What is a Notifiable Data Breach (NDB)?

Businesses today are subject to several privacy obligations covering private and personal data. Since most information is now transmitted electronically, data transfers need to be kept secure and not shared with unauthorised parties. Under the Australian Privacy Principles, businesses dealing with personal data have an obligation to contain and report any notifiable data breach (NDB). An NDB refers to a situation where an individual’s data is lost, leaked, or accessed without authorisation. The Office of the Australian Information Commissioner (OAIC) sets out the procedure businesses should follow when an NDB takes place.

This article covers what data breaches are, reporting obligations, and steps to limit the impact of lost data for businesses.

What is a Notifiable Data Breach?

According to the OAIC guidelines, a data breach occurs when:

  1. A business loses personal information, discloses it to a third party or the data is susceptible to unauthorised access;
  2. The loss, disclosure, or access results in serious harm;
  3. The business is unable to reduce this harm.

If a breach meets all three conditions, the OAIC considers it notifiable. However, if serious harm did not result and steps were quickly taken to minimise the harm, the data breach will not be considered notifiable.

The NDB Scheme

The NDB scheme was introduced in 2018 by the OAIC as the guideline for recognising and handling data breaches. That said, the scheme does not apply to all businesses.

The NDB Scheme applies to the following:

  • Businesses that have an annual turnover of over $3 million.
  • Credit reporting bodies and institutions.
  • Businesses that trade in personal information.
  • Health service providers.
  • Any institutions that are tax file number recipients.

Any businesses meeting the eligibility criteria must comply with the Scheme’s obligations.

What is meant by ‘Serious Harm’?

As stated above, one requirement of a notifiable breach is serious harm. Determining whether a breach is likely to result in serious harm means applying an objective test: the circumstances of the breach are assessed through the lens of a ‘reasonable person’ in the business entity’s position. The OAIC has set a limit of 30 business days for businesses to determine whether the breach is seriously harmful.

Several factors are considered:

  • Is the harm psychological, reputational, financial, or physical?
  • Is the lost or disclosed information sensitive?
  • Which unauthorised persons have gained access to the information?
  • Was the information protected by any relevant security measures?

The OAIC defines serious harm to include:

  1. Identity theft (financial information or otherwise);
  2. Financial losses due to fraud;
  3. Physical harm or risk thereof;
  4. Serious psychological harm;
  5. Serious reputational risk to individuals.

How do I respond to a Data Breach?

Ideally, a data breach should never occur, and appropriate, stringent measures should be in place to prevent sensitive information from being disclosed. However, in the event of a breach, you need to have a response plan in line with OAIC guidelines.

First, you will need to notify the OAIC and report a data breach. Then you will need to identify and inform the relevant individual(s) about the information that was compromised.

Data Breach Response Plan

For businesses covered by the Privacy Act, the data breach response plan and security protocols must comply with the NDB scheme. The plan should be a formal written document with clear roles, responsibilities and procedures. It should be accessible to all staff members, and staff need to be well-versed in these protocols.

A data breach response plan is a formal process to follow when a breach has taken place. It should answer:

  • Who is responsible for containing data and dealing with the breach?
  • What actions must be taken after the breach occurs?
  • Who requires notification and who will do the notifying?

Reporting the breach is essential, but so is containing it and limiting its impact. This can be done by:

  • Recovering the lost information;
  • Remotely deleting files;
  • Shutting down breached systems;
  • Removing unauthorised access from the system;
  • Restricting access to data until the breach is investigated.

Reporting to the OAIC

Reporting an NDB requires filling out a form and submitting a statement of events. The statement should cover:

  • Summary of events (how the breach occurred);
  • What data/information has been compromised;
  • Effect and magnitude of the breach;
  • Business name and contact details.

Notifying Individuals about a Breach

The individuals affected by the data breach will need to be informed – including customers or third parties contracting with the business. You can reach them by email, text message or phone call, or by publishing a statement on your website and social media accounts.

Include the following information in your message when notifying them:

  • Your organisation’s name and contact details;
  • The personal information that was breached;
  • A description of the breach;
  • The potential impact and how they can safeguard themselves;
  • The steps you will be taking under the response plan.

Preventing Data Breaches

Breach prevention should remain a top priority. Businesses can implement effective technological controls to protect data and information from falling into the wrong hands.

Relevant security protocols can include:

  1. Using cybersecurity software and running regular scans.
  2. Restricting access and storing data and passwords in secure locations.
  3. Using email delay functions to recall emails sent by employees that may contain sensitive information.

Additional human resource measures can strengthen the security of the data:

  • Train staff to securely handle data;
  • Restrict access to specific individuals who have undergone proper training to store and handle data carefully;
  • Appoint privacy officers and teams;
  • Use shredders and disposal bins for securely disposing of vital information;
  • Publish a privacy manual that contains procedures for the safe handling of data.

Key Takeaways

  • Data breaches can have serious consequences for individuals and businesses and should be taken seriously.
  • Businesses need to follow the NDB scheme guidelines to report and contain data breaches.
  • A data breach response plan should be in place that identifies steps to take to report and contain the situation and identify the persons responsible for the task.
  • Put in place security protocols and containment measures to prevent a data breach.
  • Train staff on the proper security protocols and breach response plans to ensure timely compliance with the NDB Scheme.

If you’re looking to understand your business obligations regarding privacy, or are drafting security policy documents, it is advisable to seek legal counsel. Business lawyers can not only help you set up privacy policies, but also help you meet your obligations if a data breach occurs. Get in touch with the expert business lawyers at Lazarus Legal today to seek help with any concerns you may have regarding your privacy obligations and policies.

Mark Lazarus

Mark Lazarus, the visionary behind the business and the fresh blood of the Lazarus Legal team, Mark (or Laz as he is often known) owes much of his success to his past experiences. And he’s made it his personal goal to bring that wisdom and formula to the firm.
