Mandatory Data Breach Reporting and Planning


Failing to plan is planning to fail when it comes to data security and breach responses. In this post, we examine the regulatory obligations of entities under the notifiable data breach (NDB) scheme. Specifically, we examine when reporting is mandatory and what the features of a broader, effective response plan are.

When is reporting mandatory?

The NDB scheme is found in Part IIIC of the Privacy Act and requires certain businesses to notify affected individuals and the Privacy Commissioner of certain data breaches.

The reporting obligation kicks in where there is an ‘eligible data breach,’ which is a data breach where:

  • there is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur);
  • this is likely to result in serious harm to any of the individuals to whom the information relates; and
  • the entity has been unable to prevent the likely risk of serious harm with remedial action.

The policy rationale for the NDB scheme is to ensure that individuals affected by a data breach can take action to reduce the risk of loss, through steps such as updating passwords and securing other accounts.

From a practical perspective, organisations that have had a data breach often need to examine whether serious harm is likely. ‘Serious harm’ is not defined in the Privacy Act. Whether there is a risk of serious harm is determined objectively, from the perspective of a ‘reasonable person.’

Examples of serious harm provided by the Office of the Australian Information Commissioner include:

  • identity theft, which can affect an individual’s finances and credit report;
  • financial loss through fraud;
  • a likely risk of physical harm, such as by an abusive ex-partner;
  • serious psychological harm; and
  • serious harm to an individual’s reputation.

Ultimately, it will be for individual organisations to undertake that assessment with the assistance of suitably experienced legal and compliance professionals. The key to ensuring that the process is conducted efficiently and effectively is a business’s data breach plan, a plan that should be in place before a breach occurs.

What is an effective plan?

All organisations should plan to respond effectively to data breaches. An effective response is one that stops the loss of data, minimises the impact of the breach, and resolves any underlying deficiencies in a business’s data collection, storage, and disclosure processes and systems.

An effective response was described by Mr Timothy Pilgrim PSM (Australian Information Commissioner) as a ‘response that successfully reduces or removes the risk of harm to individuals, and which aligns with legislative requirements and community expectations.’[1]

A data breach response plan should, clearly, be implemented before a breach occurs. It should be regularly reviewed and updated, and all staff should be trained on it and understand their respective roles within it.

Compliance with the Australian Privacy Principles (APPs) will, in itself, reduce the likelihood of a data breach. APP 11 requires that entities take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.

What is reasonable for an entity depends on the characteristics of the entity, the types of information held and the risks of unauthorised access, loss or disclosure. To comply with APP 11, entities should conduct risk assessments to determine whether their controls are reasonable or if additional measures should be implemented.

The best mitigation against a data breach is to not have the data to be lost or stolen in the first place. Businesses should consider whether they actually need to collect the personal information they are collecting and whether they are then able to destroy or de-identify that personal information.

Many businesses are under the misapprehension that they need to keep all data for seven years for ‘audit purposes.’ Most times, this is simply not the case.

The Office of the Australian Information Commissioner has some fantastic resources available for businesses that are establishing or reviewing their data breach plan.

[1] Office of the Australian Information Commissioner, Data breach preparation and response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth), July 2019.
