Notifiable Data Breaches and third party data holders
The Notifiable Data Breaches (NDB) scheme of the Privacy Act that came into effect in February 2018 requires entities to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of certain data breaches. As a general rule, the NDB scheme applies to agencies and organisations with revenue over $3 million, and in certain cases, others such as those that have contractual arrangements with government.
Despite the “small business exemption” in the Privacy Act, RCSA is taking the view that most Members will be covered because they trade in the supply of personal information – e.g. information about candidate suitability etc. There may be some exceptions. But remember, RCSA Members’ Code of Professional Conduct responsibilities require them to take reasonable steps to maintain the privacy of information obtained in the course of their professional practice, regardless of whether there is any strict legal obligation to do so or not.
The NDB scheme requires entities to notify individuals and the Commissioner about ‘eligible data breaches’. An eligible data breach occurs when the following criteria are met:
There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
This is likely to result in serious harm to any of the individuals to whom the information relates.
The entity has been unable to prevent the likely risk of serious harm with remedial action.
The OAIC’s Guide to Managing Data Breaches is a good reference to start developing a full Data Breach Response Plan customized to your business.
The NDB scheme recognises that entities often hold personal information jointly. For example, one entity may have physical possession of the information, while another has legal control or ownership. In these circumstances, an eligible data breach of one entity will also be considered an eligible data breach of other entities that hold the affected information. Both will have obligations under the NDB scheme.
Accordingly, where information is held jointly, entities should establish clear procedures for complying with the NDB scheme when entering into service agreements or other relevant contractual arrangements. This may include considering obligations around the communication of suspected breaches, processes for conducting assessments, and responsibility for containment, remediation, and notification. OAIC suggests that, in general, the entity with the most direct relationship with the individuals affected by the data breach should carry out notification. This will allow individuals to better understand the notification, and how the eligible data breach might affect them.
European Union General Data Protection Regulation (GDPR)
Another major change is the introduction of the GDPR in May 2018. This has ramifications for any RCSA Corporate Members that hold any personal information about any EU citizen. Even if your company is not physically located in the European Union, GDPR applies whenever your organisation trades with EU residents or monitors the behaviour of individuals within the EU; in practice, whenever any EU individual is within your database.
The GDPR and the Australian Privacy Act share many similar goals, such as privacy by design and transparency. However, there are key differences that your organisation should be aware of, such as the requirement for explicit and clear consent, and an individual’s right to be forgotten and right to data portability. There are also strict requirements regarding the transfer of personal data outside the EU.
If your organisation trades with EU residents, or monitors the behaviour of individuals within the EU, it is vital that you seek advice on implementing the GDPR. For more information about the GDPR please click here.
Checklist for Members with third party data holders (e.g. online timesheets, cloud-based databases, IT providers, payroll companies)
Do you know all the third parties that hold your data?
What compliance checks have you done on them?
Have you established clear procedures with any third party data holders for obligations under the NDB scheme?
Do you have any individuals in your database who might be EU citizens?
Example questions to ask a third party data holder:
Where is your live data being stored (implications for off-shore)?
Where are your back-ups being stored?
Do you outsource any handling of my company data to another party? If so, how do you ensure their compliance with the Australian Privacy Act?
Has an independent party completed an audit of your system/data security?
Do you have firewalls protecting your own customer data and my client/candidate data?
Is your antivirus/anti-spyware/anti-malware software up to date?
Do you protect all Personally Identifiable Information through Encryption?
Who has access to the data?
What is the policy for data and security breach notifications?
What timeframe would you provide for any breach notification? (Make sure this is quick enough to allow you to meet the required notification periods yourself.)
Who would bear the costs of data breach recovery (including containment, assessment, legal advice, notification costs or other)?
Who would notify individuals involved?
Who would notify the Office of the Australian Information Commissioner?
Are your data security policies and procedures communicated to all employees, including annual security awareness and data breach notification training?
Could you ensure that a record has been deleted from all instances, including live and backup versions, if requested? (For EU citizens’ “Right to be Forgotten”.)
Could you export all references to an individual so that they can port their data to another service? (For EU citizens’ “Data Portability”.)