Notifiable Data Breaches (NDB) scheme
9.1 The OAIC administers a Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.
9.2 Under Part IIIC, entities that have information security obligations under the Privacy Act must generally notify individuals whose information was involved and the Australian Information Commissioner (the Commissioner), about eligible data breaches (ss 26WK and 26WL).
9.3 The Commissioner has the following functions under the scheme:
- offering advice and guidance to regulated entities, and providing information to the community about the operation of the scheme
- promoting compliance with the scheme
- receiving notifications from entities
- directing an entity to notify under s 26WR
- declaring that notification need not be made, or that notification be delayed under s 26WQ
9.4 Section 13(4A) provides that if an entity contravenes any of the following requirements of the NDB scheme, the contravention is taken to be an act that is an interference with the privacy of an individual, subject to possible enforcement action:
- carry out an assessment of a suspected eligible data breach (s 26WH(2))
- prepare a statement about the eligible data breach, and give a copy to the Commissioner as soon as practicable (s 26WK(2))
- notify the contents of the statement to individuals whose personal information was involved in the eligible data breach (or, in certain circumstances, publish the statement) as soon as practicable (s 26WL(3))
- comply with a direction from the Commissioner to notify the eligible data breach (s 26WR(10))
9.5 The Commissioner’s preferred approach is to work with entities to encourage and facilitate voluntary compliance with an entity’s obligations under the NDB scheme before taking enforcement action in relation to any interferences with privacy. The OAIC has developed guidance about the NDB scheme to assist entities.
9.6 The Commissioner may, on the Commissioner’s own initiative, investigate an act or practice that may be an interference with privacy where the Commissioner thinks it is desirable to do so (s 40(2)). The Commissioner must also investigate complaints made by individuals where an act or practice may be an interference with the privacy of the individual (s 40(1)).
9.7 Where the Commissioner has identified an interference with privacy, there are a number of enforcement powers available to the Commissioner, ranging from less serious to more serious regulatory action depending on the relevant factors. These include powers to:
- accept an enforceable undertaking (s 33E) and bring proceedings to enforce an enforceable undertaking (s 33F)
- make a determination (s 52) and bring proceedings to enforce a determination (ss 55A and 62)
- seek an injunction to prevent ongoing activity or a recurrence (s 98)
- apply to a court for a civil penalty order for a breach of a civil penalty provision (s 80W), which includes serious or repeated interferences with privacy
9.8 In deciding whether an investigation or enforcement action is appropriate in the circumstances, the Commissioner will act in accordance with the OAIC’s Privacy Regulatory Action Policy.
Receipt of notifications
9.9 The Commissioner will acknowledge receipt of all data breach notifications.
9.10 The Commissioner may or may not take any action in response to a data breach notification. The Commissioner will decide which notifications to respond to depending on available resources, and the Commissioner’s evaluation of the extent to which taking action in response to the notification will further the objects of the Privacy Act.
9.11 Some notifications may point to a possible interference with privacy. Under s 42, the Commissioner may make preliminary inquiries to determine whether to investigate an act or practice that may be an interference with privacy, where there has been a complaint or on the Commissioner’s own initiative. In deciding whether to make preliminary inquiries or offer advice and guidance in response to a notification, the Commissioner may consider:
- the type and sensitivity of the personal information involved
- the numbers of individuals potentially at risk of serious harm
- whether the data breach has been contained or is in the process of being contained where feasible
- steps the notifying entity has taken, or is taking, to mitigate the impact on individuals at risk of serious harm
- measures that the entity has taken, or is taking, to minimise the likelihood of a similar breach occurring again
9.12 The Commissioner may also inquire about the incident to determine whether the OAIC can provide assistance to the entity, such as best practice advice on data breach responses and the prevention of similar incidents in the future.
Declaration of Commissioner — exception to notification (s 26WQ)
9.13 The Commissioner may declare that an entity does not need to comply with the notification requirements in the NDB scheme in relation to an eligible data breach. Under s 26WQ the Commissioner may give written notice declaring that a statement to the Commissioner (under s 26WK) and notification to individuals (under s 26WL) is not required, or that notification to individuals is delayed for a specified period.
9.14 The Commissioner must not make a declaration unless satisfied that it is reasonable in the circumstances to do so, having regard to:
- the public interest (s 26WQ(3)(a))
- any relevant advice given to the Commissioner by an enforcement body or the Australian Signals Directorate (ASD) (s 26WQ(3)(b)), and
- such other matters (if any) as the Commissioner considers relevant (s 26WQ(3)(c))
9.15 An entity that is considering applying to the Commissioner for a s 26WQ declaration should do so as soon as practicable after the entity is aware that there are reasonable grounds to believe an eligible data breach has occurred.
9.16 In deciding whether to make a declaration, and on what terms, the Commissioner will have regard to the objects of the Privacy Act and other relevant matters. The Commissioner will consider whether the risks associated with notifying of a particular data breach outweigh the benefits of notification to individuals at risk of serious harm.
9.17 Given the clear objective of the scheme to promote notification of eligible data breaches, and the inclusion of exceptions in the scheme that remove the need to notify in a wide range of circumstances, the Commissioner expects that declarations under s 26WQ will only be made in exceptional cases and only after a compelling case has been put forward by the entity seeking the declaration.
Applying for a s 26WQ declaration
9.18 An entity considering making an application under s 26WQ should contact the OAIC in the first instance to discuss its intention.
9.19 If the entity decides to make an application, it should provide the following information and documents to the OAIC:
- a detailed description of the data breach
- a statement outlining the entity’s reasons for seeking a s 26WQ notice
- a draft notice setting out the terms that it believes should be included in the notice issued by the Commissioner
- relevant supporting documents and evidence (including, if applicable, relevant advice from an enforcement body or the ASD)
- contact details of an employee or representative of the entity
9.20 The onus is on the entity to demonstrate to the Commissioner that it is appropriate for the Commissioner to make a declaration. As such, the entity applying for a declaration will be expected to make a well-reasoned and compelling case detailing how the data breach is an eligible data breach, why any relevant exceptions do not apply, and why notification should not occur or should be delayed. The entity should provide detailed evidence or information in support of its application.
9.21 The Commissioner may seek further information from the entity or third parties. However, given the time critical nature of data breach notifications, the entity may not have a further opportunity to provide evidence or submissions to the OAIC before the Commissioner makes a decision on the application. As such, the entity should include all relevant information in its written application.
9.22 In considering whether to make a declaration, the Commissioner will have regard to relevant factors which may include:
- the objects in s 2A of the Privacy Act
- the purposes of the NDB scheme, which include enabling individuals to take steps to protect themselves from serious harm arising from a data breach
- the circumstances of the eligible data breach
- the extent to which notification will cause harm to particular groups or to the community at large
- the extent to which benefits of notification will be lost or diminished if notification does not occur or is delayed
- whether advice from an enforcement body or the ASD indicates that notification would be contrary to the public interest in the effective conduct of enforcement related activities or national security matters
- whether the entity responsible for the eligible data breach has been the subject of prior compliance or regulatory enforcement action by the OAIC, and the outcome of that action
- whether the eligible data breach is an isolated instance, or whether it indicates a potential systemic issue (either within the entity concerned or within an industry) or a potential issue which may pose ongoing compliance or enforcement issues
- such other matters as the Commissioner considers relevant
9.23 After considering the application, the Commissioner will make one of the following decisions:
- a declaration that notification does not need to occur
- a declaration that notification can be delayed (either for the period proposed by the applicant, or another period selected by the Commissioner)
- a refusal of the application
9.24 Where the Commissioner refuses a declaration, the Commissioner will give written notice of the refusal (s 26WQ(7)).
9.25 Decisions by the Commissioner under s 26WQ are reviewable by the Administrative Appeals Tribunal (AAT). An application for review by the AAT may be made by the entity that made the application for the declaration, or another entity whose obligations under the NDB scheme are affected by the declaration.
Direction of Commissioner — requiring notification (s 26WR)
9.26 The Commissioner may direct an entity to:
- prepare a statement about the eligible data breach
- give a copy of the statement to the Commissioner, and
- notify individuals about the eligible data breach
9.27 In deciding whether to give a direction to an entity under s 26WR(1), the Commissioner must consider:
- any relevant advice given to the Commissioner by an enforcement body or the ASD (s 26WR(6)(a))
- any relevant submission made by the entity (s 26WR(6)(b))
- such other matters (if any) as the Commissioner considers relevant (s 26WR(6)(c))
9.28 Under s 26WR(5), a direction by the Commissioner may require an entity to include specified information about the eligible data breach, in addition to the information required in a statement prepared for the Commissioner under s 26WR(4).
9.29 The specified information that relates to an eligible data breach is likely to be information that the Commissioner considers would assist individuals to take appropriate action in response to the eligible data breach. Examples could include:
- information about the risk of harm to individuals that the Commissioner considers exists as a result of the eligible data breach
- recommendations about steps the Commissioner considers individuals should take in response to the eligible data breach
- information about complaint mechanisms available under the Privacy Act to individuals affected by the eligible data breach
- other specified information relating to the eligible data breach that the Commissioner considers reasonable and appropriate in the circumstances to include in the statement
Process for making a s 26WR direction
9.30 Before directing an entity to notify, the Commissioner will usually ask the entity to agree to notify voluntarily.
9.31 If the Commissioner and the entity cannot agree about whether notification should occur, the Commissioner will formally invite the entity to make a submission about the direction under consideration, within a specified period (s 26WR(3)). The form of the invitation, and the period of time specified in the invitation for the entity to respond, will be for the Commissioner to determine depending on the particular circumstances. In deciding the form and period of time to respond, the Commissioner will have regard to the impact on the entity and the nature and imminence of the risk of harm to individuals who would receive notification of the eligible data breach the Commissioner has reasonable grounds to believe has happened.
9.32 The Commissioner will consider submissions and any other relevant information provided by the entity within the period specified before deciding whether to direct the entity to notify under s 26WR.
9.33 The Commissioner’s decision will be communicated to the entity in writing. Entities can apply to the AAT for review of a decision by the Commissioner under s 26WR(1) to make a direction.
9.34 An entity must comply with a direction made under s 26WR(1) as soon as practicable (s 26WR(10)). Contravention of s 26WR(10) is an interference with the privacy of an individual (s 13(4A)).
Publication and disclosure of information
9.35 The OAIC will publish statistics in connection with the NDB scheme, with a view to reviewing this approach 12 months after the scheme’s commencement.
9.36 The OAIC will respect the confidence of commercially or operationally sensitive information that is provided voluntarily in support of a data breach notification.
9.37 As a matter of course, the Commissioner will consult with entities following a request for information made under FOI law. For FOI requests relating to agencies, the Commissioner will offer to transfer requests to the agency in question.
9.38 Decisions about public communications will be made in accordance with the considerations set out in the Public Communication as Part of Privacy Regulatory Action section of the Privacy Regulatory Action Policy.
Reporting under the My Health Records Act
9.39 Under s 75 of the My Health Records Act, some entities have a mandatory obligation to provide notification of certain data breaches, including potential breaches, in connection with the My Health Record system. The mandatory notification obligation applies to entities that are, or have at any time been, the System Operator, a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider (as defined in the My Health Records Act). Depending on the entity involved, notification must be made to either the OAIC or the System Operator or both.
9.40 A failure by a registered healthcare provider organisation, a registered repository operator, a portal operator or a registered contracted service provider to notify in accordance with s 75 is a breach of a civil penalty provision and may result in that entity being liable to pay a penalty.
9.41 The My Health Records Act also outlines in s 75(5) and (6) the steps an entity must take to contain and respond to the breach, or potential breach. The OAIC has developed the Guide to Mandatory Data Breach Notification in the My Health Record System to assist entities to comply with their mandatory data breach obligations.
9.42 Data breaches that are notified under s 75 of the My Health Records Act do not need to be notified under the NDB scheme.
Responding to data breach notifications under the My Health Records Act
9.43 In assessing and responding to mandatory notifications, the OAIC will consider compliance with the My Health Records Act in addition to compliance with the APPs where relevant. The OAIC may also consider whether the breach was reported ‘as soon as practicable’, as required under s 75(2).
9.44 Section 75(5) of the My Health Records Act requires entities to take certain steps in responding to a data breach that may have occurred or arisen. These steps include containing the breach, evaluating the risks arising from the breach, notifying affected healthcare recipients (if the entity is the System Operator) or asking the System Operator to notify affected healthcare recipients (as applicable). The OAIC will consider these steps when assessing the severity of the breach and the entity’s response. Section 75(6) of the My Health Records Act also requires entities to take steps in responding to a data breach that has occurred (rather than to a potential data breach). These steps include containing the breach (and undertaking a preliminary assessment of its causes), evaluating the risks related to or arising from the breach, notifying affected healthcare recipients (if the entity is the System Operator) or asking the System Operator to notify affected healthcare recipients (as applicable), and taking steps to prevent or mitigate the effects of further breaches.
9.45 The Commissioner has investigative powers under s 73(3) of the My Health Records Act, and may use these powers instead of the investigative powers under the Privacy Act if an investigation is warranted following a mandatory notification. However, the Commissioner will generally conduct investigations under the Privacy Act rather than the My Health Records Act unless there is a reason to conduct the investigation under the latter Act.
9.46 When entities are required to notify both the OAIC and the My Health Record System Operator of data breaches, the OAIC may consult with the System Operator when responding to the notification.
Reporting under the National Cancer Screening Register Act
9.47 Under s 22A of the National Cancer Screening Register Act 2016 (NCSR Act), the Secretary of the Department of Health (the Secretary), contracted service providers and former contracted service providers have a mandatory obligation to notify the Information Commissioner of certain data breaches, including potential breaches, in connection with the National Cancer Screening Register.
9.48 A failure by the Secretary, contracted service providers or former contracted service providers to notify in accordance with s 22A is a breach of a civil penalty provision and may result in that entity being liable to pay a penalty.
9.49 The NCSR Act also outlines in ss 22A(4) and (5) the steps the Secretary, contracted service providers or former contracted service providers must take to contain and respond to the breach, or potential breach.
9.50 Data breaches that are notified under s 22A of the NCSR Act may also need to be notified under the NDB scheme, depending on the circumstances.
9.51 For more information on reporting under the NDB scheme, see paragraph 9.2.
Responding to data breach notifications under the NCSR Act
9.52 The OAIC will generally follow similar steps to the process outlined in relation to the My Health Records Act above [see paras 9.43 to 9.46] when responding to mandatory data breach notifications under s 22A of the NCSR Act.