- understand what the Notifiable Data Breaches Scheme is about.
- learn how to manage and report a data breach.
- be informed of data breaches reported since February 2018.
- discover resources to help you with the requirements of the scheme.
In February 2017, Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, and a year later, in February 2018, the Notifiable Data Breaches Scheme (NDBS) came into effect. This means that health service providers regulated by the Privacy Act 1988 are now required to notify the Privacy Commissioner and affected individuals of an eligible data breach.
Who does the NDBS apply to?
The NDBS applies to agencies and organisations that are required by the Privacy Act to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, among others.
Health service providers are subject to the NDBS regardless of their annual turnover, because the small business exemption in the Privacy Act does not apply to organisations that provide a health service and hold health information.
What is a data breach?
A data breach occurs if there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or if such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.
Which data breaches are required to be notified?
A data breach is an eligible data breach (and therefore a breach that must be reported) if a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.
Serious harm includes:
There is a likely risk of serious harm if a reasonable person would be satisfied that the risk of serious harm occurring is more probable than not. In deciding whether this is the case, you are required to have regard to a list of “relevant matters” included in the Act.
What to do if you suspect a data breach
If you suspect that an eligible data breach has occurred, you must undertake an assessment of the relevant circumstances. You are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable after becoming aware that there are reasonable grounds to believe there has been an eligible data breach.
These assessments are required to be undertaken and completed within 30 calendar days. While this is the maximum time, the OAIC encourages assessments to be completed as quickly as possible.
The OAIC states that at any time, including during an assessment, you can, and should, take steps to reduce any potential harm to individuals caused by a suspected or eligible data breach. If remedial action is successful in preventing serious harm to affected individuals, notification is not required.
There is an important exception to the notification requirement. If there is a data breach but you take remedial action, and as a result of that action:
- there is no unauthorised access to, or unauthorised disclosure of, the information, or
- a reasonable person would conclude that the access or disclosure is not likely to result in serious harm to any of the affected individuals,
then the breach will not be an eligible data breach.
How to notify if an eligible data breach has occurred
The notification to affected individuals and the OAIC must include the following information:
- the identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned
- recommendations about the steps individuals should take in response to the data breach.
A form for notifying the OAIC of a breach is available on the OAIC website.
When notifying affected individuals, you have discretion to notify either each affected individual or, if not all affected individuals are deemed to be “at risk” from an eligible data breach, only those individuals who are considered to be at risk. If neither option is practicable, the statement must instead be published on your website and reasonable steps taken to publicise its contents.
Results of a failure to comply
Failure to comply with the requirements means the Privacy Commissioner has the power to:
- conduct investigations
- make determinations
- seek enforceable undertakings
- pursue civil penalties for serious or repeated interferences with privacy.
It is also possible that a failure to comply will result in referral to a health practitioner’s registering body for consideration of disciplinary proceedings being brought against the practitioner.
What should you do now?
- Develop or update your data breach response plan: The plan should cover the actions to be taken if a breach is suspected, discovered or reported.
- Plan to utilise the eligible data breach exception: Having to notify customers of a data breach can cause serious damage to your reputation. If a breach occurs and it is possible to do so, the aim should be to take remedial action promptly. Notification is not required if that action prevents the breach from being likely to cause serious harm to any affected individual.
- Review contracts with service providers: Contracts with service providers should be reviewed and, if necessary, updated in order to ensure that the provider is required to notify and work with you in the event of a data breach.
Reports made since February 2018
Since the scheme commenced on 22 February 2018 the OAIC has received 305 notifications: 63 notifications in the first (partial) quarter, from 22 February to 31 March 2018, and 242 notifications in the second quarter.
The OAIC’s second quarterly report (for the period 1 April to 30 June 2018) states that data breaches involving health information made up 25% of the notifications, down from 33% in the first quarter.
Health service providers were the industry sector that reported the largest number of notifications, representing 20% of the total. Of those notifications, 59% resulted from human error and 41% from malicious or criminal attack.
In relation to human error, examples included sending personal information to the wrong recipient by email or mail address, loss of paperwork or storage devices and unintended release or publication of personal information.
In relation to malicious and criminal attacks, theft of paperwork or storage devices was the most common type of attack. Cyber incidents were the second most common type of attack.
Of the cyber incident data breaches notified by the health sector, 62.5% involved compromised or stolen credentials (obtained, for example, through phishing or brute-force attacks). Hacking by other means (25%) and ransomware attacks (12.5%) made up the remaining cyber incidents.
In the most recent quarter, ‘system faults’ were not identified as the source of any data breaches notified by the health sector.
Most notifications from the health sector related to the personal information of 100 individuals or fewer (69% of breaches). Data breaches affecting between 1 and 10 individuals made up 51% of the notifications, and 29% of data breaches affected more than 100 individuals.
You are now required to notify the OAIC of any unauthorised access to, or unauthorised disclosure of, or loss of personal information where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure.
Remedial action taken after a suspected or actual data breach will remove the requirement to notify the breach only if, as a result of that action, a reasonable person would conclude that the breach is not likely to result in serious harm to any affected individual.
In the event that you are uncertain of the steps required to undertake the requisite assessment or remedial action, or are uncertain as to your obligations to make a mandatory notification, then you should seek legal advice. In order to ensure that you are up-to-date regarding the NDBS, you should refer to the below resources provided by the OAIC.
Two of the OAIC’s publications, the Data breach preparation and response guide and the Guide to securing personal information, provide useful information for practitioners and practices. An OAIC webinar entitled Preparing for the Notifiable Data Breaches Scheme may also be of assistance.