What are your organisation’s reporting requirements in relation to data breaches? Are you prepared to respond quickly in the event of a breach?

Australia’s Notifiable Data Breaches scheme was established by the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 by Federal Parliament, and came into effect in February 2018. The scheme adds to the responsibilities of organisations handling personal information, by introducing obligations to notify the regulator, and individuals affected, of certain breaches of information privacy.

This material provides general information which is current at the time of publication. The contents do not constitute legal advice and should not be relied upon as such. Formal legal or other professional advice should be sought where required.

Significant risk of data breaches

The collection of personal information is essential for effective provision of health, community, education and other services. However, much of the information gathered can be sensitive, including highly personal details of health and wellbeing matters, family and relationship situations, safety risks, or information about other vulnerabilities. Inadvertent or malicious exposure of this information can lead to significant harm to those whom it concerns.

Data breaches can occur through a variety of means. Malicious attack, including the targeting of health information by hackers, is a growing concern. However, in many cases data breaches occur through human error, ranging from misplaced paperwork, USB sticks or laptops, to the sending of personal information to the wrong recipient.

The Office of the Australian Information Commissioner (OAIC) reports for the March and June 2018 quarters show that more data breaches were reported by health service providers than by any other sector.[1]

This echoes trends in other jurisdictions such as the UK and US, in which health care data breaches have affected the personal records of many millions of patients and service users.[2]

Who is in scope for the scheme?

The Notifiable Data Breaches scheme applies to agencies and organisations (‘entities’) that fall within the scope of the Privacy Act 1988 (Cth).

This includes Australian Government agencies, and businesses and not-for-profit organisations that have an annual turnover of more than $3 million.

Organisations that provide a health service and hold health information about individuals are in scope, regardless of turnover. For the purposes of the Privacy Act, health services have quite a broad interpretation and include any activity that involves assessing, maintaining, improving or managing a person’s physical or psychological health, or diagnosing or treating a person’s illness or disability.

Which breaches does the scheme apply to?

The Notifiable Data Breaches scheme imposes notification requirements in relation to ‘eligible data breaches’. An eligible data breach arises when:

  1. There is unauthorised access to, disclosure or loss of personal information held by an entity;
  2. This is likely to result in serious harm to one or more individuals; and
  3. The entity has been unable to prevent the likely risk of serious harm through remedial action.

Serious harm may include serious physical, psychological, emotional, financial, or reputational harm. The scheme recognises a higher risk of harm in relation to certain types of information, including sensitive information (such as health information), documents commonly used for identity fraud, and financial information.

Matters that can affect the estimation of risk include the number of individuals whose information was involved and how vulnerable they are, the duration of access, and whether the information was adequately encrypted or anonymised, among other considerations.

Obligations if a potential breach is identified

If an agency or organisation in scope for the scheme suspects that a data breach may have occurred, it must assess the situation to determine whether or not there has been an eligible data breach. The assessment must be undertaken promptly and reasonably. A maximum of 30 calendar days is provided; however, assessments should be completed as swiftly as possible.

If an agency or organisation is aware of reasonable grounds to believe that there has been an eligible data breach – whether as a result of conducting an assessment, or through other channels – then the scheme’s notification obligations apply. The entity must:

  • Notify individuals who are at likely risk of serious harm. Depending on the circumstances and the practicality of identifying and contacting those affected, the entity may notify all individuals affected, notify those assessed to be at serious risk, or publish a general notification on its website and publicise this notification.
  • Notify the Office of the Australian Information Commissioner as soon as practicable through a statement about the breach. The statement can be lodged using the OAIC’s online form.

Notifications under the scheme must contain certain information, including the identity and contact details of the entity, a description of the breach, the kind(s) of information concerned, and recommendations about steps that individuals should take in response to the breach.

At any time when a data breach is suspected or confirmed, the agency or organisation involved should take steps to contain the breach where possible, to prevent further unauthorised access to information, and to reduce any potential harm to individuals resulting from the breach. Depending on circumstances this could involve a variety of responses ranging from deleting malware or preventing network access, to requesting those who have inadvertently received copies of sensitive information to delete it.

If remedial action is successful in making serious harm unlikely, then notification is not required.

Recommended actions for entities who fall under the scheme

Does your agency or organisation fall within the scope of the Notifiable Data Breaches scheme? If so, then there are two important steps which should be taken to help ensure your compliance with the legislation.

1. Update your information privacy policy and procedures

... to ensure that they reflect the requirements of the scheme. This involves developing an appropriate process for responding to suspected or confirmed data breaches, building the skills and knowledge to implement this process effectively, and informing relevant staff about these systems and their responsibilities under the scheme.

2. Review your information security arrangements

... to reduce the risk of a data breach occurring. This should be a regular part of monitoring compliance with privacy legislation, and is particularly important when introducing new organisational processes or systems.

Assess the types of information collected, and the ways in which they are handled, stored and used, in order to identify areas of risk. Review application security and network security arrangements and use encryption wherever possible for information both at rest and in transit. Ensure that staff are trained and regularly updated on information security requirements, and audit systems to detect any non-compliance.

When it comes to data breaches, it’s definitely worth investing in prevention. However, every system has weaknesses, and human error can’t be eliminated entirely. A comprehensive strategy covering both prevention and post-breach response is therefore the preferred approach.

Notes

Further information and assistance

Lirata Consulting assists organisations to review their processes and policies to ensure that they are compliant with Privacy legislation. We can provide expert advice on development and review of privacy policies and procedures, and on information security arrangements that minimise the risk of data breaches.

For further information or assistance, please contact Mark Planigale at Lirata Consulting.

Mobile: +61 (0)429 136 596
Landline: +61 (0)3 9457 2547

Download

Privacy update: Managing the risk of data breaches (PDF 228 KB)

Related articles

Australian Privacy Principles - Make Sure You're Compliant

External resources

The key resource is the website of the Office of the Australian Information Commissioner, which includes a series of detailed guides on all aspects of the Notifiable Data Breaches scheme: