Part 4: Notifiable Data Breach (NDB) Scheme

The Privacy Act requires certain entities to notify individuals and the Commissioner about data breaches that are likely to cause serious harm.

The requirements of the NDB scheme are contained in Part IIIC of the Privacy Act and apply to breaches that occur on or after 22 February 2018.

This part of the guide covers the following topics:

Entities covered by the NDB scheme

Key points

APP entities

The NDB scheme applies to entities that have an obligation under APP 11 of the Privacy Act to protect the personal information they hold (s 26WE(1)(a)).[14] Collectively known as ‘APP entities’, these include Australian Government agencies and private sector and not-for-profit organisations with an annual turnover of more than $3 million. The definition of APP entity generally does not include small business operators, registered political parties, state or territory authorities, or a prescribed instrumentality of a state (s 6C). However, some businesses of any size are APP entities, including businesses that trade in personal information [15] and organisations that provide a health service to, and hold health information about, individuals (see What Is a Health Service Provider?).[16]

For more information about APP entities, see Chapter B of the Australian Privacy Principle Guidelines (APP Guidelines ).[17]

Exempt acts and practices

The NDB scheme only applies to entities and personal information holdings that are already subject to security requirements under the Privacy Act. This means that acts and practices of APP entities that are exempt from the Privacy Act may also be exempt from the NDB scheme.

For example, the Privacy Act does not cover employee records, a media organisation acting in the course of journalism or registered political parties and political representatives. Further information about exempt acts and practices can be found in Rights and Responsibilities[18].

Entities should be mindful that the employee record exemption:

Small business operators

A small business operator (SBO) is an individual (including a sole trader), body corporate, partnership, unincorporated association, or trust that has not had an annual turnover of more than $3 million in any financial year since 2001 (s 6D).

Generally, SBOs do not have obligations under the APPs unless an exception applies (s 6D(4)).

In certain circumstances an SBO must comply with the APPs, and therefore with the NDB scheme. That will be the case where the SBO:

More information about how to determine whether a business or organisation is an APP entity or subject to the APPs for some of its activities is available at Small Business.[19]

Credit reporting bodies

A credit reporting body (CRB) is a business or undertaking that involves collecting, holding, using, or disclosing personal information about individuals for the purpose of providing an entity with information about the credit worthiness of an individual (s 6P). Credit reporting information is defined as credit information or CRB derived information about an individual (s 6(1)).

CRBs have obligations under the NDB scheme in relation to their handling of credit reporting information (s 26WE(1)(b)), and in relation to their handling of any other personal information for which they have obligations under APP 11.

Credit providers

The NDB scheme applies to all credit providers whether or not they are APP entities. The section of the Privacy Act under which a credit provider is required to comply with the scheme will depend on what kind of information is involved in the data breach.

If it is ‘credit eligibility information’ (defined in s 6(1)) the NDB scheme will apply because of the security requirement in s 21S(1) in relation to that information.

If the credit provider is also an APP entity the NDB scheme applies in relation to other personal information because of the security requirement in APP 11.

The organisations that are credit providers for the purposes of the Privacy Act (s 6G) are:

An organisation or SBO that acquires the right of a credit provider in relation to the repayment of an amount of credit is also considered a credit provider, but only in relation to that particular credit (s 6K).

TFN recipients

The NDB scheme applies to TFN recipients[20] in relation to their handling of TFN information (s 26WE(1)(d)). A TFN recipient is any person who is in possession or control of a record that contains TFN information (s 11).TFN information is information that connects a TFN with the identity of a particular individual (s 6).

A TFN recipient may also be an APP entity or credit provider. In certain circumstances, entities that are not otherwise covered by the Privacy Act, such as state and local government bodies, may also be authorised to receive TFN information and will be considered TFN recipients.

The NDB scheme applies to TFN recipients to the extent that TFN information is involved in a data breach. If TFN information is not involved, a TFN recipient would only need to comply with the NDB scheme for breaches of other types of information if they are also a credit provider or APP entity.

Overseas activities

Entities with an ‘Australian link’

The NDB scheme generally extends to the overseas activities of an Australian Government agency (s 5B(1)). It also applies to organisations (including small businesses covered by the Act, outlined above) that have an ‘Australian link’ (s 5B(1A)).

An organisation or small business operator has an Australian link either because it is, in summary, incorporated or formed in Australia (see s 5B(2) for more detail). An organisation or small business operator will also have an Australian link where it carries on business in Australia or an external Territory (s 5B(3)(b)).[22]

Further information about entities that are taken to have an Australian link is available in Chapter B of the APP Guidelines.[23]

Disclosing personal information overseas

If an APP entity discloses personal information to an overseas recipient, in line with the requirements of APP 8.1, then the APP entity is deemed to ‘hold’ the information for the purposes of the NDB scheme (s 26WC(1)). APP 8.1 says that an APP entity that discloses personal information to an overseas recipient is required to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information. This means that if the personal information held by the overseas recipient is subject to loss, unauthorised access, or disclosure, the APP entity is still responsible for assessing whether it is an eligible data breach under the Privacy Act, and if it is, for notifying individuals at risk of serious harm and providing a statement to the Commissioner.

There are exceptions to the requirement in APP 8.1 to take reasonable steps. APP entities that disclose information overseas under an exception in APP 8.2 are not taken to ‘hold’ information they have disclosed overseas under s 26WC. In these circumstances, if the personal information held by the overseas recipient is subject to a data breach, the APP entity does not have obligations to notify about the breach under the NDB scheme.

More information about APP 8 is available in Sending Personal Information Overseas.[24]

Disclosing credit eligibility information

If a credit provider discloses credit eligibility information about one or more individuals to a person, a body or a related body corporate that does not have an ‘Australian link’ (s 26WC(2)(a)),[25] the credit provider may also have obligations under the NDB scheme in respect of that information. In the event that credit eligibility information held by the person or related body corporate is subject to loss, unauthorised access, or disclosure, the credit provider is responsible for assessing whether there is an eligible data breach that needs to be notified to individuals at risk of serious harm and the Commissioner.

Consumer Data Right entities

Under the CDR system, the NDB scheme extends to accredited data recipients and designated gateways in relation to any data breaches involving CDR data (where that data relates to a CDR consumer).[26]An accredited data recipient is an entity that has been accredited by the Australian Competition and Consumer Commission (ACCC) under the CDR. A designated gateway is an entity that has been designated by the Treasurer to facilitate the transfer of CDR data between data holders and accredited data recipients.

Data breaches involving more than one entity

Key points

When is information held jointly?

Under s 6(1) of the Privacy Act, an entity is taken to ‘hold’ personal information if it has possession or control of a record that contains personal information. This means that the term ‘holds’ extends beyond physical possession of a record to include a record that an entity has a right or power to deal with, even if it does not physically possess the record or own the medium on which it is stored.

For example, one entity may store its records with a cloud service provider. Since the cloud service provider has possession of the records and can access that information physically or by use of an electronic device, it will be taken to hold the personal information. Because the first entity has contractual rights to retain control of the records (such as maintaining rights to access and use the records), both entities hold the information.

Whether an entity will be taken to ‘hold’ personal information will therefore depend on the particular circumstances of the arrangement.

Other examples where two or more entities may hold the same information include:

Example

A large market research company is conducting focus groups on behalf of its client, a fast food outlet, using a list of interviewees provided by its client for that purpose. The contractual arrangements between the market research company and the ast food outlet give the fast food outlet effective control over how the information is handled by the research company. Following the focus group sessions, all participants give consent to participate in future research projects for the research company’s other clients. The research company creates a new record containing the participant’s names and contact details. Although the record contains the same information that the market research company originally received from the fast food outlet, only the market research company has possession or control over the newly created record. This means that only the market research company would have NDB scheme obligations in the event of a data breach affecting the newly created record.

Responding to data breaches of jointly held information

In situations where two or more entities hold the same record of personal information, both entities are generally responsible for complying with the NDB scheme in relation to this record.

However, exceptions apply so that only one of the entities that jointly holds information needs to comply with the NDB scheme’s assessment and notification requirements on behalf of the group. For example, if a data breach affects one or more other entities that jointly hold personal information, and one entity has assessed the suspected breach, the other entities are not required to also assess the breach (s 26WJ). If no assessment is conducted, depending on the circumstances, each entity that holds the information may be found to be in breach of the assessment requirements.

Similarly, only one entity needs to notify individuals and the Commissioner (s 26WM) if there is an eligible data breach involving personal information jointly held by more than one entity (see Identifying Eligible Data Breaches). If none of the entities notify, then all of the entities may be found to have breached the notification requirements of the NDB scheme (s 26 WL( 2)).

See Exceptions to Notification Obligations for more information about the circumstances in which specific exceptions apply to entities that jointly hold information.

How to allocate responsibility for compliance

Each entity that holds personal information involved in an eligible data breach, should be able to demonstrate they are meeting the requirements of the NDB scheme.

The NDB scheme does not prescribe which entity should conduct an assessment of a suspected data breach, nor which entity should notify individuals and the Commissioner about an eligible data breach. This allows entities to tailor their arrangements to accommodate their particular contractual and customer relationships.

Accordingly, where information is held jointly, entities should establish clear procedures for complying with the NDB scheme when entering into service agreements or other relevant contractual arrangements. This may include considering obligations around the communication of suspected breaches, processes for conducting assessments, and responsibility for containment, remediation, and notification.

The Commissioner suggests that, in general, the entity with the most direct relationship with the individuals at risk of serious harm may be best placed to issue a notification to them. This will allow individuals to better understand the notification, and how the eligible data breach might affect them.

Example

A medical practice stores paper-based patient records with a contracted storage provider. The storage provider’s premises are broken into and a number of items stolen. While the storage provider cannot immediately determine if the stolen items included the medical practice’s records, it suspects that they might have been included. Both the medical practice and the storage provider hold the records for the purpose of the Privacy Act, so both have an obligation to conduct an assessment and, if required, notify.

Since the storage provider is more familiar with its facilities, the entities decide that the storage provider is best placed to conduct an assessment and determine if the records were stolen. Once the provider determines that the records were stolen, the medical practice assists the assessment by using its knowledge about the affected individuals to conclude that serious harm is likely. Although the storage provider’s insurance company has agreed to cover the cost of notification, the storage provider and medical practice agree that it is most appropriate that notification come from the medical practice, as the relevant individuals do not have any pre-existing relationship with the storage provider. As such, the medical practice notifies the individuals about the incident and is reimbursed by the storage provider and its insurer for the costs of notification.

Identifying eligible data breaches

Key points

Eligible data breach

An eligible data breach arises when the following three criteria are satisfied:

  1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds (see, What is a ‘Data Breach’?)
  2. this is likely to result in serious harm to one or more individuals (see, Is Serious Harm Likely?), and
  3. the entity has not been able to prevent the likely risk of serious harm with remedial action (see Preventing Serious Harm With Remedial Action).

This document is about the threshold at which an incident is considered an ‘eligible data breach’ that will be notifiable under the scheme unless an exception applies. Assessing a Suspected Data Breach provides guidance to entities about the process to follow when carrying out an assessment of ‘whether there are reasonable grounds to suspect that there may have been an eligible data breach of the entity’ under s 26WH.

What is a ‘data breach’?

The first step in deciding whether an eligible data breach has occurred involves considering whether there has been a data breach; that is, unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information (s 26WE(2)). The Privacy Act does not define these terms. The following analysis and examples draw on the ordinary meaning of these words.

Is serious harm likely?

The second step in deciding whether an eligible data breach has occurred involves deciding whether, from the perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach.

For the NDB scheme a ‘reasonable person’ means a person in the entity’s position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach. In general, entities are not expected to make external enquiries about the circumstances of each individual whose information is involved in the breach. ‘Reasonable person’ is also discussed in general terms in Chapter B of the OAIC’s APP Guidelines. [27]

The phrase ‘likely to occur’ means the risk of serious harm to an individual is more probable than not (rather than possible).

‘Serious harm’ is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

Entities should assess the risk of serious harm holistically, having regard to the likelihood of the harm eventuating for individuals whose personal information was part of the data breach and the consequences of the harm. The NDB scheme includes a non-exhaustive list of ‘relevant matters’ that may assist entities to assess the likelihood of serious harm. These are set out in s 26WG as follows: