notified.

Draft: Exceptions to notification obligations

Key points

  • The Notifiable Data Breaches (NDB) scheme requires regulated entities (entities) to notify individuals and the Australian Information Commissioner (Commissioner) of ‘eligible data breaches’. A data breach is an ‘eligible data breach’ if an individual is likely to experience serious harm (see Identifying eligible data breaches and Notifying individuals about an eligible data breach).
  • There are some exceptions to the notification requirements, which relate to:
    • eligible data breaches of other entities
    • enforcement related activities
    • inconsistency with secrecy provisions
    • declarations by the Australian Information Commissioner.

Eligible data breach of other entities

Two or more entities may hold the same personal information in a number of circumstances, including through outsourcing arrangements or a joint venture[1]. If an eligible data breach involves personal information held by more than one entity, only one of the entities needs to notify the Commissioner and individuals (s 26WM).

The NDB scheme does not specify which entity must notify, in order to allow entities flexibility in making arrangements appropriate for their business and their customers.

Entities should consider making arrangements regarding compliance with NDB scheme requirements, including notification to individuals at risk of serious harm, such as in service agreements or other relevant contractual arrangements, as a matter of course when entering into such agreements.

The Commissioner suggests that, in general, the entity with the most direct relationship with the individuals at risk of serious harm should notify. This will allow individuals to better understand the notification, and how the eligible data breach might affect them.

If none of the entities notifies, then all of the entities may be found to have breached the notification requirements of the NDB scheme (s 26WL). It is the responsibility of each entity involved in an eligible data breach to be sure that the requirements of the NDB scheme are being met.

An enforcement body does not need to notify individuals about an eligible data breach if its chief executive officer (CEO) believes on reasonable grounds that notifying individuals would be likely to prejudice an enforcement related activity conducted by, or on behalf, of the enforcement body (s 26WN).

‘Believes on reasonable grounds’ means the CEO must have a basis for the belief. It is the responsibility of the enforcement body to be able to justify the reasonable grounds for this belief, and the decision should be documented. ‘Reasonable belief’ is discussed further in the OAIC’s APP Guidelines.

The enforcement body must still provide a statement about the eligible data breach to the Australian Information Commissioner (see What to include in an eligible data breach statement). However, this statement does not have to include the steps recommended for individuals to take in response to the data breach, because individuals are not being notified (s 26WN).

If this exception applies, and the eligible data breach involves other entities, these other entities are not required to notify individuals (s 26WN(e)). Further, these other entities are not required to provide a statement about the eligible data breach to the Commissioner if the enforcement body has done so (s 26WM). To rely on this exception, other entities would usually need a written statement regarding the eligible data breach, dated and signed by the CEO of the enforcement body.

This exception does not apply if an eligible data breach is unrelated to an enforcement activity. For example, the exception may not apply to an eligible data breach involving employees’ personal information, which is unrelated to an investigation.

Inconsistency with secrecy provisions

Exceptions to notifying the Commissioner or individuals may apply where a Commonwealth law prohibits or regulates the use or disclosure of information (a secrecy provision). In particular:

  • the requirement to provide a statement to the Commissioner about the eligible data breach does not apply to the extent that this requirement is inconsistent with a secrecy provision (s 26WP(2))
  • the requirement to notify individuals about an eligible data breach does not apply to the extent that providing this notice is inconsistent with a secrecy provision (s 26WP(3)).

The exceptions in s 26WP are intended to preserve the operation of specific secrecy provisions in other legislation. A common purpose of secrecy provisions is to prohibit the unauthorised disclosure of client information. Most secrecy provisions allow the disclosure of information in certain circumstances, such as with an individual’s consent where the information relates to them, or where the disclosure of information relates to an officer’s duties, or the exercise of their powers or functions.

If an eligible data breach occurs, agencies should apply the exceptions under s 26WP only to the extent necessary to avoid inconsistency with a secrecy provision.

For example, if providing a statement about an eligible data breach to the Commissioner (s 26WK) would not be inconsistent with a secrecy provision, but notifying individuals (s 26WL) would be, the entity would only be required to notify the Commissioner.

The following is relevant in assessing whether a secrecy provision is inconsistent with the requirements of the NDB scheme:

  • if a secrecy provision permits the disclosure of information that is required or authorised by another law (such as the Privacy Act), there would not be an inconsistency between the secrecy provision and the NDB scheme notification requirements
  • if a secrecy provision does not allow the disclosure of information, even if the disclosure is required or authorised by another law (such as the Privacy Act), there may be inconsistency between the secrecy provision and the NDB scheme notification requirements
  • if a secrecy provision permits the disclosure of information in the course of an officer’s duties, there would not be inconsistency between the secrecy provision and the NDB scheme notification requirements, as complying with the notification requirements is the responsibility of the agency through its officers.

Declarations by the Australian Information Commissioner

In some circumstances, the Commissioner may declare by written notice that an entity does not need to comply with the NDB scheme notification requirements (s 26WQ). The purpose of the declaration by the Commissioner is to provide an exception where compliance with the NDB notification requirements would conflict with the public interest.

The Commissioner may declare that an entity is not required to provide a statement to the Commissioner or to notify particular individuals (s 26WQ(1)(c)), or that notification to individuals is delayed for a specified period (s 26WQ(1)(d)).

The Commissioner cannot make a declaration under s 26WQ unless satisfied that it is reasonable in the circumstances to do so, having regard to the public interest, relevant advice received from an enforcement body or the Australian Signals Directorate, and any other relevant matter. While the Commissioner is empowered to make a declaration if it is ‘reasonable in the circumstances to do so’, the Commissioner still has discretion about whether to make a declaration, and on what terms.

In deciding whether to make a declaration, and on what terms, the Commissioner will have regard to the objectives of the Privacy Act and other relevant matters. The Commissioner will consider whether the risks associated with notifying of a particular eligible data breach outweigh the benefits of notification to individuals at risk of serious harm.

Given the clear objective of the scheme to promote notification of eligible data breaches, and the inclusion of exceptions in the scheme that remove the need to notify in a wide range of circumstances, the Commissioner expects that declarations under s 26WQ will only be made in exceptional cases and only after a compelling case has been put forward by the entity seeking the declaration.

The procedure for applying for a declaration, and factors the Commissioner may consider, are outlined in the OAIC’s Regulatory Action Guide.

Draft: Assessing a suspected data breach

Key points

  • If an entity has grounds to believe that it has experienced an eligible data breach, it must promptly notify individuals and the Commissioner about the breach, unless an exception applies
  • In contrast, if an entity suspects that it may have experienced an eligible data breach, it must quickly assess the situation to decide whether or not there has been an eligible breach
  • An assessment must be reasonable and expeditious, and organisations may develop their own procedures for assessing a suspected breach.

When must entities assess a suspected breach?

The NDB scheme is designed so that only serious (‘eligible’) data breaches are notified (see Identifying eligible data breaches). If an entity is aware of reasonable grounds to believe that there has been an eligible data breach, it must promptly prepare a statement about the eligible data breach for the Commissioner and notify individuals at risk of serious harm (see Notifying individuals about an eligible data breach).

On the other hand, if an entity only has reason to suspect that there may have been a serious breach, it needs to move quickly to resolve that suspicion by assessing whether an eligible data breach has occurred. If, during the course of an assessment, it becomes clear that there has been an eligible breach, then the entity needs to promptly comply with the notification requirements.

The requirement for an assessment is triggered if an entity is aware that there are reasonable grounds to suspect that there may have been a serious breach (s 26WH(1)).

Whether an entity is ‘aware’ of a suspected breach is a factual matter in each case, having regard to how a reasonable person who is properly informed would be expected to act in the circumstances. For instance, if a person responsible for compliance or personnel with appropriate seniority are aware of information that suggests a suspected breach may have occurred, an assessment should be done. An entity should not unreasonably delay an assessment of a suspected eligible breach, for instance by waiting until its CEO or Board is aware of information that would otherwise trigger reasonable suspicion of a breach within the entity.

The OAIC expects entities to have practices, procedures, and systems in place to comply with their information security obligations under APP 11, enabling suspected breaches to be promptly identified, reported to relevant personnel, and assessed if necessary.

If a data breach affects one or more other entities, and one entity has assessed the suspected breach, the other entities are not required to also assess the breach (s 26WJ). If no assessment is conducted, depending on the circumstances, each entity that holds the information may be found to be in breach of the assessment requirements. The NDB scheme does not prescribe which entity should conduct the assessment in these circumstances. Entities should establish clear arrangements where information is held jointly, so that assessments are carried out quickly and effectively.

How quickly must an assessment be done?

An entity must take all reasonable steps to complete the assessment within 30 calendar days after the day the entity became aware of the grounds (or information) that caused it to suspect an eligible data breach (s 26WH(2)).

The OAIC expects that wherever possible entities treat 30 days as a maximum time limit for completing an assessment, and endeavour to complete the assessment in a much shorter timeframe, as the risk of serious harm to individuals often increases with time.

Where an entity cannot reasonably complete an assessment within 30 days, OAIC recommends that it should document this, so that it is able demonstrate:

  • that all reasonable steps have been taken to complete the assessment within 30 days,
  • what were the reasons for delay, and
  • the assessment was reasonable and expeditious.

How is an assessment done?

Entities must carry out a ‘reasonable and expeditious’ assessment (s 26WH(2)(a)). The Privacy Act does not set out how entities should assess a data breach, and organisations may develop their own procedures for assessing a suspected breach.

The OAIC expects entities to take a risk-based approach to assessments. The amount of time and effort expended in an assessment should be proportionate to the likelihood of the breach and its apparent severity.

The OAIC expects that an entity’s business as usual approach to data breach management, including its data breach response plan, will be reviewed and updated to incorporate the requirements of the NDB scheme for assessing suspected eligible data breaches.

While the Act does not specify how an assessment should occur, the OAIC suggests that an assessment could be a three-stage process:

  1. Initiate: decide whether an assessment is necessary and identify which person or group will be responsible for completing it
  2. Investigate: quickly gather relevant information about the suspected breach, including, for example, what personal information is affected, who may have had access to the information and the likely impacts, and
  3. Evaluate: make a decision, based on the investigation, about whether the identified breach is an eligible data breach (see Identifying eligible data breaches).

The OAIC’s Data breach notification — A guide to handling personal information security breaches may also assist when designing and reviewing an entity’s assessment procedures.

The OAIC recommends that entities document the assessment process and outcome.

Remedial action

At any time, including during an assessment, an entity can, and should, take steps to reduce any potential harm to individuals caused by a suspected or eligible data breach. If remedial action is successful in preventing serious harm to affected individuals, notification is not required (as explained in Identifying eligible data breaches).

Breach established – what next?

Once an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach – whether during the course of an assessment, or when the assessment is complete – it must promptly notify affected individuals and the OAIC about the breach (see What to include in an eligible data breach statement and Notifying individuals about an eligible data breach).

 

Notifying individuals about an eligible data breach.

  • When an entity experiences an eligible data breach, it must provide a statement to the Commissioner, and notify individuals at risk of serious harm of the contents of the statement.
  • If it is not practicable to notify individuals at risk of serious harm, an entity must publish a copy of the statement prepared for the Commissioner on its website, and take reasonable steps to bring its contents to the attention of individuals at risk of serious harm.
  • If a single eligible data breach applies to multiple entities, only one entity needs to notify the Commissioner and individuals at risk of serious harm. It is up to the entities to decide who notifies. Generally, the Commissioner suggests that the entity with the most direct relationship with the individuals at risk of serious harm should undertake the notification.

Who needs to be notified?

Once an entity has reasonable grounds to believe there has been an eligible data breach, the entity must promptly prepare a statement for the Commissioner and make a prompt decision about which individuals to notify.

The Notifiable Data Breaches (NDB) scheme provides flexibility — there are three options for notifying individuals at risk of serious harm, depending on what is ‘practicable’ for the entity (s 26WK(2)). 

Whether a particular option is practicable involves a consideration of the time, effort, and cost of notifying individuals at risk of serious harm in a particular manner. These factors should be considered in light of the capabilities and capacity of the entity.

Option 1 — Notify all individuals

If it is practicable, an entity can notify each of the individuals to whom the relevant information relates (s 26WL(2)(a)). That is, all individuals whose personal information was part of the data breach.

This option may be appropriate, and the simplest method, if an entity cannot reasonably assess which particular individuals are at risk of serious harm from an eligible data breach that involves personal information about many people, but where the entity has formed the view that serious harm is likely for one or more of the individuals. 

The benefits of this approach include ensuring that all individuals who may be at risk of serious harm are notified, and allowing them to consider whether they need to take any action in response to the data breach.

Option 2 — Notify only those individuals at risk of serious harm

If it is practicable, an entity can notify only those individuals who are at risk of serious harm from the eligible data breach (s 26WL(2)(b)).

That is, individuals who are likely to experience serious harm as a result of the data breach. If an entity identifies that only a particular individual, or a specific subset of individuals, involved in an eligible data breach is at risk of serious harm, and can specifically identify those individuals, only those individuals need to be notified.

The benefits of this targeted approach include avoiding possible notification fatigue among members of the public, and reducing administrative costs, where it is not required by the NDB scheme.

Example: An attacker installs malicious software on a retailer’s website. The software allows the attacker to intercept payment card details when customers make purchases on the website. The attacker is also able to access basic account details for all customers who have an account on the website. Following a comprehensive risk assessment, the retailer considers that the individuals who made purchases during the period that the malicious software was active are at likely risk of serious harm, due to the likelihood of payment card fraud. Based on this assessment, the retailer also considers that those customers who only had basic account details accessed are not at likely risk of serious harm. The retailer is only required to notify those individuals that it considers to be at likely risk of serious harm.

Option 3 – Publish notification

If neither option 1 or 2 above are practicable, the entity must:

  • publish a copy of the statement on its website if it has one
  • take reasonable steps to publicise the contents of the statement (s26WL(2)(c)).

It is not enough to simply upload a copy of the statement prepared for the Commissioner on any webpage of the entity’s website. Entities must also take proactive steps to publicise the substance of the data breach (and at least the contents of the statement), to increase the likelihood that the eligible data breach will come to the attention of individuals at risk of serious harm.

How do I notify and what do I need to say?

Options 1 and 2

Options 1 and 2 above require that entities take ‘such steps as are reasonable in the circumstances to notify individuals about the contents of the statement’ that the entity prepared for the Commissioner (s 26WL(2)(a) and (b)).

The entity can use any method to notify individuals (for example, a telephone call, SMS, physical mail, social media post, or in-person conversation), so long as the method is reasonable. In considering whether a particular method, or combination of methods is reasonable, the notifying entity should consider the likelihood that the people it is notifying will become aware of, and understand the notification, and weigh this against the resources involved in undertaking notification.

An entity can notify an individual using their usual method of communicating with that particular individual (s 26WL(4)).

The entity can tailor the form of its notification to individuals, as long as it includes the content of the statement required by s 26WK. That statement (and consequently, the notification to individuals) must include the following information:

  1. the identity and contact details of the entity (s 26WK(3)(a))
  2. a description of the eligible data breach that the entity has reasonable grounds to believe has happened (s 26WK(3)(b))
  3. the kind, or kinds, of information concerned (s 26WK(3)(c))
  4. recommendations about the steps that individuals should take in response to the data breach (s 26WK(3)(d)).

Option 3

Option 3, which can only be used if Options 1 or 2 are not practicable, requires an entity to publish a copy of the statement prepared for the Commissioner on its website, and take reasonable steps to publicise the contents of that statement.

An entity should consider what steps are reasonable in the circumstances of the entity and the data breach to publicise the statement. The purpose of publicising the statement is to draw it to the attention of individuals at risk of serious harm, so the entity should consider what mechanisms would be most likely to bring the statement to the attention of those people.

A reasonable step when publicising an online notice, might include:

  • ensuring that the webpage on which the notice is placed can be located and indexed by search engines
  • publishing an announcement on the entity’s social media channels
  • taking out a print or online advertisement in a publication or on a website the entity considers reasonably likely to reach individuals at risk of serious harm.

In some cases, it might be reasonable to take more than one step to publicise the contents of the statement. For example, if a data breach involves a particularly serious form of harm, or affects a large number of individuals, an entity could take out multiple print or online advertisements (which could include paid advertisements on social media channels), publish posts on multiple social media channels, or use both traditional media and online channels.

The approach to publicising the statement may depend on the publication method. For example, where space and cost allows, an entity may republish the entirety of the information required to be included in the statement. Another option, if the available space is limited, or the cost of republishing the entire statement would not be reasonable in all the circumstances, would be to summarise the information required to be included in the statement and provide a hyperlink to the copy of the statement published on the entity’s website. Entities should keep in mind the ability and likelihood of individuals at risk of serious harm being able to access the statement when determining the appropriateness of relying solely on such an approach.

Timing of notification

Entities must notify individuals as soon as practicable after completing the statement prepared for notifying the Commissioner (s 26WL(3)).

Considerations of cost, time, and effort may be relevant in deciding an entity’s decision about when to notify individuals. However, the Commissioner generally expects entities to expeditiously notify individuals at risk of serious harm about an eligible data breach unless cost, time, and effort are excessively prohibitive in all the circumstances.

If entities have notified individuals at risk of serious harm of the data breach before they notify the Commissioner, they do not need to notify those individuals again, so long as the individuals were notified of the contents of the statement given to the Commissioner. The scheme does not require that notification be given to the Commissioner before individuals at risk of serious harm, so if entities wish to begin notifying those individuals before, or at the same time as notifying the Commissioner, they may do so.

Data breaches involving more than one organisation

If more than one entity holds personal information that was compromised in an eligible data breach, only one entity needs to notify individuals about the data breach. For example, more than one entity may hold personal information compromised in an eligible data breach due to outsourcing, a joint venture, or shared services arrangements between entities. However, if none of the entities notifies, each of the entities may be found to have breached s 26WL(2).

In these circumstances the Privacy Act intentionally does not specify which entity must undertake the notification, in order to allow entities flexibility in making arrangements appropriate for their business and their customers.

Entities should consider making arrangements regarding compliance with NDB scheme requirements, including notification to individuals at risk of serious harm, such as in service agreements or other relevant contractual arrangements, as a matter of course when entering into such agreements.

The Commissioner suggests that, in general, the entity with the most direct relationship with the individuals at risk of serious harm should notify. This will allow individuals to better understand the notification, and how the data breach might affect them.

Example: A medical practice stores paper-based patient records with a contracted storage provider. The storage provider’s premises are broken into, and the patient records stolen. Both the medical practice and the storage provider hold the records for the purpose of the Privacy Act, so both have an obligation to notify. Although the storage provider’s insurance company has agreed to cover the cost of the break in, including the cost of notification, the storage provider and medical practice agree that it is most appropriate that notification come from the medical practice, as the individuals at risk of serious harm do not have any pre-existing relationship with the storage provider. As such, the medical practice notifies the individuals about the incident and is reimbursed by the storage provider and its insurer for the costs of notification.

What to include in an eligible data breach statement

  • The NDB scheme requires entities to notify individuals about an eligible data breach (see Identifying eligible data breaches).
  • Entities are also required to prepare a statement and provide a copy to the Australian Information Commissioner (the Commissioner) (s 26WK). The OAIC’s online form may help entities to do this.
  • The statement must include the name and contact details of the entity, a description of the eligible data breach, the kind or kinds of information involved, and what steps the entity recommends that individuals at risk of serious harm take in response to the eligible data breach (s 26WK(3))
  • Entities must notify affected individuals about the contents of this statement or, if this is not practicable, publish a copy of the statement on the entity’s website and take reasonable steps to publicise the contents of the statement (s 26WL(2)) (see Notifying individuals about an eligible data breach).

What must be included in the statement

A statement about an eligible data breach must include:

  • the identity and contact details of the entity (s 26WK(3)(a))
  • a description of the eligible data breach (s 26WK(3)(b))
  • the kind or kinds of information involved in the eligible data breach (s 26WK(3)(c))
  • what steps the entity recommends that individuals take in response to the eligible data breach (s 26WK(3)(d)).

Identity and contact details of the entity

Where an entity’s company name is different to the business or trading name, the OAIC recommends that entities also include the name that is most familiar to individuals. The entity must also include information about how an individual can contact it. Depending on the nature and scale of the breach, the entity may wish to consider whether to provide its general contact details, or establish a dedicated phone line or email address to answer queries from individuals.

Description of the eligible data breach

An entity is required to include ‘a description’ of the data breach in its statement.

The OAIC expects that the statement will include sufficient information about the data breach to allow affected individuals the opportunity to properly assess the possible consequences of the data breach for them, and to take protective action in response.

Information describing the eligible data breach may include:

  • the date of the unauthorised access or disclosure
  • the date the entity detected the data breach
  • the circumstances of the data breach (such as any known causes for the unauthorised access or disclosure)
  • who has obtained or is likely to have obtained access to the information
  • relevant information about the steps the entity has taken to contain the breach.

The kind or kinds of information concerned

The statement must include the kind or kinds of information involved in the data breach. Knowing what kind of personal information has been breached is critical to assessing what action should be taken by individuals following a data breach.

Entities, in assessing the data breach, should clearly establish what information was involved in the data breach, including whether the breach involved ‘sensitive information’[1] (such as information about an individual’s health), government related identifiers (such as a Medicare number or driver licence number), or financial information.

The statement must include recommendations individuals should take in response to the data breach, to mitigate the serious harm or likelihood of serious harm from the data breach.

The nature of recommendations will depend on the entity’s functions and activities, the circumstances of the eligible data breach, and the kind or kinds of information that were involved. Recommendations should include practical steps that are easy for the individuals to action.

For example, to help reduce the risk of identity theft or fraud, recommendations in response to a data breach that involved individuals’ Medicare numbers might include steps an individual can take to request a new Medicare card. Or in the case of a data breach that involved unencrypted or partially encrypted credit card information, recommendations might include that an individual contact their financial institution to change their credit card number, and also contact a credit reporting body to establish a credit alert.

Additional information to provide

Other entities involved in the data breach

If more than one entity holds personal information that was compromised in an eligible data breach, only one entity needs to prepare a statement and notify individuals about the data breach (s 26WM, and see Notifying individuals about an eligible data breach). This may occur when an entity outsources the handling of personal information, is involved in a joint venture, or where it has a shared services arrangement with another entity.

When a data breach affects more than one entity, the entity that prepares the statement may include the identity and contact details of the other entities involved (s 26WK(4)). Whether an entity includes the identity and contact details of other involved entities in its statement will depend on the circumstances of the eligible data breach, and the relationship between the entities and the individuals involved. The Privacy Act does not require this information to be included on the statement, and it is open to entities to assess whether it is useful to provide this information to individuals.

The OAIC recognises that in some instances the identity and contact details of a third party may not be relevant to an individual whose personal information is involved in an eligible data breach, for example, where the individual does not have a relationship with the other entity. In these circumstances, rather than include the identity and contact details of the third party or parties, the entity that prepares the statement may wish to describe the commercial relationship with the third party in its description of the data breach.

When to provide a copy of the statement to the Commissioner

Entities must prepare and give a copy of the statement to the Commissioner as soon as practicable after becoming aware of the eligible data breach (s 26WK(2)).

What is a ‘practicable’ timeframe will vary depending on the entity’s circumstances, and may include considerations of the time, effort, or cost required to prepare the statement. The OAIC expects that once an entity becomes aware of an eligible data breach, it will provide a statement to the Commissioner promptly, unless there are circumstances that reasonably hinder the entity’s ability to do so.

It may be appropriate in some circumstances for an entity to advise individuals about the contents of the statement before or at the same time that it gives the statement to the Commissioner, rather than waiting.

How to provide the statement to the Commissioner

The OAIC has created an online form that may assist entities when preparing a statement about an eligible date breach under section 26WK of the Privacy Act.

Alternatively, an entity may wish to prepare a statement using the Word document form [108 KB DOCX] option, and provide it to the Commissioner by sending it to:

Email: enquiries@oaic.gov.au
Fax: +61 2 9284 9666
Post: GPO Box 5218
Sydney NSW 2001

 

A draft Notifiable Breach Statement

Notifiable Data Breach statement

This form is used to inform the Australian Information Commissioner of an ‘eligible data breach’ where required by the Privacy Act 1988.

Part one is the ‘statement’ about a data breach required by section 26WK of the Privacy Act.

If you are required to notify individuals of the breach, in your notification to those individuals you must provide them with the information you have entered into part one of the form.

The OAIC encourages entities to voluntarily provide additional information about the eligible data breach in part two of this form. Part two of the form is optional, but the OAIC may need to contact you to seek further information if you do not complete this part of the form. 

Before completing this form, we recommend that you read our resource What to include in an eligible data breach statement.

If you are unsure whether your entity has experienced an eligible data breach, you may wish to review the Identifying eligible data breaches resource.

The OAIC will send an acknowledgement of your statement about an eligible data breach on receipt with a reference number.

Your personal information

We will handle personal information collected in this form (usually only your name and contact details) in accordance with the Australian Privacy Principles.

We collect this information to consider and respond to your breach notification. We may use it to contact you.

More information about how the OAIC handles personal information is available in our privacy policy.

Information Commissioner’s Role in the National Data Breach scheme

The Australian Information Commissioner (the Commissioner) has a number of roles under the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988 (Cth) (Privacy Act). These include:

  • receiving notifications of eligible data breaches
  • encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance
  • offering advice and guidance to regulated entities, and providing information to the community about the operation of the scheme.

This document summarises how the Commissioner anticipates exercising these functions.

Receiving notifications of data breaches

How the Commissioner will receive notification

Once an entity has reasonable grounds to believe there has been an eligible data breach and is not exempted from notifying, it is required to provide notification to the Commissioner and, usually, individuals at risk of serious harm. When notifying the Commissioner, the entity must provide a notification statement that contains the following information (s 26WK(3)):

  1. the identity and contact details of the notifying entity
  2. a description of the data breach
  3. a description of the personal information involved
  4. recommendations to individuals about the steps that they should take to minimise the impact of the breach.

Although not required by the Privacy Act, entities may also provide additional supporting information to the Commissioner to explain the circumstances of the data breach and the entity’s response in further detail. This information will assist the Commissioner to decide whether to make further inquiries or to take any other action.

The Commissioner will publish an online form to help entities lodge notification statements and provide additional supporting information.

Confidentiality of information provided in notifications

If an entity elects to provide additional supporting information to the Commissioner, they may request that the Commissioner hold that information in confidence. The Commissioner will respect the confidence of commercially sensitive information provided voluntarily in support of a data breach notification, and will only disclose such information after consulting with the notifying entity, and with the entity’s agreement or where required by law.

If the Commissioner receives a freedom of information (FOI) request for a notification statement or additional supporting information, the Commissioner will consult with the entity that made the notification (if it is an organisation) or will offer to transfer the request to the entity (if it is an agency).

Responding to notifications

The Commissioner will acknowledge receipt of all data breach notifications.

The Commissioner may also make inquiries or offer advice and guidance in response to notifications. In deciding whether to make inquiries or offer advice and guidance in response to a notification, the Commissioner may consider the type and sensitivity of the personal information, the numbers of individuals potentially at risk of serious harm, and the extent to which the notification statement and any additional supporting information provided demonstrate that:

  • the data breach has been contained or is in the process of being contained where feasible
  • the notifying entity has taken, or is taking, reasonable steps to mitigate the impact of the breach on the individuals at risk of serious harm
  • the entity has taken, or is taking, reasonable steps to minimise the likelihood of a similar breach occurring again.

The Commissioner may also decide to take regulatory action on the Commissioner’s own initiative in response to a notification, or series of notifications, if this indicates a serious or systemic breach of the Privacy Act. In deciding whether to take regulatory action, the Commissioner will have regard to the OAIC’s Privacy regulatory action policy and Guide to privacy regulatory action. However, the Commissioner’s priority when responding to notifications is to provide guidance to the entity and to assist individuals at risk of serious harm.

Enforcing compliance with the scheme

The Commissioner has a number of enforcement powers to ensure that entities meet their obligations under the scheme. A failure to meet any of the following requirements of the scheme is an interference with the privacy of an individual (s 13(4A)):

  • conduct a reasonable and expeditious assessment of a suspected eligible data breach (s 26WH(2))
  • prepare a statement about the data breach, and give a copy to the Commissioner, as soon as practicable (s 26WK(2))
  • notify the contents of the statement to individuals at risk of serious harm (or, in certain circumstances, publish the statement) as soon as practicable (s 26WL(3))
  • comply with a direction from the Commissioner to notify as soon as practicable (s 26WR(10)).

The enforcement powers available to the Commissioner in response to an interference with privacy, which range from less serious to more serious regulatory action, include powers to:

  • accept an enforceable undertaking (s 33E) and bring proceedings to enforce an enforceable undertaking (s 33F)
  • make a determination (s 52) and bring proceedings to enforce a determination (ss 55A and 62)
  • seek an injunction to prevent ongoing activity or a recurrence (s 98)
  • apply to court for a civil penalty order for a breach of a civil penalty provision (s 80W), which includes any serious or repeated interference with privacy.

The Commissioner is also required, in most circumstances, to investigate a complaint made by an individual about an interference with the individual’s privacy (s 36), which would include a failure to notify an individual at risk of serious harm of an eligible data breach where required to do so.

In deciding when to exercise enforcement powers in relation to a contravention of the NDB scheme, the Commissioner will have regard to the OAIC’s Privacy Regulatory Action Policy.

The preferred approach of the Commissioner is to work with entities to encourage and facilitate voluntary compliance with an entity’s obligations under the Privacy Act before taking enforcement action.

The Commissioner acknowledges that it will take time for all regulated entities to become familiar with the requirements of the NDB scheme. During the first 12 months of the scheme’s operation, the Commissioner’s primary focus will be on working with entities to ensure that they understand the new requirements and are working in good faith to implement them.

Other powers and functions under the scheme

Direction to notify (s 26WR)

The Commissioner can direct an entity to notify the Commissioner and individuals at risk of serious harm about an eligible data breach in certain circumstances.

Before directing an entity to notify, the Commissioner will usually ask the entity to agree to notify. This might happen if a data breach comes to the attention of the Commissioner but has not come to the attention of the relevant entity, or if the Commissioner does not agree with an entity’s initial view about whether a data breach triggers an obligation to notify.

If the Commissioner and the entity cannot agree about whether notification should occur, the Commissioner will give the entity an opportunity to make a formal submission about why notification is not required, or if notification is required, on what terms. The Commissioner will consider the submission and any other relevant information before deciding whether to direct the entity to notify under s 26WR.

Declaration that notification need not be made, or that notification be delayed (s 26WQ)

The Commissioner may declare that notification of a particular data breach is not required (s 26WQ(1)(c)). The Commissioner may also modify the period in which notification needs to occur (s 26WQ(1)(d)).

The Commissioner cannot make a declaration under s 26WQ unless satisfied that it is reasonable in the circumstances to do so, having regard to the public interest, relevant advice received from an enforcement body or the Australian Signals Directorate, and any other relevant matter. While the Commissioner is empowered to make a declaration if it is ‘reasonable in the circumstances to do so’, the Commissioner still has discretion about whether to make a declaration, and on what terms.

In deciding whether to make a declaration, and on what terms, the Commissioner will have regard to the objectives of the Privacy Act and other relevant matters. The Commissioner will consider whether the risks associated with notifying of a particular data breach outweigh the benefits of notification to individuals at risk of serious harm.

Given the clear objective of the scheme to promote notification of eligible data breaches, and the inclusion of exceptions in the scheme that remove the need to notify in a wide range of circumstances, the Commissioner expects that declarations under s 26WQ will be limited to exceptional cases.

An entity applying for a declaration will be expected to make a well-reasoned and convincing case detailing how the data breach is an eligible data breach, why any relevant exceptions do not apply, and why notification should not occur or should be delayed. The entity should provide detailed evidence or information in support of its application.

Advice, guidance, and community information

The Commissioner provides general information to the community about the Privacy Act, including the NDB scheme, via its public enquiries service and on its website.

The Commissioner is developing a range of guidance material that will be published on the OAIC’s website to help entities comply with the scheme.

However, the Commissioner will not be able to provide detailed advice about the application of the scheme to specific data breaches. Entities will need to seek their own legal advice.

The Commissioner intends to provide information to the community about the operation of the scheme.

Data breach incidents

9.1The OAIC administers a Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.

9.2 Under Part IIIC, entities that have information security obligations under the Privacy Act must generally notify the Australian Information Commissioner (the Commissioner), and individuals whose information was involved, about eligible data breaches (ss 26WK and 26WL).

9.3 The Commissioner has the following functions under the scheme:

  • promoting compliance with the scheme
  • receiving notifications from entities
  • directing an entity to notify under s 26WR
  • declaring that notification need not be made, or that notification be delayed under s 26WQ
  • offering advice and guidance to regulated entities, and providing information to the community about the operation of the scheme.

Promoting compliance with the scheme

9.4 Section 13(4A) provides that if an entity contravenes any of the following requirements of the NDB scheme, the contravention is taken to be an act that is an interference with the privacy of an individual, subject to possible enforcement action:

  • carry out an assessment of a suspected eligible data breach (s 26WH(2))
  • prepare a statement about the eligible data breach, and give a copy to the Commissioner as soon as practicable (s 26WK(2))
  • notify the contents of the statement to individuals whose personal information was involved in the eligible data breach (or, in certain circumstances, publish the statement) as soon as practicable (s 26WL(3))
  • comply with a direction from the Commissioner to notify the eligible data breach (s 26WR(10)).

9.5 The Commissioner’s preferred approach is to work with entities to encourage and facilitate voluntary compliance with an entity’s obligations under the NDB scheme before taking enforcement action in relation to any interferences with privacy. The OAIC has developed guidance about the NDB scheme to assist entities.

9.6 The Commissioner may, on the Commissioner’s own initiative, investigate an act or practice that may be an interference with privacy where the Commissioner thinks it is desirable to do so (s 40(2)). The Commissioner must also investigate complaints made by individuals where an act or practice may be an interference with the privacy of the individual (s 40(1)).

9.7 Where the Commissioner has identified an interference with privacy, there are a number of enforcement powers available to the Commissioner, ranging from less serious to more serious regulatory action depending on the relevant factors. These include powers to:

  • accept an enforceable undertaking (s 33E) and bring proceedings to enforce an enforceable undertaking (s 33F)
  • make a determination (s 52) and bring proceedings to enforce a determination (ss 55A and 62)
  • seek an injunction to prevent ongoing activity or a recurrence (s 98)
  • apply to a court for a civil penalty order for a breach of a civil penalty provision (s 80W), which includes serious or repeated interferences with privacy.

9.8 In deciding whether an investigation or enforcement action is appropriate in the circumstances, the Commissioner will act in accordance with the OAIC’s Privacy regulatory action policy.

Receipt of notifications

9.9 The Commissioner will acknowledge receipt of all data breach notifications.

9.10 The Commissioner may or may not take any action in response to a data breach notification. The Commissioner will decide which notifications to respond to depending on available resources, and the Commissioner’s evaluation of the extent to which taking action in response to the notification will further the objects of the Privacy Act.

9.11 Some notifications may point to a possible interference with privacy. Under s 42, the Commissioner may make preliminary inquiries to determine whether to investigate an act or practice that may be an interference with privacy, where there has been a complaint or on the Commissioner’s own initiative. In deciding whether to make preliminary inquiries or offer advice and guidance in response to a notification, the Commissioner may consider:

  • the type and sensitivity of the personal information involved
  • the numbers of individuals potentially at risk of serious harm
  • whether the data breach has been contained or is in the process of being contained where feasible
  • steps the notifying entity has taken, or is taking, to mitigate the impact on individuals at risk of serious harm
  • measures that the entity has taken, or is taking, to minimise the likelihood of a similar breach occurring again.

9.12 The Commissioner may also inquire about the incident to determine whether the OAIC can provide assistance to the entity, such as best practice advice on data breach responses and the future prevention of similar incidents.

Declaration of Commissioner – exception to notification (s 26WQ)

9.13 The Commissioner may declare that an entity does not need to comply with the notification requirements in the NDB scheme in relation to an eligible data breach. Under s 26WQ the Commissioner may give written notice declaring that a statement to the Commissioner (under s 26WK) and notification to individuals (under s 26WL) is not required, or that notification to individuals is delayed for a specified period.

9.14 The Commissioner must not make a declaration unless satisfied that it is reasonable in the circumstances to do so, having regard to:

  • the public interest (s 26WQ(3)(a))
  • any relevant advice given to the Commissioner by an enforcement body or the Australian Signals Directorate (ASD) (s 26WQ(3)(b)), and
  • such other matters (if any) as the Commissioner considers relevant (s 26WQ(3)(c)).

9.15 An entity that is considering applying to the Commissioner for a s 26WQ declaration should do so as soon as practicable after the entity is aware that there are reasonable grounds to believe an eligible data breach has occurred.

9.16 In deciding whether to make a declaration, and on what terms, the Commissioner will have regard to the objects of the Privacy Act and other relevant matters. The Commissioner will consider whether the risks associated with notifying of a particular data breach outweigh the benefits of notification to individuals at risk of serious harm.

9.17 Given the clear objective of the scheme to promote notification of eligible data breaches, and the inclusion of exceptions in the scheme that remove the need to notify in a wide range of circumstances, the Commissioner expects that declarations under s 26WQ will only be made in exceptional cases and only after a compelling case has been put forward by the entity seeking the declaration.

Applying for a s 26WQ declaration

9.18 An entity considering making an application under s 26WQ should contact the OAIC in the first instance to discuss its intention.

9.19 If the entity decides to make an application, it should provide the following information and documents to the OAIC:

  • a detailed description of the data breach
  • a statement outlining the entity’s reasons for seeking a s 26WQ notice
  • a draft notice setting out the terms that it believes should be included in the notice issued by the Commissioner
  • relevant supporting documents and evidence (including, if applicable, relevant advice from an enforcement body or the ASD)
  • contact details of an employee or representative of the entity.

9.20 The onus is on the entity to demonstrate to the Commissioner that it is appropriate for the Commissioner to make a declaration. As such, the entity applying for a declaration will be expected to make a well-reasoned and compelling case detailing how the data breach is an eligible data breach, why any relevant exceptions do not apply, and why notification should not occur or should be delayed. The entity should provide detailed evidence or information in support of its application.

9.21 The Commissioner may seek further information from the entity or third parties. However, given the time critical nature of data breach notifications, the entity may not have a further opportunity to provide evidence or submissions to the OAIC before the Commissioner makes a decision on the application. As such, the entity should include all relevant information in its written application.

9.22 In considering whether to make a declaration, the Commissioner will have regard to relevant factors which may include:

  • the objects in s 2A of the Privacy Act
  • the purposes of the NDB scheme, which include enabling individuals to take steps to protect themselves from serious harm arising from a data breach
  • the circumstances of the eligible data breach
  • the extent to which notification will cause harm to particular groups or to the community at large
  • the extent to which benefits of notification will be lost or diminished if notification does not occur or is delayed
  • whether advice from an enforcement body or the ASD indicates that notification would be contrary to the public interest in the effective conduct of enforcement related activities and national security matters
  • whether the entity responsible for the eligible data breach has been the subject of prior compliance or regulatory enforcement action by the OAIC, and the outcome of that action
  • whether the eligible data breach is an isolated instance, or whether it indicates a potential systemic issue (either within the entity concerned or within an industry) or an increasing issue which may pose ongoing compliance or enforcement issues
  • such other matters as the Commissioner considers relevant.

9.23 After considering the application, the Commissioner will make one of the following decisions:

  • a declaration that notification does not need to occur
  • a declaration that notification can be delayed (either for the period proposed by the applicant, or another period selected by the Commissioner)
  • a refusal of the application.

9.24 Where the Commissioner refuses a declaration, the Commissioner will give written notice of the refusal (s 26WQ(7)).

9.25 Decisions by the Commissioner under s 26WQ are reviewable by the Administrative Appeals Tribunal (AAT). An application for review by the AAT may be made by the entity that made the application for the declaration, or another entity whose obligations under the NDB scheme are affected by the declaration.

Direction of Commissioner – requiring notification (s 26WR)

9.26 The Commissioner may direct an entity to:

  • prepare a statement about the eligible data breach
  • give a copy of the statement to the Commissioner, and
  • notify individuals about the eligible data breach.

9.27 In deciding whether to give a direction to an entity under s 26WR(1), the Commissioner must consider:

  • any relevant advice given to the Commissioner by an enforcement body or the ASD (s 26WR(6)(a))
  • any relevant submission made by the entity (s 26WR(6)(b))
  • such other matters (if any) as the Commissioner considers relevant (s 26WR(6)(c)).

9.28 Under s 26WR(5), a direction by the Commissioner may require an entity to include specified information about the eligible data breach, in addition to the information required in a statement prepared for the Commissioner under s 26WR(4).

9.29 The specified information that relates to an eligible data breach is likely to be information that the Commissioner considers would assist individuals to take appropriate action in response to the eligible data breach. Examples could include:

  • information about the risk of harm to individuals that the Commissioner considers exists as a result of the eligible data breach
  • recommendations about steps the Commissioner considers individuals should take in response to the eligible data breach
  • information about complaint mechanisms available under the Privacy Act to individuals affected by the eligible data breach
  • other specified information relating to the eligible data breach that the Commissioner considers reasonable and appropriate in the circumstances to include in the statement.

Process for making a s 26WR direction

9.30 Before directing an entity to notify, the Commissioner will usually ask the entity to agree to notify voluntarily.

9.31 If the Commissioner and the entity cannot agree about whether notification should occur, the Commissioner will formally invite the entity to make a submission about the direction under consideration, within a specified period (s 26WR(3)). The form of the invitation, and the period of time specified in the invitation for the entity to respond, will be for the Commissioner to determine depending on the particular circumstances. In deciding the form and period of time to respond, the Commissioner will have regard to the impact on the entity and the nature and imminence of the risk of harm to individuals who would receive notification of the eligible data breach the Commissioner has reasonable grounds to believe has happened.

9.32 The Commissioner will consider submissions and any other relevant information provided by the entity before deciding whether to direct the entity to notify under s 26WR.

9.33 The Commissioner’s decision will be communicated to the entity in writing. Entities can apply to the AAT for review of a decision by the Commissioner under s 26WR(1) to make a direction.

9.34 An entity must comply with a direction made under s 26WR(1) as soon as practicable (s 26WR(10)). Contravention of s 26WR(10) is an interference with the privacy of an individual (s 13(4A)).

Publication and disclosure of information

9.35 The OAIC will publish statistics in connection with the NDB scheme, with a view to reviewing this approach 12 months after the scheme’s commencement.

9.36 The OAIC will respect the confidence of commercially or operationally sensitive information that is provided voluntarily in support of a data breach notification.

9.37 As a matter of course, the Commissioner will consult with entities following a request for information made under FOI law. For FOI requests relating to agencies, the Commissioner will offer to transfer requests to the agency in question.

9.38 Decisions about public communications will be made in accordance with the considerations set out in the ‘Public communication as part of privacy regulatory action’ section of the Privacy regulatory action policy.

 

 

 

Leave a Reply