Preparing Your Mining Organisation for the NDB Scheme
The Privacy Amendment (Notifiable Data Breaches) Act 2017 established the NDB scheme in Australia as Part IIIC of the Privacy Act 1988 when it commenced. The NDB scheme sets out obligations for organisations to notify affected individuals and the Australian Information Commissioner about any data breach that is likely to result in serious harm. The NDB scheme strengthens protections for personal information by giving affected individuals an opportunity to take steps to protect their personal information following a breach. Further, the transparency supported by the scheme encourages greater personal information security capability across all Australian industries. Over time, this transparency should build consumer and community confidence in the handling of personal information. In order to comply with the NDB scheme, your mining organisation should educate all personnel who would be involved in responding to a potential data breach, so they are ready if one occurs.
Who needs to comply with the NDB scheme?
The NDB scheme applies to organisations with obligations under the Privacy Act 1988, including:
- Australian Government agencies
- All businesses and not-for-profit organisations with an annual turnover of $3 million or more
- Some small business operators, including:
  - All private sector health service providers
  - Those that trade in personal information
  - TFN recipients (if annual turnover is below $3 million, the NDB scheme will apply only in relation to TFN information)
  - Those that hold personal information in relation to certain activities, for example, providing services to the Commonwealth under a contract
What is an “Eligible Data Breach” under the NDB scheme?
An eligible data breach occurs when three criteria are met:
- There is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information, that an entity holds
- This is likely to result in serious harm to one or more individuals, and
- The entity has not been able to prevent the likely risk of serious harm with remedial action
“Serious harm” can be psychological, emotional, physical, reputational, or other forms of harm.
What is Remedial Action?
If you take remedial action that prevents the likelihood of serious harm occurring, then the breach is not an eligible data breach. For breaches where personal information is lost, the remedial action is adequate if it prevents the unauthorised access or disclosure of personal information.
Examples of remedial action:
A data file, which includes the personal information of numerous individuals, is sent to an incorrect recipient outside the entity. The sender realises the error and contacts the recipient, who advises that the data file has not been accessed. The sender then confirms that the recipient has not copied the data file and has permanently deleted it.
An employee leaves a smartphone on public transport while on their way to work. When the employee arrives at work they realise that the smartphone has been lost, and ask their employer’s IT support staff to remotely delete the information on the smartphone. Because of the security measures on the smartphone, the IT support staff are confident that its content could not have been accessed in the short period between when it was lost and when its contents were deleted.
When should my organisation conduct an Assessment of a Suspected Data Breach?
There is sometimes no evidence that the data has been subject to unauthorised access, but at the same time it cannot be proven that there has been no access. How does a company evaluate its notification obligations where there is no evidence of serious harm and no evidence of access or likelihood of harm?
If you suspect a data breach that may meet the threshold of “likely to result in serious harm,” you must conduct an assessment. Generally, there is a maximum of 30 days to conduct this assessment, counted from when you become aware of a potential breach. Ahead of the NDB scheme’s commencement, you should review your data breach response framework to ensure relevant personnel will be made aware of a breach as soon as practicable. It is not expected that every data breach will require an assessment that takes 30 days to complete before notification occurs. You must notify as soon as practicable once you hold the belief that an eligible data breach has occurred.
What is involved in an assessment?
- The Act says assessments must be “reasonable” and “expeditious”
- It is up to entities to decide what process to follow when conducting an assessment
- An assessment should include the following three stages:
  - Initiate: decide whether an assessment is necessary and identify which person or group will be responsible for completing it
  - Investigate: quickly gather relevant information about the suspected breach, including, for example, what personal information is affected, who may have had access to the information and the likely impacts, and
  - Evaluate: make a decision, based on the investigation, about whether the identified breach is an eligible data breach
Who should my organisation notify?
- You must notify any individuals who are at likely risk of serious harm as a result of a data breach
- You must also notify the Australian Information Commissioner
- There are three options for notification:
  - Notify all individuals whose personal information is involved in the eligible data breach
  - Notify only the individuals who are at likely risk of serious harm; or
  - Publish your notification, and publicise it with the aim of bringing it to the attention of all individuals at likely risk of serious harm
What should my organisation include in a statement to the Australian Information Commissioner?
Your notification to the Australian Information Commissioner must be in the form of a statement, which includes the following information:
- The identity and contact details of your agency/organisation
- A description of the eligible data breach
- The kinds of information involved in the eligible data breach
- What steps your agency/organisation recommends that individuals take in response to the eligible data breach
This statement must be provided to the Commissioner as soon as practicable.
Are there any exceptions?
There are some exceptions to notification requirements, which relate to:
- Eligible data breaches of other entities
- Enforcement related activities
- Inconsistency with secrecy provisions
- Declaration by the Australian Information Commissioner
- My Health Record data breaches