Notifiable Data Breaches scheme – do you know when you need to notify?

The Commonwealth Notifiable Data Breaches (NDB) scheme has now been in place for over 18 months and has been widely publicised. Your organisation should be aware of its obligations and have a data breach response plan in place so that quick action can be taken if a breach occurs or is suspected to have occurred.

What sort of breaches need to be notified? Do you know when you need to take action and assess a breach or notify the Privacy Commissioner and affected individuals?

The answers to these questions are not black and white. Using some examples, we explain some of the factors that should be considered when assessing a breach or suspected breach. In each situation, the organisation will need to act quickly to determine whether an eligible data breach has occurred and whether notification is required.

Key Concepts

• Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable (eg name, address, email address, credit card information)
• Sensitive information includes information or an opinion about an individual’s race, political opinions, religious beliefs, membership of a professional or trade association, sexual orientation that is also personal information, and health and genetic information about an individual
• Generally speaking, both entities (business) that turnover more than $3 million and government agencies are required to comply with the NDB scheme, but entities with a lower turnover may also be required to comply, including if they
  • provide a health service;
  • are related to an organisation that has a turnover of more than $3 million;
  • provide services to the Commonwealth under a contract;
  • trade in personal information; or
  • are a credit reporting body.
• Reporting is required if:

1. 1. there is unauthorised access to or disclosure of personal information held by an organisation or agency that is required to comply with the NDB scheme, or if information is lost in circumstances where unauthorised access or disclosure is likely (a breach);
   2.  one or more of the individuals are likely to suffer serious harm as a result of the breach; and
   3. despite the remedial action taken by the entity, they have not been able to prevent the likely risk of serious harm.

Example one – lost client files

A staff member of a national logistics company loses a USB stick containing client’ personal information on the train on their way home from work. The USB contains a spreadsheet that has names of clients and managers at corporate clients, the mobile telephone number of each person, and payment information for clients.

In this case, personal information of several individuals has been lost. As a first step, a risk assessment should be undertaken, including an assessment of the following:

• What type of information is contained on the USB stick?
• Has the information been accessed, or is it capable of being accessed, by an unauthorised person?
• Are the individuals at risk of identity theft causing financial loss or emotional or psychological harm?
• Is there a risk of financial fraud including unauthorised credit card transactions or credit fraud?

Depending on the results of the initial assessment conducted by the organisation, the breach may be subject to the NDB scheme and may need to be notified. However, if the information is lost in circumstances where subsequent authorised access or disclosure of the information is unlikely, there is no eligible data breach. For example, if the USB stick could quickly be remotely deleted, or if the information is encrypted to a high standard – both of which make unauthorised access or disclosure unlikely – then there may be no eligible breach.

Example two – unauthorised access to personnel files

The HR manager of a freight company notices that the filing cabinet in which they keep employee files, contractor files and information about prospective employees is slightly ajar and the files are not sitting neatly in their hangers. Upon further investigation, the spare key to the cabinet, which is generally kept in a ‘safe place’, is missing. The HR manager suspects that there has been unauthorised access to personnel files.

In some cases, data breaches that affect employee records associated with current or former employment relationships in the private sector are exempt from the application of the NDB scheme. However, this exemption does not apply to:

• TFN information contained within in an employee record,
• information that is contained in the employee’s file that does not relate to their employment,
• information about consultants or independent contractors; or
• information about prospective employees

An assessment will need to be made about the circumstances around the suspected breach, the extent of the suspected breach, and the type of information contained in the files in the unlocked filing cabinet.

Depending on the type of information that is contained in the files relating to consultants, independent contractors and prospective employees, the organisation may be required to notify the individuals and the Privacy Commissioner about the breach.

Regardless of whether notification is mandatory, given community expectations around the handling of personal information, especially in the relationship of trust and confidence between an employer and employee, the Privacy Commissioner recommends that employers notify affected individuals where a breach of an employee record is likely to result in serious harm.

Next steps for your business

The notification requirements under the NDB scheme allow affected individuals the opportunity to take steps to prevent or limit potential harm, and may also help to build trust in your organisation, as it shows that privacy protection and data security is taken seriously.

Your business needs to be ready to act quickly in the event of a breach or a suspected breach.

Your organisation (and your staff) must be aware of the personal information that the business holds and the security measures that are in place. Your staff need to be trained on the role they play in maintaining information security, and what they need to do if they become aware of a breach or suspect a breach has occurred.

How can Rigby Cooke help?

Rigby Cooke’s specialist Privacy and Data Protection Team can assist your business by:

• reviewing your organisation’s current personal information handling practices and assist your organisation to obtain “best practice” compliance;
• reviewing your organisation’s existing Privacy Policy and Collection Notice;
• preparing a new Data Breach Response Plan for your organisation; and
• assisting in the event of a data breach or a potential data breach.

We can provide a questionnaire to scope your requirements and then provide you with fixed-fee quotes for any or all of these items.