The Notifiable Data Breach scheme in Part IIIC of the Commonwealth Privacy Act 1988 only requires certain data breaches to be notified by organisations.
Notification of breaches is mandatory when organisations believe an 'eligible data breach' has happened, including when affected individuals are likely to suffer serious harm as a result of the breach.
To assist, the guidance issued by the OAIC sets out some of the factors you can weigh up in assessing whether serious harm is likely.
The Notifiable Data Breach scheme in Part IIIC of the Commonwealth Privacy Act 1988 (Scheme) is now in full force. But not all privacy breaches need to be reported and not all privacy breaches are data security breaches.
The Scheme requires only certain data breaches to be notified by organisations subject to the Australian Privacy Principles, and/or the credit reporting provisions of the Privacy Act or the Tax File Number Rules. Notification of breaches is mandatory when organisations have reasonable grounds to believe an 'eligible data breach' has happened. A data breach is eligible and therefore notifiable when:
Whether an individual is likely to suffer serious harm is an objective test. However, this is an assessment that your organisation will need to undertake, taking into account the specific circumstances of the breach.
So, assuming there has been unauthorised access or disclosure of personal information that your organisation holds (which includes physical possession or control of the data) or this is likely, how do you work out whether any particular person affected by the data security breach is likely to suffer serious harm? This is one of the most challenging aspects of the Scheme for organisations to understand and assess, because no two breaches and individuals are the same. Also, as the Scheme is still relatively new, we don’t yet have the benefit of any determinations by the Australian Information Commissioner about the circumstances that will meet the ‘serious harm’ threshold.
However, to assist, the guidance issued by the Office of the Australian Information Commissioner (OAIC) (Guidance) sets out some of the factors you can weigh up in assessing whether serious harm is likely. These factors include:
When undertaking an assessment following a privacy data breach, you should also consider whether you can take any remedial action to remove the likelihood of affected people suffering serious harm. The Guidance sets out some case study examples of the types of action you could take. For example, can you remotely wipe a lost device that has security measures applied before it is likely that someone could have accessed the data on the device? If you can take remediation steps so that serious harm is no longer likely, you will not need to notify.
The two quarterly reports that the OAIC has published to date (February – March and April – June) on notified data breaches under the Scheme do not give any indication whether the reported breaches actually met the threshold 'serious harm' requirement. According to the reports, 305 breaches have been reported to the OAIC from 22 February – 30 June 2018. However, it is not clear whether all these meet the eligible data breach test.
Other questions you will want to consider if there has been a data breach is whether you should still voluntarily notify any affected individuals and/or the OAIC about the breach, whether specifically or generally, and what risk there is to the organisation of a claim for damages. While organisations may prefer to adopt a cautious approach and notify a data breach under the Scheme, in the event there is any doubt about whether it falls within the definition, this will form part of the organisation's record of privacy compliance and indicate to customers that the organisation considers that those affected are at risk from serious harm. It also sets a benchmark for the organisation for future notifications.
If you suspect you have had a data breach and would like assistance in working out whether you need to notify, MinterEllison's National Privacy team can assist.