OAIC Draft Guidelines for Mandatory Data Breach Scheme

27 Jun 2017

  • Governance
  • Data
  • Privacy and Compliance

The Office of the Australian Information Commissioner (OAIC) has released business resources for the new Notifiable Data Breaches (NDB) scheme set to commence in 2018. 

The NDB scheme was established earlier this year with the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017. The NDB scheme requires businesses covered by the Privacy Act 1988 to notify individuals of eligible data breaches, or to do so when directed by the OAIC.

We have a number of resources available about the new Notifiable Data Breaches scheme and what it means for your business – you can access them below:

• Making Sense of the Privacy Act Amendments
• Privacy Amendment: the law explained (webinar)
• Q&A Privacy Amendment Notifiable Data Breaches Bill 2017

The OAIC’s recently released resources, including information on how to prepare for the NDB scheme, can be accessed on the OAIC’s new NDB website.

The Commissioner has also released its Draft Guidelines for the following aspects of the NDB scheme:

1. Entities covered by the NDB scheme

Businesses that are already required to comply with the Australian Privacy Act and the Australian Privacy Principles will be required to comply with the new Notifiable Data Breaches scheme. The Draft Guidelines clarify that the NDB scheme applies to those businesses that are required to “take reasonable steps to secure certain categories of personal information”, including for example APP entities, credit reporting bodies, credit providers, and tax file number (TFN) recipients.

In addition, the Draft Guidelines also clarify that small businesses that are not required to comply with the Privacy Act do not need to notify affected individuals of a notifiable data breach. However, small businesses that must comply with the APPs in relation to certain types of information they hold (for example TFNs) will be required to notify affected individuals.

Read more information on who is covered by the NDB scheme here.

2. Notifying individuals about an eligible data breach

When an organisation experiences an Eligible Data Breach it will be required to notify the OAIC and affected individuals. There is a range of options for notification, including:

• Notifying all individuals to whom the information relates;
• Notifying only those individuals at risk of serious harm; or
• Publishing a notification on your website.

The Draft Guidelines also include further information on what information must be provided in a notification and timing requirements for the notification.

They clarify that where more than one business holds personal information that was compromised, only the business with the most direct relationship with individuals will be required to notify.

You can read the Draft Guideline on Notifying Individuals here.

3. Identifying eligible data breaches

Not all data breaches are notifiable under the NDB scheme. Businesses are only required to notify affected individuals of a data breach when:

• There is unauthorised access to or disclosure of personal information or a loss of personal information;
• This is likely to result in serious harm to affected individuals; and
• The business has not been able to prevent the likely risk of serious harm with remedial action.

The OAIC’s Draft Guidelines provide further information to assist businesses in determining whether a data breach satisfies the above criteria, including when a data breach is likely to result in serious harm.

Under the NDB scheme, a risk of serious harm is likely when, from the perspective of a ‘reasonable person,’ the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach. 

Importantly, the OAIC’s Draft Guidelines clarify that ‘reasonable person’ refers to a person in the position of the business, rather than the position of the affected individual. This is an important aspect that will ensure greater clarity and certainty for businesses.

You can read the Draft Guideline on Identifying an Eligible Data Breach here.

4. OAIC’s role in the NDB scheme

The OAIC is responsible for the administration of the NDB scheme, including:

• Receiving notifications of eligible data breaches;
• Encouraging compliance with the scheme (including complaints handling, investigations, and enforcement); and
• Offering advice and guidance in relation to the scheme.

The OAIC will consider its Privacy Regulatory Action Policy in determining whether to exercise its enforcement powers in relation to a breach of the NDB scheme. Its preferred approach is to work with businesses to encourage and facilitate compliance before taking enforcement action.

You can read more information on the OAIC’s role in the NDB scheme and its preferred approach to ensuring compliance here.

The OAIC has approached ADMA to provide feedback in relation to the NDB scheme and its Guidelines. We are currently in the process of reviewing the Draft Guidelines and will provide feedback to the OAIC. If there are any aspects of the Draft Guidelines or the Notifiable Data Breaches scheme that you would like further clarity on, please contact us. We will work with the OAIC to ensure that more clarity and certainty are provided in relation to the scheme. The closing date for providing comments and feedback is 14 July 2017.
