McKinley Plowman’s Guide to the Notifiable Data Breach Scheme
When you run a business that deals with the personal information of clients or customers, you are expected to maintain the security of that data to ensure it doesn’t fall into the wrong hands. Similarly, your clients understandably expect that their sensitive information will be well protected and only accessed by those who are supposed to.
So when a “data breach” occurs, this can cause concern for all involved.
What is a data breach?
A data breach is the release of confidential personal information or documents. The sort of documents can include, for example, tax file information; bank statements; credit card details; health records or even addresses and phone numbers. Quite often data breaches are inadvertent, however are breaches nonetheless and are subject to the new regime.
What is the Notifiable Data Breach Scheme, and who will be bound by it?
As you might anticipate, clients and customers who trust a business or organisation with their personal information would expect that they would be notified of any serious breach of their privacy. The Australian government will, on February 22rd, introduce the Notifiable Data Breach (NDB) scheme, which will affect businesses that:
- Have an annual turnover of $3 million or more;
- Those who have opted-in to the Privacy Act;
- Those related to another business covered under the privacy act; or
- Deal with health records, credit information, Tax File Numbers, or information contained on the Personal Property Securities Register (including gyms, educational organisations, health services providers etc.)
What you need to do
The first, and most obvious thing that comes to mind when thinking about a leak in information is to report the breach to anyone in your database who may be affected. While this still needs to be done in such an event, organisations will now need to report all breaches, and will be required to proactively implement measures to mitigate the risk of such breaches occurring in the first place.
Data Breach Risk Assessment
Carrying out a data breach risk assessment is a good place to start, and this should include:
- Recording how personal information flows into and out of your business
- What information you gather
- What information you provide to third parties
- Where private information is stored
- Systems involved and where they store data (keeping in mind cloud-based storage may be held in other countries)
- What level of security is provided
- Access levels of team members
- How private information is used (and who uses it) in each stage of the business life cycle
- Possible impact on an individual’s privacy
Data Breach Response Plan
Having a comprehensive Serious Data Breach Response Plan is mandatory and crucial in ensuring that any breaches are neutralised, or at least reduced, in order to minimise impact on customers.
Such a plan includes:
- Actions required if a breach is suspected or discovered
- When the issue is to be raised to the response team
- Members of the response team
- Actions they are required to take
A sample breach response plan is available from the Office of the Australia Information Commissioner.
How do you identify a serious breach?
A serious breach has occurred when there is unauthorised access to (or disclosure of) personal information, or a loss of the information that your business holds. Defining it is not necessarily all-encompassing for every business, but can usually be identified if said loss could result in physical, psychological, emotional, financial or reputational harm; or is information that could lead to identity theft, financial loss, threats to safety, job loss or other negative outcomes.
Do you have to report it?
Yes. Any breach should be reported, regardless of whether or not it is regarded as “serious”, and your business must take reasonable and expeditious action. Under the NDB scheme, you have 30 days to assess and respond, however the first 24 hours after the breach is crucial. Importantly, ignorance is NOT a defence. Under the Privacy Act, business are required to take all reasonable steps to ensure the protection of people’s personal information.
The Office of the Australian Information Commissioner has compiled a very informative page at https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme which outlines a range of important considerations in the NDB Scheme including who it affects, how to notify and additional resources.
New Data Breach Laws Come Into Effect. (2018). Your Knowledge, (February 2018).
Thinking about becoming a client?
Book your free, no obligation consultation right now via our online booking system or get in touch to find out more.
Already a client and want to get in touch?
Send us an email via our enquiry form or give us a call today.