Five things you didn't know about the NDB Scheme

By Gavin Smith, Valeska Bloch

1. The 30-day time limit to assess whether an eligible data breach has occurred is not a hard stop.

Where an entity becomes aware of reasonable grounds to suspect that an eligible data breach has occurred, it must carry out an assessment of this suspicion expeditiously and must take all reasonable steps to carry out this assessment within 30 days.[1]

The Office of the Australian Information Commissioner (OAIC) has said that entities should treat this 30-day period as the maximum time limit, particularly given that the risk of serious harm to individuals tends to increase with time. However, the OAIC also recognises that it will not always be possible to complete an assessment of a suspected data breach within 30 days, for example, if systems or records were lost during the intrusion and significant recovery effort is required.

Top tip: Where an entity cannot reasonably conduct a data breach assessment within 30 days, the OAIC recommends that an entity prepare and retain documentation that will allow it to demonstrate:

  • that all reasonable steps were taken to complete the assessment within 30 days;
  • the reasons for the delay; and
  • that the assessment was reasonable and expeditious.

2. The scheme does not apply to employee records.

The OAIC has confirmed in its Data breach preparation and response guide that businesses will not be required to notify the OAIC or individuals about data breaches relating to employee records – that is, personal information of an employee relating to their employment. This is because the employee records exemption provided for in the Privacy Act 1988 (Cth) applies to the Notifiable Data Breaches Scheme (NDB Scheme).[2]

A few words of caution.

  • Even where the employee records exemption applies, the OAIC recommends notifying individuals affected by a breach of employee records if it is likely to result in serious harm.
  • Think carefully about whether the information involved in a data breach is truly covered by the exemption.
    • For example, employees often use their work email accounts to receive personal emails, such as communications from their bank, which would not be covered by the exemption. In practice, it may be difficult to distinguish between what data does and does not fall within the exemption.
  • The employee records exemption will not extend to a data breach involving tax file numbers.[3]
  • The employee records exemption only applies to an employee record held by the employer. If your organisation stores its employee records with a third party, the exemption will not extend to a data breach involving those records and your service provider will need to notify the OAIC of the breach.

3. The OAIC can make a declaration that an entity does not have to notify, or can defer notification, for a specified period.

The NDB Scheme allows the OAIC to declare that an entity may dispense with or delay notification following an eligible data breach.[4] The decision to exercise this power may be on the OAIC's own initiative or follow an application by an entity that has experienced a data breach.[5]

In deciding whether to make such a declaration, the Commissioner must be satisfied that it is reasonable in the circumstances to do so, having regard to:

  • the public interest;
  • any relevant advice provided to the OAIC by an enforcement body or the Australian Signals Directorate; and
  • any other matter that the OAIC considers to be relevant to the situation.[6]

The OAIC has also identified a number of additional factors that it may consider before making a declaration to this effect, including whether the risks associated with notification outweigh the benefits to individuals at risk of serious harm.

Things to consider when making an application:

  • The OAIC expects that declarations will only be made in exceptional circumstances. Unfortunately, owing to the practical reality that only entities which are granted declarations will be made aware of the circumstances in which they occur, it is difficult to predict what will be considered sufficiently 'exceptional'.
  • Entities that request an exemption should be prepared to present a compelling case with detailed evidence as to why it is reasonable in the circumstances for the notification requirements to be dispensed with, including why no other exemptions apply.

4. You will be liable for the notification of breaches suffered by an overseas recipient of personal information.

Ordinarily, where an entity discloses personal information to an overseas recipient in accordance with Australian Privacy Principle 8.1, the disclosing party will only be liable for a breach of the Australian Privacy Principles (APPs) by that overseas recipient where the APPs do not apply to the overseas recipient.[7]

The NDB Scheme takes a stricter approach, such that a party who discloses personal information in accordance with APP 8.1 is deemed liable even where the overseas recipient is itself subject to the Privacy Act.[8] Keep in mind that this deemed liability will not apply to personal information disclosed overseas under an exception in APP 8.2.[9]

The OAIC recommends that, where a single data breach involves multiple entities, the entity with the most direct relationship with the affected individuals should make the notification. Even so, if an overseas recipient of information disclosed by you suffers a data breach, remember that you will be deemed liable for any failure to notify that breach.

It may still be appropriate for the overseas recipient to notify, depending on who has the closer relationship with affected individuals, but you should make sure that you retain appropriate oversight and input into the assessment of the breach, what the notification contains and how it is carried out.

For more information on data breaches involving more than one organisation, see Double trouble: how to handle a data breach involving more than one organisation.

5. You may still need to notify even if the eligible data breach requirement is not triggered.

It is a common misconception that once a data breach has occurred, your notification obligations are limited to those required by the NDB Scheme. In fact, there may be other good reasons why you may choose or need to notify.

  1. APP 11 – Before the introduction of the NDB Scheme, the OAIC had suggested that, in certain circumstances, a failure to notify may in and of itself constitute a breach of APP 11. This is because notifying may in fact enable individuals to protect their personal information, for example, by changing their passwords.
    Although the introduction of the NDB Scheme makes it less likely that the OAIC would seek to assert that a breach of APP 11 has occurred in a data breach scenario, it is still open to the OAIC to do so. This means that even if you suffer a data breach that is not an eligible data breach, you should still consider notifying.
  2. Continuous disclosure – If you are a listed entity and there is a possibility that a data breach you suffer might reasonably be expected to have a material effect on the price of your securities, you may need to disclose the data breach to the ASX. For more information on continuous disclosure obligations and data breaches, please see our article Coming clean and staying clean: Continuous disclosure obligations in the age of data breach.
  3. Other notification requirements – Depending on the nature of your business, how and where you hold your data and who you hold data about, you may be subject to other notification requirements, for example, under state-based or international data protection laws, or under sector-specific laws. Keep in mind:
    • the EU General Data Protection Regulation (GDPR), which has significant extra-territorial reach. For more on notification requirements under the GDPR, see our article New EU rules raise the bar for data security; and
    • reporting obligations under the National Cancer Screening Register Act 2016 and the My Health Records Act 2012.
  4. Public and customer relations – Even if there is no legal obligation to notify affected customers, you may decide to notify about a non-eligible data breach in the interests of maintaining good public relations, particularly if there is a reasonable chance that the data breach may become public through sources that are out of your control. If you get on the front foot with notification and a public statement, you can control the narrative and ensure that your customers receive accurate information.

Footnotes

  1. Privacy Act 1988 (Cth), s26WH.
  2. Privacy Act 1988 (Cth), s7B.
  3. Privacy Act 1988 (Cth), ss 17, 18 and 26WE(1)(d).
  4. Privacy Act 1988 (Cth), s26WQ.
  5. Privacy Act 1988 (Cth), s26WQ(5).
  6. Privacy Act 1988 (Cth), s26WQ(3).
  7. Privacy Act 1988 (Cth), s16C.
  8. Privacy Act 1988 (Cth), s26WC. Although this is the position under the legislation, curiously, the Explanatory Memorandum to the Bill introducing the NDB Scheme appears to suggest that s26WC and s16C will operate in the same way, when in fact, the latter contains a critical caveat to the effect that where the APPs apply to an overseas recipient of personal information, the disclosing entity will not be deemed liable. In contrast, the drafting of s26WC indicates that a disclosing entity is liable for any breach of the NDB Scheme by an overseas organisation, regardless of whether the overseas recipient is subject to the APPs. Interestingly, the Explanatory Memorandum does not provide an explanation for this distinction between the two provisions.
  9. There is similar deemed liability for credit providers who disclose credit eligibility information in specified circumstances to certain bodies without an 'Australian link' (defined in s5B of the Privacy Act 1988), but there is no deemed liability for credit reporting bodies, who are not permitted to disclose credit reporting information unless certain exceptions apply. Those exceptions are limited and, in most cases, require that the party receiving the information has an 'Australian link'.