Notifiable Data Breaches scheme - what your business needs to know

I doubt that many of us would have envisaged the advances in technology which we have seen over the last 30 years. In 1988, phones were not smart (they were still fixed to landlines), personal computers were in their infancy and relied on dots for graphics, and alternative media meant it was necessary to get up from your chair and walk across the room to change (with a choice of four) channels on the TV.

At the same time the Australian Privacy Act 1988 was introduced. No doubt the legislators would never have conceived how differently we do things today and how heavily we reply upon technology in our everyday life. Communicating with friends, taking a photo, paying a bill, getting directions, shopping, and renewing our car registration are all interactions capable of taking place online and generating data…the list is endless. That has resulted in an exponential increase in the amount of data and personal information collected, stored, used, and shared by organisations on a global scale.

This has governments around the world very concerned, and many have taken steps in the last 12 months to address the changes in use of technology and to update the rights which individuals enjoy to privacy.

In September Facebook reported that the accounts of nearly 90 million users had been compromised. The details of more than 500 million Marriot guests were also hacked, revealing customer data dating back to 2014.

Given those concerns, 2018 became the year a number of regulatory developments were introduced in Australia to enhance privacy governance across both public and private sectors. Internationally, on 25 May the European Union’s General Data Protection Regulation (GDPR) took effect. Those rules apply to Australian businesses operating in the EU or dealing with European citizens. (See our article here.) Domestically, the Notifiable Data Breaches (NDB) scheme also came into effect on 22 February 2018.

What is the NDB scheme?

The NDB scheme requires entities to notify affected individuals and the Privacy Commissioner where a data breaches occurs involving personal information that is likely to result in serious harm to any individual affected.

It is important to understand that data breaches don’t just occur as a result of hacking, but can occur from simple human behaviour leading to accidental loss or disclosure of personal information. Examples of data breaches include the following incidents:

• a device containing customers’ personal information is lost or stolen – such as a mobile phone being left/lost; or
• personal information is mistakenly provided to the wrong person – which could be as simple as putting the wrong letter in the wrong envelope or sending an email to the wrong recipient.

Who must comply with the NDB scheme?

Any organisations which must comply with the Privacy Act 1988 will be bound by the NDB scheme. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more. Some organisations such as credit reporting bodies and health service providers must comply even if they don’t meet the $3 million threshold due to the sensitivity of the information which is collected.

What I need to do when there is a data breach?

When a data breach has occurred, organisations must promptly assess whether individuals are at likely risk of serious harm and whether steps could be taken to contain the breach. That must be done promptly (within days rather than weeks). The Commissioner must also be notified as soon as practicable, if that is required.

Sectors which are susceptible to data breach

Putting the NDB scheme into perspective, according to statistics from Office of the Australian Information Commissioner (OAIC) from 1 July 2018 to 30 September 2018, OAIC had received a total of 487 data breach notifications. The top five industries by number of notifications are:

• Health (45)
• Finance (35)
• Legal, accounting & management services (34)
• Education (16)
• Business and professional associations (13)

Across all sectors, 37% of the breaches are caused by human error such as:

• Personal information sent to the wrong recipient
• Loss of paperwork/data storage device
• Unauthorised disclosure including unintended release or publication
• Insecure disposal

In comparison, 57% of breaches are caused by malicious or criminal attacks such as:

• Theft of paper work or data storage device
• Cyber incident such as hacking, compromised or stolen credentials, phishing, brute-force attack or ransomware
• Rogue employee who fails to comply with policy or who deliberately accesses information without authorisation

Conclusion

It is essential for organisations to regularly review their privacy policy and to consider the steps which they implement in the organisation to achieve compliance.

A move towards a best practice approach to privacy governance includes building a stronger system with the help of latest technology to manage data breach risks. This should include a review of your privacy policy and the establishment of protocols to assess and (if necessary) respond to any potential breach.

As with the development of technology, businesses must continue to review and evolve how they collect, store and handle personal information. It is essential to keep moving with the times, assessing where risks lie (both internally and externally), updating policy (set and forget won’t be acceptable) and developing appropriate response plans – should they ever be needed.

The Privacy Commissioner is unlikely to be impressed if you tell them that you have a pristine copy of your privacy policy in the bottom drawer, which was generated on your dot matrix printer back in 1988 and hasn’t been touched since.

This article was written by Kate Fei, Solicitor, and Andrew Nicholson, Partner