Under the NDS scheme, organisations covered by the Privacy Act are required to notify individuals if their personal information is involved in a data breach that is likely to result in serious harm. This will be an important area of compliance for all APP entities.
The resources published on Friday cover:
• Entities covered by the NDB scheme
• Notifying individuals about an eligible data breach
• Identifying eligible data breaches
• The Australian Information Commissioner’s role in the NDB scheme.
This is the first in a series of posts looking at the NDB scheme. In this post, we will examine the definition of a Notifiable Data Breach based on the draft reference material.
What is a Notifiable Data Breach?
There are two elements to the test of a Notifiable Data Breach. The first is that personal information held by an organisation must have been lost or subject to unauthorised access or subject to unauthorised disclosure. The second is that the breach must be likely to result in serious harm to affected individuals.
Unauthorised access occurs when personal information is accessed by someone who is not permitted to have access. This may include access by unauthorised employees, contractors and third-parties.
Unauthorised disclosure occurs when an entity makes personal information available or visible to outsiders. This may include unauthorised disclosures by employees.
Loss refers to the accidental or inadvertent loss of personal information in circumstances where it is likely that unauthorised access or disclosure will occur. Loss may include accidental loss of storage devices on public transport by an employee, as an example.
‘Under the NDB scheme, if personal information is lost in circumstances where subsequent unauthorised access to or disclosure of the information is unlikely, there is no eligible data breach (s 26WE(2)(b)(ii)).’
When is Serious Harm Likely?
For the purpose of the NDB scheme, serious harm will be found where from the ‘perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach.’
A reasonable person in this test is in the position of the entity (rather than the individual whose personal information was the subject of the data breach). Such a reasonable person is deemed to be properly informed.
Harm is said to include physical, psychological, emotional, financial, or reputational harm. Clearly, an example may include the loss of credit card and other financial details that would allow a third party to cause financial harm.
The NDB scheme includes a non-exhaustive list of ‘relevant matters’ that may assist entities to assess the likelihood that there has been serious harm. We will look in depth at these in a future post.
What should Businesses Do to Comply?
Businesses should examine (and consider contributing to) the draft resources. If you have feedback on the draft resources, please send it to [email protected] before 14 July, 2017.
The NDB scheme will come into effect on 22 February 2018. Compliance Quarter will be developing a range of tools to assist clients in their compliance with the NDB scheme over the coming months. If these are of interest to you, contact us.