ZDNET, 22 February, 2018 – The Notifiable Data Breaches (NDB) scheme comes into effect today, requiring agencies and organisations in Australia that are covered by the Privacy Act to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach.
Launching the new legislative direction on Thursday, Australia’s outgoing Information and Privacy Commissioner Timothy Pilgrim said the NDB represents a significant boost to privacy governance in Australia. He said the requirements of the NDB scheme, however, are neither exceptional nor unexpected, noting rather that the scheme formalises a long-held expectation of consumers and the Australian community more broadly.
“Meeting privacy obligations and the expectations of the community continues to be essential. Only by demonstrating a commitment to privacy can organisations build and maintain people’s trust and a social licence for innovative uses of data,” he explained.
“The success of an organisation that handles personal information, or a project that handles personal information, depends on trust. People have to trust that their privacy is protected and be confident that personal information will be handled in line with their expectations.
“As a result, privacy today is really about transparency and accountability.”
The NDB scheme uses the phrase “eligible data breaches” to specify that not all breaches require reporting.
In general terms, an eligible data breach refers to the unauthorised access, loss, or disclosure of personal information that could cause serious harm to the individual whose personal information has been compromised.
Examples of a data breach include when a device containing customers’ personal information is lost or stolen, a database containing personal information is hacked, or personal information is mistakenly provided to the wrong person.
An employee browsing sensitive customer records without any legitimate purpose could constitute a data breach as they do not have authorised access to the information in question.
While it is unclear how many notifications the new legislative direction will result in, Pilgrim did say on Thursday his office is yet to receive a notification.
“We don’t know what we’re going to receive by way of notifications, or the current number,” he continued.
“We will see over the coming months whether that number mirrors the experience of the Dutch Data Protection Authority (DPA), which implemented mandatory data breach notification requirements in January 2016.”
Pilgrim said in the first 100 days of its scheme, the Dutch DPA received 1,000 notifications.
“I am staggering back at the thought,” the commissioner added.
The OAIC has published guidelines on the scheme, which also includes information on how to deal with the aftermath of a breach.
However, as the NDB only applies to those covered by the Privacy Act, intelligence agencies, not-for-profit organisations, small businesses with turnover of less than AU$3 million annually, credit reporting bodies, and political parties are exempt.
“Then there’s another fabulous little part of the Act which says if you collect or disclose information, and in doing so you receive a service benefit or advantage, you can’t claim the small business exemption,” Pilgrim added on Thursday.
“The nature of business, regardless of their turnover, has changed dramatically since 2000 when those provisions came in and it’s really hard to distinguish now about what would constitute a small business, but we do have to ask the question, ‘OK you’ve got a AU$3 million turnover, but are you collecting personal information and are you somehow getting a service or a benefit or advantage.
“My personal view is I think it’s becoming a compliance burden on small to medium enterprises to actually have to ascertain that in the first place, rather than considering why aren’t I just applying good privacy practices in line with the principles and just move on like that.”
There is the option for small and medium-sized enterprises under the Act to voluntarily opt-in to be covered by it. Pilgrim said there has been “quite a few” take up this option over the years.
He said it is best practice for SMEs and those not covered by the NDB scheme to follow the guidelines because, “at the end of the day, I think your customers will respect you for it”.
The federal government finally passed the data breach notification laws at its third attempt in February 2017.
A data breach notification scheme was recommended by the Joint Parliamentary Committee on Intelligence and Security in February 2015, prior to Australia’s mandatory data-retention laws being implemented.
(2018), Australia’s Notifiable Data Breaches scheme is now in effect, ZDNet, viewed 22 February 2018, <https://www.zdnet.com/article/australias-notifiable-data-breaches-scheme-is-now-in-effect/>.