Data breaches are commonplace in an increasingly digital world, and their consequences are about to become significant for thousands of organisations across Australia. New laws that came into effect on 22 February 2018 require various companies to notify affected individuals and the Government if they believe a data breach has occurred within their IT systems that has compromised personal information.
Recent high profile data breaches include the theft of personal information of reportedly 57 million Uber customers and the 2016 admission by the Australian Red Cross Blood Service that the personal information of 500,000 Australian blood donors might have been compromised.
Here’s what organisations need to know about the new laws coming into effect.
What is it?
Australia’s new mandatory data breach reporting laws introduce the Notifiable Data Breaches (NDB) scheme making it mandatory for various organisations to notify individuals and the Office of the Australian Information Commissioner (OAIC) when a relevant data breach occurs. The scheme supplements Australian Privacy Principle 11 which relates to the security of personal information.
When does the scheme commence?
The NDB scheme came into effect on 22 February 2018 and does not operate retrospectively.
Who does it apply to?
These new laws will have significant implications for relevant organisations with turnovers of more than $3 million per annum.
Any agency or organisation already subject to the Privacy Act 1988 (Cth) is captured by the new regulations – that means businesses and not-for-profit organisations, health service providers and more.
Those with turnover of less than $3 million a year may also be affected if they meet certain criteria, for example if they operate a residential tenancy database, trade in personal information or are employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009 (Cth), to name a few.
What are the new obligations?
If a relevant organisation suspects that an eligible data breach has occurred, it must take reasonable steps to complete a reasonable and expeditious assessment within 30 days.
If it is determined that an eligible data breach has occurred, the organisation must then do the following as soon as practicable:
- Prepare a statement containing the organisation’s contact details, a description of the eligible data breach, the kinds of information concerned and the steps the organisation recommends affected individuals take to mitigate any harm arising from the breach;
- Alert the OAIC and provide it with a copy of the statement via the OAIC’s online notification form;
- Notify the individuals to whom the personal information relates where the data breach is likely to result in serious harm to them.
What is an eligible data breach?
An eligible data breach is one in which there is unauthorised access, unauthorised disclosure or loss of personal information held by an entity and that access, disclosure or loss is, from the perspective of a reasonable person, likely (more probable than not) to result in serious harm to any of the individuals to whom the information relates. A “reasonable person” is interpreted as a person in the organisation’s position who is properly informed as to the data breach and not from the perspective of a person whose personal information was potentially compromised.
Examples of an eligible data breach may include the hacking of a database containing personal information or personal information that is mistakenly provided to the wrong person. Although the phrase “serious harm” is not defined in the legislation, the OAIC has suggested it may include serious physical, psychological, emotional, financial or reputational harm. Factors to be considered include the kind of information, its sensitivity, the persons who have obtained or could obtain access to the information, and the nature of the harm.
What if I fail to report?
If an organisation fails to report an eligible data breach then civil penalties as high as $360,000 for individuals and $1.8 million for organisations can be applied.
For those affected, the release of personal names, email addresses and phone numbers may leave them susceptible to phishing attacks. Information such as driver’s licence numbers and bank account details could lead to fraud, identity theft and money laundering.
Failure to notify affected individuals could also result in complaints to the OAIC against the organisation.
How often do data breaches occur?
In 2017 it was reported that more than 1 in 10 Australians potentially had personal information stolen in a security breach that ride-sharing company Uber allegedly covered up for over a year. Uber revealed that in late 2016 the personal information of a staggering 57 million customers and drivers (including names, email addresses and mobile phone numbers) had been compromised in a data theft, and that the company paid US$100,000 to the perpetrators to delete the stolen data. It was not until November 2017 that Uber notified the Privacy Commissioner.
How can you prepare your business?
- Firstly, determine whether your business or organisation is subject to the NDB scheme.
- Prevention is the best defence. Consult the Information Commissioner’s Guide to securing personal information. Be aware of how personal information is stored and managed, and take any necessary steps to implement adequate security measures.
- Have in place an up-to-date data breach response plan. The Information Commissioner has an excellent guide to help prepare such a plan.
- Ensure relevant personnel are trained to understand the NDB scheme, including how to identify when an eligible data breach has occurred and what the organisation’s policies and procedures are for responding to such a breach.
- Seek legal advice at any step along the way to ensure that you are fully aware of your obligations.
Red Cross Blood Service admits to personal data breach affecting half a million donors – ABC News 28 October 2016
This article was updated on 22 February 2018.