Australian Government - Office of the Australian Information Commissioner

Draft: Australian Information Commissioner’s role in the NDB scheme

The Office of the Australian Information Commissioner (OAIC) published this resource as an exposure draft on 2 June 2017. Comments are now closed.

The Australian Information Commissioner (the Commissioner) has a number of roles under the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988 (Cth) (Privacy Act). These include:

  • receiving notifications of eligible data breaches
  • encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance
  • offering advice and guidance to regulated entities, and providing information to the community about the operation of the scheme.

This document summarises how the Commissioner anticipates exercising these functions.

Receiving notifications of data breaches

How the Commissioner will receive notification

Once an entity has reasonable grounds to believe there has been an eligible data breach and is not exempted from notifying, it is required to provide notification to the Commissioner and, usually, individuals at risk of serious harm. When notifying the Commissioner, the entity must provide a notification statement that contains the following information (s 26WK(3)):

  1. the identity and contact details of the notifying entity
  2. a description of the data breach
  3. a description of the personal information involved
  4. recommendations to individuals about the steps that they should take to minimise the impact of the breach.

Although not required by the Privacy Act, entities may also provide additional supporting information to the Commissioner to explain the circumstances of the data breach and the entity’s response in further detail. This information will assist the Commissioner to decide whether to make further inquiries or to take any other action.

The Commissioner will publish an online form to help entities lodge notification statements and provide additional supporting information.

Confidentiality of information provided in notifications

If an entity elects to provide additional supporting information to the Commissioner, it may request that the Commissioner hold that information in confidence. The Commissioner will respect the confidence of commercially sensitive information provided voluntarily in support of a data breach notification, and will only disclose such information after consulting with the notifying entity, and with the entity’s agreement or where required by law.

If the Commissioner receives a freedom of information (FOI) request for a notification statement or additional supporting information, the Commissioner will consult with the entity that made the notification (if it is an organisation) or will offer to transfer the request to the entity (if it is an agency).

Responding to notifications

The Commissioner will acknowledge receipt of all data breach notifications.

The Commissioner may also make inquiries or offer advice and guidance in response to notifications. In deciding whether to make inquiries or offer advice and guidance in response to a notification, the Commissioner may consider the type and sensitivity of the personal information, the numbers of individuals potentially at risk of serious harm, and the extent to which the notification statement and any additional supporting information provided demonstrate that:

  • the data breach has been contained or is in the process of being contained where feasible
  • the notifying entity has taken, or is taking, reasonable steps to mitigate the impact of the breach on the individuals at risk of serious harm
  • the entity has taken, or is taking, reasonable steps to minimise the likelihood of a similar breach occurring again.

The Commissioner may also decide to take regulatory action on the Commissioner’s own initiative in response to a notification, or series of notifications, if this indicates a serious or systemic breach of the Privacy Act. In deciding whether to take regulatory action, the Commissioner will have regard to the OAIC’s Privacy regulatory action policy[1] and Guide to privacy regulatory action.[2] However, the Commissioner’s priority when responding to notifications is to provide guidance to the entity and to assist individuals at risk of serious harm.

Enforcing compliance with the scheme

The Commissioner has a number of enforcement powers to ensure that entities meet their obligations under the scheme. A failure to meet any of the following requirements of the scheme is an interference with the privacy of an individual (s 13(4A)):

  • conduct a reasonable and expeditious assessment of a suspected eligible data breach (s 26WH(2))
  • prepare a statement about the data breach, and give a copy to the Commissioner, as soon as practicable (s 26WK(2))
  • notify the contents of the statement to individuals at risk of serious harm (or, in certain circumstances, publish the statement) as soon as practicable (s 26WL(3))
  • comply with a direction from the Commissioner to notify as soon as practicable (s 26WR(10)).

The enforcement powers available to the Commissioner in response to an interference with privacy, which range from less serious to more serious regulatory action, include powers to:

  • accept an enforceable undertaking (s 33E) and bring proceedings to enforce an enforceable undertaking (s 33F)
  • make a determination (s 52) and bring proceedings to enforce a determination (ss 55A and 62)
  • seek an injunction to prevent ongoing activity or a recurrence (s 98)
  • apply to court for a civil penalty order for a breach of a civil penalty provision (s 80W), which includes any serious or repeated interference with privacy.

The Commissioner is also required, in most circumstances, to investigate a complaint made by an individual about an interference with the individual’s privacy (s 36), which would include a failure to notify an individual at risk of serious harm of an eligible data breach where required to do so.

In deciding when to exercise enforcement powers in relation to a contravention of the NDB scheme, the Commissioner will have regard to the OAIC’s Privacy regulatory action policy.

The preferred approach of the Commissioner is to work with entities to encourage and facilitate voluntary compliance with an entity’s obligations under the Privacy Act before taking enforcement action.

The Commissioner acknowledges that it will take time for all regulated entities to become familiar with the requirements of the NDB scheme. During the first 12 months of the scheme’s operation, the Commissioner’s primary focus will be on working with entities to ensure that they understand the new requirements and are working in good faith to implement them.

Other powers and functions under the scheme

Direction to notify (s 26WR)

The Commissioner can direct an entity to notify the Commissioner and individuals at risk of serious harm about an eligible data breach in certain circumstances.

Before directing an entity to notify, the Commissioner will usually ask the entity to agree to notify. This might happen if a data breach comes to the attention of the Commissioner but has not come to the attention of the relevant entity, or if the Commissioner does not agree with an entity’s initial view about whether a data breach triggers an obligation to notify.

If the Commissioner and the entity cannot agree about whether notification should occur, the Commissioner will give the entity an opportunity to make a formal submission about why notification is not required, or if notification is required, on what terms. The Commissioner will consider the submission and any other relevant information before deciding whether to direct the entity to notify under s 26WR.

Declaration that notification need not be made, or that notification be delayed (s 26WQ)

The Commissioner may declare that notification of a particular data breach is not required (s 26WQ(1)(c)). The Commissioner may also modify the period in which notification needs to occur (s 26WQ(1)(d)).

The Commissioner cannot make a declaration under s 26WQ unless satisfied that it is reasonable in the circumstances to do so, having regard to the public interest, relevant advice received from an enforcement body or the Australian Signals Directorate, and any other relevant matter. While the Commissioner is empowered to make a declaration if it is ‘reasonable in the circumstances to do so’, the Commissioner still has discretion about whether to make a declaration, and on what terms.

In deciding whether to make a declaration, and on what terms, the Commissioner will have regard to the objectives of the Privacy Act and other relevant matters. The Commissioner will consider whether the risks associated with notifying a particular data breach outweigh the benefits of notification to individuals at risk of serious harm.

Given the clear objective of the scheme to promote notification of eligible data breaches, and the inclusion of exceptions in the scheme that remove the need to notify in a wide range of circumstances, the Commissioner expects that declarations under s 26WQ will be limited to exceptional cases.

An entity applying for a declaration will be expected to make a well-reasoned and convincing case detailing how the data breach is an eligible data breach, why any relevant exceptions do not apply, and why notification should not occur or should be delayed. The entity should provide detailed evidence or information in support of its application.

Advice, guidance, and community information

The Commissioner provides general information to the community about the Privacy Act, including the NDB scheme, via its public enquiries service and on its website.

The Commissioner is developing a range of guidance material that will be published on the OAIC’s website to help entities comply with the scheme.

However, the Commissioner will not be able to provide detailed advice about the application of the scheme to specific data breaches. Entities will need to seek their own legal advice.

The Commissioner intends to provide information to the community about the operation of the scheme.

Footnotes

[1] Available at https://www.oaic.gov.au/about-us/our-regulatory-approach/privacy-regulatory-action-policy/.

[2] Available at https://www.oaic.gov.au/about-us/our-regulatory-approach/guide-to-privacy-regulatory-action/.