More guidance released on the notifiable data breaches regime
The Office of the Australian Information Commissioner (OAIC) has released further draft guidance on the notifiable data breaches (NDB) regime that comes into effect in just over three months’ time.
The NDB regime, which commences on 22 February 2018, will require private sector businesses and government agencies covered by the Privacy Act 1988 (Privacy Act) to notify affected individuals as well as the head of the OAIC, the Australian Information Commissioner, of ‘eligible data breaches’.
An ‘eligible data breach’ is one that is likely to result in serious harm to any individual whose personal information is affected. The notice must include recommendations about the steps that individuals should take in response to the data breach.
Recent draft documents released by the OAIC include:
- draft guidance on what information should be included when notifying the Information Commissioner of an eligible data breach
- a draft notifiable data breach statement
- an online draft notifiable data breach statement smart form.
According to Clayton Utz lawyers, these materials provide greater clarity as to the OAIC's expectations of entities which will be subject to the NDB Scheme.
While these materials are currently in draft, Clayton Utz does not expect their final form to differ in any material respect.
The draft notifiable data breach statement, used to inform the Australian Information Commissioner of an ‘eligible data breach’, is divided into two parts.
Part one is the ‘statement’ about a data breach required by section 26WK of the Privacy Act 1988. If you are required to notify individuals of the breach, your notification to those individuals must contain the information you have entered into part one of the form.
Part two of the form is optional and asks entities to voluntarily provide additional information about the eligible data breach. However, the OAIC may need to contact you to seek further information if you do not complete this part of the form.
Lawyers Clyde & Co LLP advise that in order to provide the required data breach statement, organisations will need to have a strong understanding of the specific circumstances of the breach including the types of records compromised, whether other organisations may be affected and how the underlying security breach event occurred.
They add: ‘The depth of information which must be provided to the OAIC highlights how important it is to be fully prepared for the notifiable data breach regime. Organisations should be preparing and testing their data breach response plan and ensuring that it contains detailed policies and systems to ensure prompt notification to the OAIC and affected individuals after an eligible data breach.’
Clayton Utz says entities covered by the NDB Scheme should prepare for it by:
- auditing their current information security processes and procedures to ensure they are adequate
- preparing a data breach response plan (or updating their current plan) including by reference to the guidance materials released by the OAIC
- providing training to relevant officers and employees as to any role they may have in responding to data breaches.
Other useful OAIC resources include:
- a guide to securing personal information in preparation for the scheme
- a guide to handling personal information security breaches
- a guide to developing a data breach response plan
- a privacy management framework which sets out the steps that the OAIC expects organisations to take to ensure good privacy governance and compliance with the Privacy Act.
In addition, interested organisations can register to attend a webinar on the key requirements of the NDB regime, hosted by the OAIC on 21 November (12pm to 1pm AEDT).