The Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches Scheme (NDB) in Australia. The NDB Scheme will commence on 22 February 2018.
If you are an organisation or agency covered by The Privacy Act 1988, you must be already very familiar with the APPs (Australian Privacy Principles). In essence, agencies and organisations are required to take reasonable steps to protect the personal information they hold from misuse. interference and loss, and from unauthorised access, modification or disclosure.
It is now time to review your practices, procedures and systems to ensure that you are ready for the NDB Scheme.
What the Office of Australian Information Commissioner (OAIC) has done to assist organisations
Over the years, the OAIC has published various guides to assist organisations with compliance under the Privacy Act 1988. One example of this is their Guide to securing personal information. This is a very useful guide which does not only take you through the basic concepts of what constitutes personal information and sensitive information but also provides practical guidelines as how to conduct a privacy impact assessment (PIA) which identifies the impact the proposed activities might have on the privacy of individuals and sets out recommendations for managing, minimising or eliminating the impact.
The PIA assists an organisation with identification of any personal information security risks and the reasonable steps that may be required to be undertaken to protect that personal information concerned.
What is a Notifiable Data Breach?
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates. A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.
Examples referred to on the OAIC website include circumstances when:
- a device containing customers' personal information is lost or stolen;
- a database containing personal information is hacked; or
- personal information is mistakenly provided to the wrong person.
Four key steps to consider when responding to a breach of suspected breach
- Step 1: Contain the breach and do a preliminary assessment
- Step 2: Evaluate the risks associated with the breach
- Step 3: Notification
- Step 4: Prevent future breaches
Resources to prepare for the NDB scheme
The OAIC has devised a guide to assist organisations in their development of a Data Breach Response Plan as well as a Guide to handling personal information security breaches. These contain detailed steps and considerations to be taken into account to ensure that appropriate practical measures are adopted where there is or a suspected data breach.
Without going into the details of the Guides, to meet their information security obligations, agencies and organisations should generally consider the following:
- Risk assessment – Identifying the security risks to personal information held by the organisation and the consequences of a breach of security.
- Privacy impact assessments – Evaluating, in a systemic way, the degree to which proposed or existing information systems align with good privacy practice and legal obligations.
- Policy development – Developing a policy or range of policies that implement measures, practices and procedures to reduce the identified risks to information security.
- Staff training – Training staff and managers in security and fraud awareness, practices and procedures and codes of conduct.
- The appointment of a responsible person or position – Creating a designated position within the agency or organisation to deal with data breaches. This position could have responsibility for establishing policy and procedures, training staff, coordinating reviews and audits and investigating and responding to breaches.
- Technology – Implementing privacy enhancing technologies to secure personal information held by the agency or organisation, including through such measures as access control, copy protection, intrusion detection, and robust encryption.
- Monitoring and review – Monitoring compliance with the security policy, periodic assessments of new security risks and the adequacy of existing security measures, and ensuring that effective complaint handling procedures are in place.
- Standards – Measuring performance against relevant Australian and international standards as a guide.
- Appropriate contract management – Conducting appropriate due diligence where services (especially data storage services) are contracted, particularly in terms of the IT security policies and practices that the service provider has in place, and then monitoring compliance with these policies through periodic audits.
The above list should always be considered in light of:
- the sensitivity (having regard to the affected individual(s)) of the personal information held by the agency or organisation;
- the harm that is likely to result to individuals if there is a data breach involving their personal information;
- the potential for harm (in terms of reputational or other damage) to the agency or organisation if their personal information holdings are breached, and
- how the agency or organisation stores, processes and transmits the personal information (for example, paper-based or electronic records, or by using a third party service provider),
as these would dictate both the extent and breadth of the measures to be undertaken.
The OAIC website is a very useful first port of call for all concerns regarding your organisation's privacy obligations but should you be unsure about how to proceed, please feel free to:
Note: The information contained in this article and on www.laulegal.consulting website is general information only and does not constitute legal or compliance advice.