Where multiple entities jointly hold personal information compromised in a data breach, only one of those entities will need to comply with the assessment and notification requirements under the Notifiable Data Breaches Scheme (NDB Scheme). That is, compliance by one entity will be taken to constitute compliance by all of the entities. However, if no assessment or notification is undertaken when required, all of those entities may be taken to have breached those requirements.
In this article, we discuss when personal information will be held 'jointly' by multiple entities and how you should consider responding to the uncertainty of a data breach involving jointly held information.
For the purposes of the NDB Scheme, an entity will be considered to 'hold' personal information if it has possession or control over the relevant record, that is, where it has a right or power to deal with the record.
Importantly, you cannot simply avoid your obligation to notify under the NDB Scheme by outsourcing your data storage to a third party.
Information will be held jointly where two or more entities hold the same record of personal information.
There is an important difference between jointly held data and newly created records that are derived from mutually held information.
This distinction is best demonstrated by an example given by the Office of the Australian Information Commissioner (OAIC) in its Data breach preparation and response guide. In this hypothetical scenario, a client company provides a market research firm with the personal information of individuals for a focus group. The information is provided in circumstances where contractual arrangements mean that the client retains control over how the information is used.
At this point in time, the personal information is jointly held between the client and the market research firm.
Following the focus group session, the market research team asks the focus group attendees whether they would like to participate in future research projects that they facilitate. All participants give their consent to have their personal information held by the market research company to be contacted for future research opportunities. The market research firm creates a new record containing this information.
This is a new record that is separate from the information that was held jointly by the client and the market research firm.
This new record is not 'held jointly' for the purposes of the NDB Scheme, even though the personal information may be identical to that which is held jointly. As such, to the extent the new record is breached, only the market research firm will be responsible for notifying in respect of the new records, unless, of course, the contractual arrangements stipulate that the client has the right or power to deal with newly created records.
Practically, this means that you should very carefully consider how different categories of data are dealt with in agreements, including by identifying which data you do have rights to deal with and when newly created records will be out of your control.
The new scheme does not proscribe which entity should assess and/or notify, allowing entities that hold information jointly to tailor their assessment and notification arrangements to accommodate their particular customer and contractual requirements.
Although the OAIC suggests that the entity with the most direct relationship with the individuals at risk of serious harm will often be best placed to notify, there may be situations where the OAIC's suggested approach isn't the preferred response from a commercial perspective (for example, where the system involved is so complex that the system host will be best equipped to deal with any further queries post-notification).
It is important to consider these issues in advance and to ensure that both parties are aligned as to who should assess and who should notify. In some circumstances, the parties might prefer that the entity that undertakes the assessment is different to the entity that notifies.
- Be careful not to rely too heavily on other organisations to carry out an assessment or make a notification in the absence of appropriate oversight. Ensure that you have clearly communicated the responsibilities of each entity holding that information in the event of a data breach (ideally by drafting this into your new and existing contractual arrangements), prior to any incident taking place. This will save any confusion and potential miscommunication in the aftermath of a significant data breach involving several entities across a number of possible locations.
- In deciding how to allocate responsibility for undertaking an assessment and notifying the OAIC and affected individuals, weigh up all of the possible risks and benefits associated with the responsibility of notifying. Consider:
- Who would be the 'public face' of the breach – are you or the other party likely to receive inquiries?
- Who would affected individuals expect the notification to come from?
- Who has the most direct access to the underlying systems that would be affected? Consider which entity will be best able to undertake the assessment and would be best placed to provide relevant and accurate information.
- Is one party better resourced or more able to undertake the assessment or notification?
- Who will be responsible for the costs of assessment and notification?
- Who will be best placed to handle additional queries post-notification from the OAIC or affected individuals?
- Do you or the other party have any additional notification obligations? For example, under continuous disclosure requirements or overseas data breach notification regimes.
- Your contractual arrangements should contemplate:
- a requirement that other parties be informed where one party suspects a data breach involving jointly held information has occurred;
- the process for conducting an assessment where it is suspected that a data breach has occurred;
- who should undertake an assessment of a suspected data breach in particular circumstances;
- where an eligible data breach has occurred, who is responsible for notification to the OAIC and affected individuals; and
- a right to review and/or sign-off on any data breach statement prepared for the OAIC and individuals whose information was involved in the data breach.
- Other issues you may want to consider include:
- If another party is responsible for the assessment and/or notification under the NDB Scheme, how might you ensure this has actually occurred?
- What will happen if another party undertakes an assessment of the data breach and considers that notification is not required, but you disagree (or vice versa)? How might you resolve this stalemate?
- Where the OAIC decides to review a data breach involving information you held jointly, it is important that you can demonstrate the steps taken to ensure compliance with the NDB Scheme. This might include any documentation prepared for the purposes of complying with the notification regime, any internal processes or procedures, and any correspondence with the entity responsible for notification at the time of the breach.
- See Data breaches involving more than one entity in Part 4 of the OAIC's Data breach preparation and response guide