As of 22 February 2018, the NDB introduced new obligations for organisations that experience an ‘eligible’ data breach likely to result in serious harm.
Where an eligible breach has occurred, organisations are obliged to alert individuals whose personal information is involved and to inform these individuals of the steps they should take in response to the data breach.
Organisations can lodge their statement about an eligible data breach to the Office of the Australian Information Commissioner (“OAIC”) through the Notifiable Data Breach Statement Form, which can be found by clicking on this link.
Who does the NDB scheme apply to?
Any agencies and organisations that the Act requires to take steps to secure certain categories of personal information will be captured by the NDB scheme. This includes:
Australian Government agencies;
businesses and not-for-profit organisations with an annual turnover of $3 million or more;
credit reporting bodies;
health service providers;
TFN recipients; and
other agencies and organisations.
Small Business Operators (i.e. entities which have an annual turnover of less than AU$3 million) are generally exempt from the Privacy Act. However, there are a number of circumstances where your small business will have obligations under the Privacy Act, including the NDB scheme. These circumstances include:
where your business is a related entity of an entity which has an annual turnover of more than AU$3 million; or
your business falls within the definition of a “credit provider” under the Act.
There are other circumstances in which a small business may be subject to the Act. Assessing whether that includes your organisation is an important part of your compliance obligations and if you are unsure, you should seek legal advice.
Small businesses may also opt-in to the Australian Privacy Principles (APP), in which case the NDB scheme will apply.
An entity that has disclosed personal information to an overseas recipient will in most circumstances be accountable for any ‘eligible data breach’ by the overseas entity, even if the ‘eligible data breach’ occurred offshore.
Which data breaches require notification?
An eligible data breach arises when the following criteria are met:
there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
this is likely to result in serious harm to one or more individuals; and
the entity has not been able to prevent the likely risk of serious harm with remedial action.
However, there are some exceptions which may mean notification is not required for certain eligible data breaches.
The OAIC has also provided guidelines on the new scheme.
How to notify the Australian Information Commissioner (“Commissioner”)
If an agency or organisation has reasonable grounds to believe an eligible data breach has occurred, it must alert individuals at risk of serious harm as soon as practicable. The Commissioner must also be promptly notified through a statement about the eligible data breach. If an entity is unsure whether a data breach meets the criteria of an eligible data breach, the entity has 30 days to conduct an assessment.
When notifying the affected individuals and the Commissioner, the following information must be included:
the identity and contact details of the organisation;
a description of the data breach;
the kinds of information concerned; and
steps outlining how individuals should respond to the data breach.
Impact for Directors
The NDB scheme places a greater onus on directors to oversee cybersecurity. Organisations should have a robust cybersecurity framework in place to identify the information to be protected, protect the information and ensure the company is able to detect, respond and recover from a data breach. Directors and officers of companies must have a thorough understanding of a company’s cybersecurity systems and take responsibility to ensure that those systems operate effectively.
Effective corporate governance involves active engagement by directors and the board in managing cyber risks. ASIC has encouraged directors to consider:
how cyber risks impact on their directors’ duties and annual director report disclosure requirements;
whether they have appropriate board-level oversight of cyber risks and cyber resilience, particularly where data is shared with third parties; and
whether cyber risks have been incorporated into the company’s governance and risk management practices and what controls and measures exist for managing these risks.
It is also prudent for directors to:
monitor compliance with IT and data security policies and regularly test and update systems in place to address any cyber risks;
educate themselves on the nature and possible consequences of cyber risks that are applicable to their company; and
engage a cybersecurity expert to review cyber resilience and consult if an incident occurs.
If a company is wilfully negligent about securing information, directors may be personally liable for failing to act in the company’s best interests. Directors are provided with a ‘safe harbour’ for informed, rational business decisions made in good faith and in the best interests of the company. However, a challenging aspect for directors is understanding what will amount to serious harm and what will constitute reasonable controls over information.
Where a company is covered by the Act, directors should consider the implications of a possible data breach and make informed decisions in relation to the company’s cybersecurity framework in order to avoid personal liability.
Cowell Clarke has a number of privacy documents which are compliant with the new NDB regime including privacy policies and compliance plans. For more information regarding NDB please do not hesitate to contact Megan Jongebloed or Anna Lacey from Cowell Clarke.