Notifiable Data Breaches Scheme – the clock is ticking

The new Notifiable Data Breaches Scheme (Scheme) under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (Act) takes effect on 22 February 2018, so it is time for businesses that fall within the ambit of the Act to ensure that they are adequately prepared.

We previously provided some general information in relation to the operation of the Scheme, but the recent release of new draft materials by the Office of the Australian Information Commissioner (OAIC) provides further insight to help inform preparation for, and compliance with, the Scheme.

If your business falls within the ambit of the Act, we urge you to consider the following principles.

BE PROACTIVE

An assessment should be completed in less than 30 calendar days.

If a business becomes aware that there are reasonable grounds to suspect an eligible data breach, then it must carry out an assessment of whether the relevant circumstances actually amount to a breach. Under the Act, the business must take ‘reasonable steps’ to ensure that this assessment is completed within 30 calendar days, but the OAIC has now indicated that this should be treated as a maximum limit – generally the assessment should be completed within a much shorter timeframe as the risk of harm to individuals increases with time.

In short, businesses need to be proactive in monitoring any suspected breach, and ensure that an assessment is quickly completed.

Any relevant individual can be ‘aware’ of a potential breach.

Proactiveness must be instilled throughout the business, and not just at a management or executive level. ‘Awareness’ of a potential breach is a factual consideration based on what a reasonable, properly informed person would think in the circumstances, and can therefore be triggered by any relevant individual within the business, such as a member of the compliance team or a senior product owner.

The OAIC has specifically indicated that a business should not delay an assessment because it is waiting for its CEO or Board, so this should be captured in the business's data breach response plan and be covered in any privacy education within the business.

TAKE PREVENTATIVE MEASURES

Given these strict timeframes, businesses should take measures to prevent or minimise any obstructions that they may face when attempting to comply with the Scheme, particularly those that relate to third parties. It is important that there are appropriate notification obligations, and clear responsibilities if a breach occurs.

Current and future contracts may be a barrier to an efficient assessment

A timely assessment may prove problematic if other parties are involved, unless there are appropriate contractual obligations in place. At a minimum, any contracts involving personal information should include notification obligations in the event of any suspected or actual breach. Businesses should consider what information or assistance they will require from third parties to either enable breach investigations, or to prepare a notification if required.

A good starting point is the newly released draft Notifiable Data Breach Statement form, which sets out the information that entities will be required to provide, including:

• a description of the breach;
• information involved in the breach; and
• recommended steps to reduce the risk of harm to individuals.

Which party will notify?

The OAIC suggests that the party with the most direct relationship with the individual should notify, even if the eligible breach originated with a third party.

This is likely to be a common scenario, particularly where parties outsource services. A recent example is the data leak suffered by Domino's Pizza, which the company attributed to an online ratings system service provider. Had this fallen under the Scheme, the OAIC approach suggests that the notification should have been made by Domino's Pizza, rather than by the third-party service provider, which had no direct relationship with the affected individuals.

Despite the OAIC guidance, the parties will ultimately need to consider which of them is best placed to make the notification on a case-by-case basis, which makes contractual obligations to co-operate particularly important.

However, even if a third party does not make the notification, it will still need to satisfy itself that the other entity has notified, because each of the entities may be found to be in breach of the Scheme if the required notification is not made.

UPDATE PROCEDURES

Finally, businesses should ensure that a data breach response plan and associated procedures have been established internally. All relevant individuals should receive appropriate training in relation to these procedures within the coming months to ensure that they understand the operation of the Scheme and their obligations.

In particular, consider the following:

• Will employees know what to do if they become aware of an actual or suspected data breach?
• Who is responsible for responding to and managing the breach?
• Are third parties required to notify the business if they suspect a breach or there is an actual breach? What information are they required to provide?
• What are the third party's obligations in the event of an actual breach, and who will enforce those obligations?

It is important that all of these questions can be answered and that appropriate procedures are put in place before 22 February 2018, as any breach from that date will be covered by the Scheme.

If you have any queries or would like further information regarding this article, please contact:

Simon McDonald
Partner
M: 0402 843 198
E: smcdonald@pageseager.com.au

Rhiannon Fletcher
Lawyer
M: 0418 966 390
E: rfletcher@pageseager.com.au

Published: 15 November 2017

Copyright © 2016 Page Seager.