Insights from the OAIC's draft mandatory data breach notification resources released for comment

The Office of the Australian Information Commissioner (OAIC) last week released four resources on the mandatory data breach notification scheme (DBN scheme)  for consultation. Public comments on these are due by 14 July 2017. The resources cover:

1. the types of entities that will be covered by the DBN scheme;
2. notifying individuals about an eligible data breach;
3. identifying eligible data breaches; and
4. the Commissioner's roles in the DBN scheme.

Here is a brief summary of the resources and some key points from the resources:

Key takeaways

• The Commissioner's focus in the first 12 months of the DBN scheme’s operation, will be 'working with entities to ensure that they understand the new requirements and are working in good faith to implement them.'
• There will be an online form for notification.
• There are different options for notifying individuals  - an entity's website will be an option if other forms of communication are not practicable.
• The current Guides on Data breach notification and Developing a data breach response plan will be updated in consultation with stakeholders before the DBN Scheme starts.
• There will be a separate guide on the process to follow when assessing whether there are reasonable grounds to suspect that there may have been an eligible data breach.
• The expectation of the Commissioner is that entities will act expeditiously to notify individuals at risk of serious harm about an eligible data breach unless cost, time, and effort are excessively prohibitive in all the circumstances.

Summary of the resources

1. The entities covered by the DBN scheme

This resource explains the entities that are covered by the DBN scheme, as well as those that are not.  The resource provides particular guidance for small business operators, TFN recipients and credit providers (including guidance on notification requirements when a credit provider discloses credit eligibility information to a person that does not have an Australian link), as well as general guidance for APP entities and credit reporting bodies). 

The resource also provides guidance on responsibility for notification under the DBN scheme when personal information is disclosed overseas.

2. Notifying individuals about an eligible data breach

How to notify individuals

This resource provides guidance on the different notification options that are available under the DBN scheme, the three options being in summary:

1. notify all individuals;
2. notify only those individuals at risk of serious harm; or
3. if neither option 1 or 2 are practicable, publish the notification on the entity's website and take reasonable steps to publicise the contents of the statement).

The resource provides an example of a breach that relates to many individuals, but in respect of which only a subset of individuals need to be notified.  There is, in summary, where a hacker has obtained information about many individuals, but only additional information that could lead to serious harm about the subset of individuals.

The resource also provides guidance on what are 'reasonable steps' to publicise an online notice (under option 3).

Timing of the notification

The resource provides useful guidance on the timing of the notification, indicating that entities may choose to notify individuals before or at the same time as the Commissioner (not necessarily after notifying the Commissioner).  Importantly, it states that, although entities only have to notify individuals 'as soon as practicable' after completing the statement for the Commissioner, 'the Commissioner generally expects entities to expeditiously notify individuals at risk of serious harm about an eligible data breach unless cost, time, and effort are excessively prohibitive in all the circumstances.'

Breaches involving more than one entity

Finally, in relation to a breach that applies to multiple entities (eg where one is in possession of the information and another controls the information), the Commissioner suggests that the entity with the most direct relationship with the individuals at risk of serious harm should undertake the notification.  The resource recommends entities consider making arrangements regarding compliance with the NDB scheme, such as in contractual arrangements.  We recommend such arrangements cover notification of a breach between the contracting parties, the provision of assistance by the parties in the risk assessing breach responses, and allocation of responsibility of breach notification.

The resource provides an example of breach notification in a circumstance where the breach applies to multiple entities.

3. Identifying eligible data breaches

This resource provides detailed guidance and examples to assist entities in determining whether an 'eligible data breach' has occurred, a key threshold issue under the DBN scheme.  It provides guidance on each of the three criteria in the assessment, being whether:

1.         a data breach has occurred (ie unauthorised access, unauthorised disclosure or loss);
2.         serious harm is likely; and
3.         the entity has been able to prevent the likely risk of serious harm through remedial action.

The resource provides specific guidance on the following relevant matters for assessing whether serious harm is likely:

• the type or types of personal information involved in the data breach;
• the circumstances of the data breach; and
• the nature of the harm that may result.

The resource provides examples of remedial action that may prevent serious harm occurring, as well as a number of examples of data breaches to illustrate the considerations that entities might take into account when assessing whether a data breach is likely to result in serious harm.

The resource indicates that a separate resource will be developed to provide guidance about the process to follow when carrying out an assessment of whether there are reasonable grounds to suspect that there may have been an eligible data breach.

4. Australian Information Commissioner’s role in the DBN scheme

This resource summarises how the Commissioner anticipates exercising its functions in relation to the DBN scheme (receiving notifications of breaches, encouraging compliance with the scheme, handling and investigating complaints, taking other action in response to non-compliance and offering advice and guidance to entities and information the community about the scheme).

The resource indicates that the Commissioner will publish an online form to help entities lodge notification statement.  It also addresses:

1. confidentiality of additional supporting information provided to the Commissioner;
2. the factors the Commissioner may consider in deciding whether to make inquiries or offer advice and guidance in response to a notification, or take regulatory action in response to a notification;
3. when a failure to meet specific requirements of the DBN scheme will be an interference with the privacy of an individual, as well as the enforcement powers of the Commissioner in such situations; and
4. the Commissioner other powers and functions under the scheme, being:
   1. directing an entity to notify the Commissioner and individuals about a breach (the resource explains the process the Commissioner will following before making such direction); and
   2. declaring that notification need not be made, or that notification can be delayed (the resource explains the factors the Commissioner will take into account before making such declaration, but states that the Commissioner expects that these declarations will be limited to exceptional circumstances).

Feedback sought

The OAIC has provided the following questions to stimulate comments, but comments do not need to be confined to these questions:

1. Are the draft resources clear, relevant and practical?
2. Do the draft resources meet the needs of agencies and organisations in understanding the new requirements under the NDB scheme?
3. Are there any topics that you believe the draft resources should cover that have not been covered, or should be covered in greater detail?
4. Are there any practical examples you could share to help illustrate the operation of the NDB scheme?
5. Are there any other ways in which the draft resources could be enhanced?