If your business is based in Australia, or you have customers or contacts in Australia, you may have heard of the Notifiable Data Breaches Act 2017. The Act takes effect on February 22nd, 2018. Australian-based businesses, as well as anyone processing the data of Australian citizens, will be affected by these laws.
Section 1: Past Practice
Reporting of data breaches to the OAIC and/or affected individuals was not legally mandatory. Incidents were reported voluntarily, at the discretion of the entity.
Section 2: The Changes
Unless an exception applies, all entities[1] subject to the Privacy Act 1988 must notify eligible data breaches to the OAIC and to affected individuals as soon as practicable after the entity becomes aware of "reasonable grounds" to believe there has been a breach of the entity's data.
These are amendments to the Privacy Act 1988 (Cth), which consolidates several pre-existing privacy principles into the new Australian Privacy Principles (APPs).
2.1 Under the Privacy Act, the Privacy Principles outline use, management and handling of personal information for "APP Entities":
- (most) Australian Government Agencies (including Norfolk Island)
- all private sector and not-for-profit businesses with an annual turnover of more than $3 million
- all private health service providers; and
- some small businesses[2]; and
- certain credit providers, credit reporting bodies, and holders of tax file number (TFN) information
These new Principles set stringent guidelines on the collection, disclosure, security, access and correction of solicited and unsolicited personal information, including its use for direct marketing (APP 7). Businesses not subject to the Act can still report breaches voluntarily.
2.2 Compliance with the Act:
2.2.1 Eligible Data Breaches must be reported to the OAIC when:
- there is unauthorised access to, or unauthorised disclosure of, information[3], or loss of information where unauthorised access or disclosure is likely; and
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates
Affected individuals must be directly notified of eligible data breaches. If direct notification is not practicable, the entity must publish the statement on its website and take reasonable steps to publicise its contents.
2.2.2 If there are reasonable grounds to suspect an eligible data breach, the entity must:
- carry out a "reasonable and expeditious assessment" to investigate whether there is sufficient evidence to amount to an eligible data breach; and
- take all reasonable steps to ensure the assessment is completed within 30 days[4] of becoming aware of the reasonable grounds for suspicion
2.3 Exceptions: reporting is not mandatory under the following specific conditions:
- Remedial action is taken before the access or disclosure can cause serious harm. The Act's Explanatory Memorandum cites possible remedial actions, including remote disabling or wiping of devices, freezing an account, and having accidental recipients return or delete the data.
- Where a data breach affects more than one entity, only one entity needs to undertake the notification.
- The incident is not deemed an eligible data breach by the OAIC or the OAIC Commissioner.
- The entity is an enforcement body.
- Secrecy provision: the breached information is prohibited from being disclosed under another law (other than the Privacy Act 1988).
- Declaration by the Commissioner, who takes into account advice regarding the public interest from an enforcement body and from the Australian Signals Directorate of the Department of Defence.
2.4 Consequences of non-compliance
Entities that seriously breach, or repeatedly fail to comply with, the Privacy Act risk significant fines:
- a minimum of $2,000 for individuals; and
- $350,000 up to $2 million for corporations
Section 3: What the NDB Act means for Managed Service Providers (MSPs)
All Australian MSPs that match the criteria of an "entity" (refer to section 2.1) will be required by law to report any eligible data breach, or be subject to the penalties (refer to section 2.4). Reporting will be compulsory for MSPs that service any private health service providers, Government agencies, or holders of TFN information (see section 2.1).
Note that unauthorised access to, or disclosure of, information can result from both internal and external factors. These include (but are not limited to) human error and equipment loss, along with malicious acts such as targeted hacks, theft, ransomware, malware and phishing. If an MSP suspects an eligible data breach has occurred, it has 30 days from becoming aware of the suspected breach to assess it; if immediate remedial action can be taken to address the breach, in some cases (see section 2.3) it does not have to be reported.
These laws extend the Privacy Act 1988 by adding legal accountability for specific "entities" that manage the personal information of Australian citizens, to ensure that information is protected. Furthermore, the updated Australian Privacy Principles (APPs) also govern the ethical use, sale and sharing of personal information by entities for commercial and marketing purposes. Unauthorised disclosure (transfer, sharing, publishing) of personal information by an entity can incur penalties (see section 2.4).
Finally, before the NDB Act comes into effect, MSPs have an opportunity to prepare by understanding how their clients' current information handling practices and network setup affect disaster recovery. Some important questions to ask before these laws take effect:
- Are our clients handling information in a correct and compliant way against industry standards?
- Is our client's data network secure? Are their backups (onsite and offsite) up to date?
- Is their Disaster Recovery Plan quickly able to be executed? Are all responsible people aware of their roles?
With a compliant, reliable setup and a tested Disaster Recovery plan, MSPs can affirm the integrity of their networks and comply with the new regulations more easily.
Download free infographics
- Introduction to the NDB Act 2017 & Is Malware considered a Data Breach?
- Comparison: the Australian NDB laws and the EU's GDPR laws
Resources for MSPs
- Australian Privacy Principles
- Information on reporting for businesses
- Contact the OAIC to report a Breach
- Parties to notify of an Eligible Data Breach (Section 3d)
- Case Study: The OAIC recently concluded an investigation into the Australian Red Cross Blood Service, in an incident that would have constituted an eligible data breach. Over half a million records of blood donors were inadvertently placed on a publicly accessible portion of a web server; the Blood Service took measures to contain the breach.
[1] Entities include individuals and businesses.
[2] Small businesses are subject to the conditions of the Privacy Act if they:
- provide personal information in exchange for any benefit, including commercial benefit and sponsorship; when any personal information (e.g. an email list) is provided to another company, both entities are subject to the Act;
- are related to a business with an annual turnover of greater than $3 million;
- provide someone else with a benefit, service or advantage in order to collect personal information;
- provide health services and hold health information other than employee records; or
- are a contracted service provider for a Commonwealth contract.
[3] Information, under the APPs, refers to 'Sensitive Information'.
[4] In some cases, the assessment can take longer.
Sources
- Federal Register of Legislation; Privacy Amendment (Notifiable Data Breaches) Act 2017 and Explanatory Memorandum
- Office of the Australian Information Commissioner
- PwC; "Privacy Amendment (Notifiable Data Breaches) Bill 2016"
- Arts Law Centre of Australia; "Privacy and the Private Sector"