Australian Government - Office of the Australian Information Commissioner

Draft: Guide to OAIC Privacy Regulatory Action — Chapter 9: Data breach incidents

The Office of the Australian Information Commissioner (OAIC) published this resource as an exposure draft on 27 September 2017. Comments are now closed.

Notifiable Data Breaches (NDB) scheme

9.1 The OAIC administers a Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.

9.2 Under Part IIIC, entities that have information security obligations under the Privacy Act[1] must generally notify the Australian Information Commissioner (the Commissioner), and individuals whose information was involved, about eligible data breaches (ss 26WK and 26WL).

9.3 The Commissioner has the following functions under the scheme:

  • promoting compliance with the scheme
  • receiving notifications from entities
  • directing an entity to notify under s 26WR
  • declaring that notification need not be made, or that notification be delayed under s 26WQ
  • offering advice and guidance to regulated entities, and providing information to the community about the operation of the scheme.

Promoting compliance with the scheme

9.4 Section 13(4A) provides that if an entity contravenes any of the following requirements of the NDB scheme, the contravention is taken to be an act that is an interference with the privacy of an individual, subject to possible enforcement action:

  • carry out an assessment of a suspected eligible data breach (s 26WH(2))
  • prepare a statement about the eligible data breach, and give a copy to the Commissioner as soon as practicable (s 26WK(2))
  • notify the contents of the statement to individuals whose personal information was involved in the eligible data breach (or, in certain circumstances, publish the statement) as soon as practicable (s 26WL(3))
  • comply with a direction from the Commissioner to notify the eligible data breach (s 26WR(10)).

9.5 The Commissioner’s preferred approach is to work with entities to encourage and facilitate voluntary compliance with an entity’s obligations under the NDB scheme before taking enforcement action in relation to any interferences with privacy. The OAIC has developed guidance about the NDB scheme to assist entities.

9.6 The Commissioner may, on the Commissioner’s own initiative, investigate an act or practice that may be an interference with privacy where the Commissioner thinks it is desirable to do so (s 40(2)). The Commissioner must also investigate complaints made by individuals where an act or practice may be an interference with the privacy of the individual (s 40(1)).

9.7 Where the Commissioner has identified an interference with privacy, there are a number of enforcement powers available to the Commissioner, ranging from less serious to more serious regulatory action depending on the relevant factors. These include powers to:

  • accept an enforceable undertaking (s 33E) and bring proceedings to enforce an enforceable undertaking (s 33F)
  • make a determination (s 52) and bring proceedings to enforce a determination (ss 55A and 62)
  • seek an injunction to prevent ongoing activity or a recurrence (s 98)
  • apply to a court for a civil penalty order for a breach of a civil penalty provision (s 80W), which includes serious or repeated interferences with privacy.

9.8 In deciding whether an investigation or enforcement action is appropriate in the circumstances, the Commissioner will act in accordance with the OAIC’s Privacy regulatory action policy.

Receipt of notifications

9.9 The Commissioner will acknowledge receipt of all data breach notifications.

9.10 The Commissioner may or may not take any action in response to a data breach notification. The Commissioner will decide which notifications to respond to depending on available resources, and the Commissioner’s evaluation of the extent to which taking action in response to the notification will further the objects of the Privacy Act.

9.11 Some notifications may point to a possible interference with privacy. Under s 42, the Commissioner may make preliminary inquiries to determine whether to investigate an act or practice that may be an interference with privacy, where there has been a complaint or on the Commissioner’s own initiative. In deciding whether to make preliminary inquiries or offer advice and guidance in response to a notification, the Commissioner may consider:

  • the type and sensitivity of the personal information involved
  • the numbers of individuals potentially at risk of serious harm
  • whether the data breach has been contained or is in the process of being contained where feasible
  • steps the notifying entity has taken, or is taking, to mitigate the impact on individuals at risk of serious harm
  • measures that the entity has taken, or is taking, to minimise the likelihood of a similar breach occurring again.

9.12 The Commissioner may also inquire about the incident to determine whether the OAIC can provide assistance to the entity, such as best practice advice on data breach responses and the future prevention of similar incidents.

Declaration of Commissioner – exception to notification (s 26WQ)

9.13 The Commissioner may declare that an entity does not need to comply with the notification requirements in the NDB scheme in relation to an eligible data breach. Under s 26WQ the Commissioner may give written notice declaring that a statement to the Commissioner (under s 26WK) and notification to individuals (under s 26WL) is not required,[2] or that notification to individuals is delayed for a specified period.[3]

9.14 The Commissioner must not make a declaration unless satisfied that it is reasonable in the circumstances to do so, having regard to:

  • the public interest (s 26WQ(3)(a))
  • any relevant advice given to the Commissioner by an enforcement body or the Australian Signals Directorate (ASD) (s 26WQ(3)(b)),[4] and
  • such other matters (if any) as the Commissioner considers relevant (s 26WQ(3)(c)).

9.15 An entity that is considering applying to the Commissioner for a s 26WQ declaration should do so as soon as practicable after the entity is aware that there are reasonable grounds to believe an eligible data breach has occurred.

9.16 In deciding whether to make a declaration, and on what terms, the Commissioner will have regard to the objects of the Privacy Act and other relevant matters. The Commissioner will consider whether the risks associated with notifying of a particular data breach outweigh the benefits of notification to individuals at risk of serious harm.

9.17 Given the clear objective of the scheme to promote notification of eligible data breaches, and the inclusion of exceptions in the scheme that remove the need to notify in a wide range of circumstances, the Commissioner expects that declarations under s 26WQ will only be made in exceptional cases and only after a compelling case has been put forward by the entity seeking the declaration.

Applying for a s 26WQ declaration

9.18 An entity considering making an application under s 26WQ should contact the OAIC in the first instance to discuss its intention.

9.19 If the entity decides to make an application, it should provide the following information and documents to the OAIC:

  • a detailed description of the data breach
  • a statement outlining the entity’s reasons for seeking a s 26WQ notice
  • a draft notice setting out the terms that it believes should be included in the notice issued by the Commissioner
  • relevant supporting documents and evidence (including, if applicable, relevant advice from an enforcement body or the ASD)
  • contact details of an employee or representative of the entity.

9.20 The onus is on the entity to demonstrate to the Commissioner that it is appropriate for the Commissioner to make a declaration. As such, the entity applying for a declaration will be expected to make a well-reasoned and compelling case detailing how the data breach is an eligible data breach, why any relevant exceptions do not apply, and why notification should not occur or should be delayed. The entity should provide detailed evidence or information in support of its application.

9.21 The Commissioner may seek further information from the entity or third parties. However, given the time critical nature of data breach notifications, the entity may not have a further opportunity to provide evidence or submissions to the OAIC before the Commissioner makes a decision on the application. As such, the entity should include all relevant information in its written application.

9.22 In considering whether to make a declaration, the Commissioner will have regard to relevant factors which may include:

  • the objects in s 2A of the Privacy Act
  • the purposes of the NDB scheme, which include enabling individuals to take steps to protect themselves from serious harm arising from a data breach
  • the circumstances of the eligible data breach
  • the extent to which notification will cause harm to particular groups or to the community at large
  • the extent to which benefits of notification will be lost or diminished if notification does not occur or is delayed
  • whether advice from an enforcement body or the ASD indicates that notification would be contrary to the public interest in the effective conduct of enforcement related activities and national security matters
  • whether the entity responsible for the eligible data breach has been the subject of prior compliance or regulatory enforcement action by the OAIC, and the outcome of that action
  • whether the eligible data breach is an isolated instance, or whether it indicates a potential systemic issue (either within the entity concerned or within an industry) or an increasing issue which may pose ongoing compliance or enforcement issues
  • such other matters as the Commissioner considers relevant.

9.23 After considering the application, the Commissioner will make one of the following decisions:

  • a declaration that notification does not need to occur
  • a declaration that notification can be delayed (either for the period proposed by the applicant, or another period selected by the Commissioner)
  • a refusal of the application.

9.24 Where the Commissioner refuses a declaration, the Commissioner will give written notice of the refusal (s 26WQ(7)).

9.25 Decisions by the Commissioner under s 26WQ are reviewable by the Administrative Appeals Tribunal (AAT).[5] An application for review by the AAT may be made by the entity that made the application for the declaration, or another entity whose obligations under the NDB scheme are affected by the declaration.[6]

Direction of Commissioner – requiring notification (s 26WR)

9.26 The Commissioner may direct an entity to:

  • prepare a statement about the eligible data breach
  • give a copy of the statement to the Commissioner, and
  • notify individuals about the eligible data breach.

9.27 In deciding whether to give a direction to an entity under s 26WR(1), the Commissioner must consider:

  • any relevant advice given to the Commissioner by an enforcement body or the ASD (s 26WR(6)(a))
  • any relevant submission made by the entity (s 26WR(6)(b))
  • such other matters (if any) as the Commissioner considers relevant (s 26WR(6)(c)).

9.28 Under s 26WR(5), a direction by the Commissioner may require an entity to include specified information about the eligible data breach, in addition to the information required in a statement prepared for the Commissioner under s 26WR(4).

9.29 The specified information that relates to an eligible data breach is likely to be information that the Commissioner considers would assist individuals to take appropriate action in response to the eligible data breach. Examples could include:

  • information about the risk of harm to individuals that the Commissioner considers exists as a result of the eligible data breach
  • recommendations about steps the Commissioner considers individuals should take in response to the eligible data breach
  • information about complaint mechanisms available under the Privacy Act to individuals affected by the eligible data breach
  • other specified information relating to the eligible data breach that the Commissioner considers reasonable and appropriate in the circumstances to include in the statement.

Process for making a s 26WR direction

9.30 Before directing an entity to notify, the Commissioner will usually ask the entity to agree to notify voluntarily.

9.31 If the Commissioner and the entity cannot agree about whether notification should occur, the Commissioner will formally invite the entity to make a submission about the direction under consideration, within a specified period (s 26WR(3)). The form of the invitation, and the period of time specified in the invitation for the entity to respond, will be for the Commissioner to determine depending on the particular circumstances. In deciding the form and period of time to respond, the Commissioner will have regard to the impact on the entity and to the nature and imminence of the risk of harm to the individuals who would be notified of the eligible data breach that the Commissioner has reasonable grounds to believe has occurred.

9.32 The Commissioner will consider submissions and any other relevant information provided by the entity before deciding whether to direct the entity to notify under s 26WR.

9.33 The Commissioner’s decision will be communicated to the entity in writing. Entities can apply to the AAT for review of a decision by the Commissioner under s 26WR(1) to make a direction.[7]

9.34 An entity must comply with a direction made under s 26WR(1) as soon as practicable (s 26WR(10)). Contravention of s 26WR(10) is an interference with the privacy of an individual (s 13(4A)).

Publication and disclosure of information

9.35 The OAIC will publish statistics in connection with the NDB scheme, with a view to reviewing this approach 12 months after the scheme’s commencement.

9.36 The OAIC will respect the confidence of commercially or operationally sensitive information that is provided voluntarily in support of a data breach notification.

9.37 As a matter of course, the Commissioner will consult with entities following a request for information made under FOI law. For FOI requests relating to agencies, the Commissioner will offer to transfer requests to the agency in question.

9.38 Decisions about public communications will be made in accordance with the considerations set out in the ‘Public communication as part of privacy regulatory action’ section of the Privacy regulatory action policy.

Mandatory reporting under the My Health Records Act

[This section will discuss a separate system of mandatory data breach reporting in relation to the My Health Record system.]

Footnotes

[1] For more information, see Entities covered by the NDB scheme.

[2] Under s 26WQ(1)(c).

[3] Under s 26WQ(1)(d).

[4] The Commissioner may receive such advice unprompted, and may, but is not required to, request it.

[5] Privacy Act, ss 96(1)(ba) and 96(bb).

[6] Privacy Act, ss 96(2A) and 96(2B).

[7] Privacy Act, s 96(1)(bc).