FAQ: What your business needs to know about the Notifiable Data Breaches Scheme

31 March 2019

The ‘notifiable data breaches’ scheme (NDB scheme) came into effect in Australia on 22 February 2018. It applies to businesses operating in Australia. For easy reference, here is a short list of Q&A to give you more insight into the NDB scheme and how it might impact your business.

1. What is the NDB scheme?

The NDB scheme introduces the compulsory requirement for businesses with existing obligations under the Australian Privacy Act 1988 (Cth) (Privacy Act) to notify affected individuals and the Australian Information Commissioner (AIC) about a data breach that is likely to result in serious harm.

2. Which businesses are required to comply with the NDB scheme?

Businesses that are obliged to comply with the Privacy Act will need to also comply with the NDB scheme.

Your business will need to comply with the Privacy Act if it:

(a) has an annual turnover of more than $3m; or

(b) is a credit reporting body; or

(c) is a health service provider; or

(d) is a recipient of tax file numbers.

Regardless of the above, if your business has voluntarily opted into the Privacy Act, then it will also need to comply with the NDB scheme.

3. Which data breaches require notification?

The NDB scheme applies to ‘eligible data breaches’ – these are breaches involving personal information that are likely to result in serious harm to any individual affected.

4. When is a data breach considered an ‘eligible data breach’?

A data breach will be considered an ‘eligible data breach’ when the following three criteria are met:

First requirement. There has been:

(a) loss of personal information; or

(b) unauthorised access to personal information; or

(c) unauthorised disclosure of personal information,

held by a business.

Second requirement. The loss, unauthorised access or disclosure is likely to cause serious harm to a person.

Third requirement. The business has not been able to prevent the likely risk of serious harm through remedial action.

5. When is serious harm likely?

The test is whether, from the perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach.

A ‘reasonable person’ is a person in the business’s position who is properly informed, based on information immediately available or following reasonable enquiries about the circumstances of each individual whose information is involved in the breach.

The phrase ‘likely to result’ means the risk of serious harm to an individual is more probable than not.

‘Serious harm’ is not defined in the Privacy Act. It can be subjective and depends on the type of data compromised. It could include psychological, emotional, physical, reputational or financial harm.

6. What should a business do in case of a suspected eligible data breach?

The business must undertake a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm to any individual. The business must take all reasonable steps to complete the assessment within 30 calendar days after becoming aware of the grounds that caused it to suspect an eligible data breach has occurred.

If the business has reasonable grounds to believe an eligible data breach has occurred, it must promptly notify the individuals at likely risk of serious harm. The business should also notify the AIC using the Notifiable Data Breach form.

If the business does not have up-to-date contact details for the affected individuals, then it must publish a statement on its website (if it has one) and take reasonable steps to publicise the contents of the statement. The AIC expects such a statement to remain readily accessible on the business’s website for at least 6 months. Details of what to include in the statement can be found here.

7. What is the consequence of failure to comply with the NDB scheme?

Failure to comply with the NDB scheme can attract fines up to $2.1 million.

8. What can your business do to manage data breaches?

You should understand any arrangement in which your business discloses or receives personal information so that you can seek control over determining whether an eligible data breach has occurred.

Ideally, businesses should prepare a data breach response plan. This plan should clearly explain what constitutes a data breach; the actions that will be taken in the event of a data breach or a suspected data breach; the roles and responsibilities of staff members; and how data breach incidents will be recorded. Further details of what can be included in a data breach response plan can be found here.

Want to find out more?

For more information on how to be compliant, contact us at enquiries@flowlegal.com.au.