The Notifiable Data Breaches (NDB) scheme in the Privacy Act, which came into effect on 22 February 2018, requires entities to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of certain data breaches. As a general rule, the NDB scheme applies to agencies and to organisations with an annual turnover of more than $3 million, and in certain cases to others, such as those that have contractual arrangements with government.
Despite the “small business exemption” in the Privacy Act, RCSA takes the view that most Members will be covered because they trade in the supply of personal information (e.g. information about candidate suitability), and trading in personal information is one of the circumstances in which the exemption does not apply. There may be some exceptions. But remember, RCSA Members’ Code of Professional Conduct responsibilities require them to take reasonable steps to maintain the privacy of information obtained in the course of their professional practice, regardless of whether there is any strict legal obligation to do so.
The NDB scheme requires entities to notify individuals and the Commissioner about ‘eligible data breaches’. An eligible data breach occurs when all of the following criteria are met:
There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
The access, disclosure or loss is likely to result in serious harm to one or more of the individuals to whom the information relates.
The entity has not been able to prevent the likely risk of serious harm through remedial action.
The OAIC’s Guide to Managing Data Breaches is a good reference to start developing a full Data Breach Response Plan customised to your business. Note the timeframes: where an entity suspects but is not certain that an eligible data breach has occurred, it must carry out a reasonable and expeditious assessment within 30 days, and once an eligible data breach is identified it must be notified as soon as practicable.
The NDB scheme recognises that entities often hold personal information jointly. For example, one entity may have physical possession of the information, while another has legal control or ownership. In these circumstances, an eligible data breach of one entity will also be considered an eligible data breach of other entities that hold the affected information. Both will have obligations under the NDB scheme.
Accordingly, where information is held jointly, entities should establish clear procedures for complying with the NDB scheme when entering into service agreements or other relevant contractual arrangements. This may include considering obligations around the communication of suspected breaches, processes for conducting assessments, and responsibility for containment, remediation, and notification. The scheme does not require duplicate notifications: if one of the entities notifies in accordance with the scheme, the others are taken to have complied, so the contract should say who will do it. The OAIC suggests that, in general, the entity with the most direct relationship with the individuals affected by the data breach should carry out notification. This will allow individuals to better understand the notification, and how the eligible data breach might affect them.
European Union General Data Protection Regulation (GDPR)
Another major change is the introduction of the GDPR, which has applied since 25 May 2018. This has ramifications for any RCSA Corporate Members that hold personal information about individuals located in the EU. Even if your company is not physically located in the European Union, the GDPR applies where your organisation offers goods or services to individuals in the EU (for example, placing candidates or servicing clients there), or monitors the behaviour of individuals within the EU. The test is where the individual is, not their citizenship, so in practice any EU-based candidates or client contacts in your database should be treated as within scope.
The GDPR and the Australian Privacy Act share many similar goals, such as privacy by design and transparency. However, there are key differences that your organisation should be aware of, such as a stricter standard of consent (it must be freely given, specific, informed and unambiguous), an individual’s right to be forgotten (erasure) and right to data portability, and a requirement to report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of them, which is a much tighter deadline than the NDB scheme’s “as soon as practicable”. There are also strict requirements regarding the transfer of personal data outside the EU.