Notifiable Data Breaches
Know what a notifiable data breach is? Check out our post on how you can protect your business from data breaches
Until very recently, Australian businesses were not required to inform their customers if personal information was hacked and leaked to the public or unauthorised parties. In fact, in November last year, the popular ride-sharing company Uber was named and shamed for its year-long cover-up of a data breach which exposed the personal information of 57 million Uber drivers around the world. In this case, Uber not only failed to notify the public about the breach, but they actually paid the hackers to stay quiet.
Unsurprisingly, the 2017 Australian Community Attitudes to Privacy Survey revealed that 69 percent of Australians are more concerned about their online privacy than they were five years ago, while 94 percent of Australians believe they should be told if a business loses their personal information. Clearly, with the ever-changing technological, social and consumer landscape in which personal information is being used, the climate has been ripe for change.
As of 22 February 2018, the Notifiable Data Breaches (NDB) scheme mandates that all Australian businesses covered by the Privacy Act 1988 are required to report eligible data breaches to authorities and all affected individuals – provided the business is aware of data breaches or has reason to believe a breach has occurred.
What is a notifiable data breach?
There are three scenarios in which a notifiable data breach is deemed to have occurred:
- Unauthorised access to personal information
This is where a person accesses personal information held by a business without permission. But this doesn’t only relate to access by external third parties such as hackers. Unauthorised access for the purposes of a notifiable data breach also includes access by employees or contractors who do not have the requisite permission.
- Unauthorised disclosure
There are situations where notifiable data breaches are committed by people who are authorised to access information. This can occur when an entity itself, via employees or contractors, makes personal information available to others outside the entity in a manner not permitted by the Privacy Act. An example of this could be where an employee accidentally emails confidential personal data to an unintended recipient.
- Loss of personal information
In this scenario, an entity is said to have committed a notifiable data breach when it inadvertently or accidentally loses personal information in circumstances where the loss is likely to result in unauthorised access or disclosure. For example, this could occur when an employee leaves unsecured computer equipment on public transport.
Here are some of the types of personal information involved in data breaches:
- Sensitive information such as:
  - Political opinions
  - Religious views
  - Racial or ethnic origin
  - Membership of a trade union
  - Sexual preferences
  - Criminal record
- Documents commonly used for identity theft, including:
  - Medicare card
  - Driver’s licence
  - Financial statements
  - Birth certificate
  - Homeownership deeds
  - Tax assessment notices
  - Utility bills
- Financial information, such as:
  - Account details
It’s also important to remember that a data breach can occur when a combination of types of personal information is revealed. In this case, even though each piece of information might not reveal enough to identify or affect an individual, together they reveal enough about a person to constitute a notifiable data breach.
Are you required to report them?
Under the Notifiable Data Breaches scheme, you need to act and report data breaches if you are one of the following:
- An Australian Government agency
- A business or not-for-profit organisation with an annual turnover or revenue of $3 million or more
- A small business operator with less than $3 million turnover or revenue if:
  - You are a private sector health service provider
  - You trade in personal information without obtaining formal consent from all parties (for example, you’ve bought or sold a mailing list without obtaining the consent of all the individuals on that list)
  - You hold personal information in relation to certain activities, including the provision of services to the Commonwealth under a contract
- A TFN recipient (someone holding a Tax File Number in their systems)
Your business may not need to comply with the Notifiable Data Breaches scheme if none of the above criteria applies, but there’s no doubt that security and privacy are becoming increasingly hot topics all around the world. So, whether you’re a business on track for growth or you’re concerned about this rapidly changing landscape, it could pay dividends to start securing your business against data breaches today, whatever your size, industry or sector.
What happens if you don’t report data breaches?
Admitting to a data breach is never going to be fun and games, but concealing an eligible data breach (just like Uber did) could result in severe penalties. In fact, failure to comply with the NDB scheme can attract fines of up to $2.1 million for businesses and up to $360,000 for individuals.
Want to know how to protect your business from data breaches? See Part 2.