A quick guide to Australia's Notifiable Data Breach scheme

A quick guide to Australia's Notifiable Data Breach scheme

Data breaches in Australia are an escalating threat. It is therefore essential to have a good understanding of the Notifiable Data Breach scheme.

This knowledge will enable you to deliver a timely and compliant response to a potential incident and help you manage your reputation amongst customers.

Want to quickly know the details? Read below as we explore the ins and outs of the scheme.

What is the notifiable data breach scheme?

The Notifiable Data Breaches (NDB) scheme was passed as an amendment to The Privacy Act (1988) in 2017. It applies to eligible data breaches that occur on or after 22 February 2018.

The (NDB) scheme mandated reporting and notification of breaches by the Office of the Australian Information Commissioner (OAIC). It also established new obligations for government agencies and organisations to notify individuals and the OAIC about 'eligible data breaches'.

The objectives of the scheme are to:

  • Enable individuals whose personal information has been compromised to take remedial steps to lessen the potential harm.
  • Enhance accountability amongst organisations for privacy protection.
  • Build trust in personal information handling by demonstrating that entities are accountable for privacy, and that information security and privacy breaches are treated seriously.

The new NDB scheme replaced the voluntary scheme that had been in operation since 2008, quickly resulting in a 10x increase in reported incidents.

Increase in reported data breaches in Australia under the NDB scheme

Before the NDB scheme, there were 107 voluntary notifications in the 2015–16 financial year. In the first full year (2018-19) after introduction, the OAIC received 939 data breach notifications, followed by 1,050 in the next year.

If the proposed changes to Australia's privacy legislation come into place (discussed at the end), we can expect a further significant increase.

What is a notifiable data breach in Australia?

An eligible breach is considered to be 'likely to result in serious harm to one or more individuals'

Under the Notifiable Data Breach (NDB) scheme, an eligible data breach occurs when the following three criteria are met:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds;
  • this is likely to result in serious harm to one or more individuals; and
  • the organisation or agency hasn't been able to prevent the likely risk of serious harm with remedial action.

An organisation or agency must quickly assess a suspected incident to determine if it is an eligible breach and whether it will likely result in serious harm to any individual. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

Who is responsible for regulating the notifiable data breach scheme?

The OAIC monitors, encourages compliance and reports on notifiable breaches. Their responsibilities include:

  • receiving notifications of eligible data breaches;
  • encouraging compliance with the NDB scheme, including by handling complaints, conducting investigations and taking other regulatory action;
  • offering advice and guidance to regulated organisations; and
  • providing information to the community about the operation of the NDB scheme.

What are the notifiable data breach penalties?

A minimum penalty of $50m (AUD) for serious or repeated breaches

Organisations are subject to penalties defined in The Privacy Act. A new amendment in 2022 increased the potential penalties for serious or repeated breaches from $2.2m to the greater of the following:

  • $50 million (AUD);
  • 3x the value of benefits obtained or attributable to the breach (if quantifiable); or,
  • 30% of the corporation's 'adjusted turnover' during the 'breach turnover period' (if the court cannot determine the value of any benefit obtained).

These are only the direct penalties. These may only be a fraction of the financial damages following a breach, which can be wide-ranging and long-lasting. The immediate cost to contain an incident can be in the millions, while the reputational damage can result in loss of revenue for years to come.

Examples of notifiable data breaches

Organisations should develop their own procedures for assessing a suspected data breach. Examples may include, but are not limited to:

  • a digital or physical record containing customers' personal information is lost or stolen
  • unauthorised access of sensitive personal information by an employee (or third party)
  • a database containing personal information is hacked
  • a cyber-attack results in unauthorised access to personal information
  • accidental disclosure of personal information due to human error

The four key steps to reporting data breaches

The four steps can be broken down into four key areas: Contain, Assess, Notify and Review

  1. CONTAIN the data breach to prevent further compromise of personal information.
  2. ASSESS the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
  3. NOTIFY the relevant authorities and impacted individuals

    a) Notify the Commissioner if required. If the breach is an 'eligible data breach' under the NDB scheme, it may be mandatory to notify the regulator.

    b) Notify the individuals impacted. It is your choice whether to notify all individuals or only those deemed at risk of serious harm. The communication should include the content of the statement to the OAIC (3a), which requires recommended steps to minimise the risk of harm.
  4. REVIEW the incident and consider what actions can be taken to prevent future breaches.

The NDB scheme requires entities to assess a data breach within 30 days of becoming aware of reasonable grounds to suspect that there may have been an eligible data breach, and to notify the OAIC and affected individuals as soon as practicable after it confirms that an eligible data breach has occurred.

It is worth noting that steps 1 to 3 can often occur simultaneously. In many cases, waiting for the entire assessment to be completed may not be suitable before notifying the Commissioner and any impacted individuals.

Helpfully, the OAIC provides a data breach response plan template

To notify the OAIC of a data breach, you should use their online Notifiable Data Breach form.

This should be part of your data breach response plan (as part of Step 3 above). It is, therefore, worthwhile being prepared about the types of information required to speed the process in the event of a breach. For this purpose, the OAIC has helpfully provided an online training version (pdf).

What information should be included within the data breach reporting to the OAIC?

The information that needs to be supplied to the OAIC includes:

  • the identity and contact details of your organisation
  • a description of the breach
  • the types of personal information impacted (e.g. financial, health, TFN)
  • recommended steps for affected individuals to take to reduce their risk of harm as a result of the breach

Proposed changes to the Notifiable Data Breaches (NDB) Scheme in The Privacy Act Review

'A 72-hour notification window for reporting breaches'

The Australian Attorney-General recently released The Privacy Act Review, a comprehensive report on Australia's privacy legislation. It includes over 100 recommendations to improve data privacy and protection and bring legislation in line with modern international privacy standards.

The proposals include several changes that would impact the notifiable data breaches scheme. These include:

  1. A 72-hour window for organisations to report eligible breaches to the OAIC. This would start from when they become aware of reasonable grounds to believe an eligible data breach had occurred. This new timeframe aligns with the window imposed by the GDPR.
  2. The introduction of a data 'processor' and 'controller' distinction to reduce confusion in the event of a multi-party breach. Under the new rules, all parties would be required to notify the OAIC, but only the controller would be required to notify affected individuals.
  3. The removal of small business exemptions. While not directly affecting the NDB Scheme, the removal of certain exemptions would materially increase the number of organisations that must comply with The Privacy Act and are therefore subject to data breach reporting rules.

Key questions to consider to understand for your organisation

  • Is your organisation covered by the NDB Scheme?
  • Do you know your obligations in the event of a breach?
  • Do you have a data breach policy and data breach response plan in place?
  • Do you understand the proposed changes under The Privacy Act Review?

If you would like to learn more about what we are building at Onqlave to help protect sensitive data, follow our updates via LinkedIn, sign up to our newsletter or feel free to get in touch with any of our team.