Businesses today are subject to several privacy obligations for private and personal data. Considering that the majority of information is transmitted electronically, data transfers need to be kept secure and not shared with unauthorised parties. Under the Australian Privacy Principles, businesses dealing with data have an obligation to report and contain any notifiable data breach (NDB). An NDB refers to a situation where an individual’s data is lost, leaked, or accessed without authorisation. The Office of the Australian Information Commissioner (OAIC) sets out the procedure businesses should follow when an NDB takes place.
This article covers what data breaches are, reporting obligations, and steps to limit the impact of lost data for businesses.
What is a Notifiable Data Breach?
According to the OAIC guidelines, a data breach occurs when:
- A business loses personal information, discloses it to a third party or the data is susceptible to unauthorised access;
- The loss, disclosure, or access results in serious harm;
- The business is unable to reduce this harm.
If a breach meets all three conditions, it is considered notifiable by the OAIC. However, if no serious harm occurred and steps were quickly implemented to minimise the harm, the data breach will not be considered notifiable.
The NDB Scheme
The NDB scheme was introduced in 2018 by the OAIC as the guideline for recognising and handling data breaches. That said, the scheme does not apply to all businesses.
The eligibility criteria for the NDB Scheme are the following:
- Businesses that have an annual turnover of over $3 million.
- Credit reporting bodies and institutions.
- Businesses that trade in personal information.
- Health service providers.
- Any institutions that are tax file number recipients.
Any businesses meeting the eligibility criteria must comply with the Scheme’s obligations.
What is meant by ‘Serious Harm’?
As stated above, one requirement of a notifiable breach involves serious harm. Determining whether a breach will result in serious harm means applying an objective test. This involves analysing the data breach circumstances through the lens of a ‘reasonable person’ in the business entity’s position. The OAIC has set a limit of 30 business days for businesses to determine whether the breach is seriously harmful.
Several factors are considered:
- Is the harm psychological, reputational, financial, or physical?
- Is the lost or disclosed information sensitive?
- Which unauthorised persons have gained access to the information?
- Was the information protected by any relevant security measures?
The OAIC defines the serious harm to be:
- Identity theft (financial information or otherwise);
- Financial losses due to fraud;
- Physical harm or risk thereof;
- Serious psychological harm;
- Serious reputational risk to individuals.
How do I respond to a Data Breach?
Ideally speaking, a data breach should not occur. Relevant and stringent measures should be in place to secure any sensitive information from being disclosed. However, in the case of a breach, you need to have a response plan in line with OAIC guidelines.
First, you will need to notify the OAIC and report a data breach. Then you will need to identify and inform the relevant individual(s) about the information that was compromised.
Data Breach Response Plan
Businesses covered by the Privacy Act must have a data breach response plan and security protocols that comply with the NDB scheme. This plan should be a formal written document with clear roles and responsibilities as well as procedures set in place. The plan should be accessible to all staff members, and staff need to be well-versed in these protocols.
A data breach response plan sets out the formal process to follow when a breach has taken place, and should answer:
- Who is responsible for containing data and dealing with the breach?
- What actions must be taken after the breach occurs?
- Who requires notification and who will do the notifying?
Reporting the breach is essential, but so is containing it and limiting its impact. This can be done by:
- Recovering the lost information;
- Remotely deleting files;
- Shutting down breached systems;
- Removing unauthorised access from the system;
- Restricting access to data until the breach is investigated.
Reporting to the OAIC
Reporting an NDB requires filling out a form and submitting a statement of events. The statement should cover:
- Summary of events (how the breach occurred);
- What data/information has been compromised;
- Effect and magnitude of the breach;
- Business name and contact details.
Notifying Individuals about a Breach
The individuals involved in the data breach will need to be informed – including customers or third parties contracting with the business. You can reach them through email, text message, phone call or by publishing a statement on your website and social media handles.
Include the following information in your message when notifying them:
- Your organisation’s name and contact details;
- The personal information that was breached;
- The description of the breach;
- Potential impact and how they can safeguard themselves;
- The steps you will be taking under the response plan.
Preventing Data Breaches
Breach prevention should remain a top priority. Businesses can implement effective technological controls to protect data and information from falling into the wrong hands.
Relevant security protocols can include:
- Using cybersecurity software and running regular scans.
- Restricting access and storing data and passwords in secure locations.
- Using email delay functions to recall emails sent by employees that may contain sensitive information.
Additional human resource measures can augment the security of the data:
- Train staff to securely handle data;
- Restrict access to specific individuals who have undergone proper training to store and handle data carefully;
- Appoint privacy officers and teams;
- Use shredders and disposal bins for securely disposing of vital information;
- Publish a privacy manual that contains procedures for the safe handling of data.
Key Takeaways
- Data breaches can have serious consequences for individuals and businesses and should be taken seriously.
- Businesses need to follow the NDB scheme guidelines to report and contain data breaches.
- A data breach response plan should be in place that identifies steps to take to report and contain the situation and identify the persons responsible for the task.
- Put in place security protocols and containment measures to prevent a data breach.
- Train staff on the proper security protocols and breach response plans to ensure timely compliance with the NDB Scheme.
If you’re looking to understand your business obligations regarding privacy, or are forming security policy documents, it is advisable to seek legal counsel. Business lawyers can not only help you set up privacy policies, but also help you with your obligations if a data breach occurs. Get in touch with the expert business lawyers at Lazarus Legal today to seek help with any concerns you may have regarding your privacy obligations and policies.
Mark Lazarus
Mark Lazarus (or Laz, as he is often known), the visionary behind the business and the fresh blood of the Lazarus Legal team, owes much of his success to his past experiences. He has made it his personal goal to bring that wisdom and formula to the firm.