Australian Government - Office of the Australian Information Commissioner

Data breaches involving more than one organisation

The NDB scheme recognises that entities often hold personal information jointly. In these circumstances, an eligible data breach of one entity will also be considered an eligible data breach of other entities that hold the affected information. However, the scheme contains a number of mechanisms to avoid duplicate obligations, so that compliance by one entity will also be taken as compliance by each of the entities that hold the information.

In general, where multiple entities jointly hold information compromised in a data breach, only one of those entities needs to take the steps required by the NDB scheme. The NDB scheme leaves it up to the entities to decide which of them should do so.

When is information held jointly?

Under s 6(1) of the Privacy Act 1988 (Cth) (Privacy Act), an entity is taken to ‘hold’ personal information if it has possession or control of a record that contains personal information. This means that the term ‘holds’ extends beyond physical possession of a record to include a record that an entity has a right or power to deal with, even if it does not physically possess the record or own the medium on which it is stored.

For example, one entity may store its records with a cloud service provider. Since the cloud service provider has possession of the records, it will be taken to hold the personal information. Because the first entity has contractual rights to retain control of the records (such as maintaining rights to access and use the records), both entities hold the information.

Whether an entity will be taken to ‘hold’ personal information will therefore depend on the particular circumstances of the arrangement.

Other examples where two or more entities may hold the same information include:

  • outsourcing arrangements
  • Commonwealth contracts
  • joint ventures.

Example: A large market research company is conducting focus groups on behalf of its client, a fast food outlet, using a list of interviewees provided by its client for that purpose. The contractual arrangements between the market research company and the fast food outlet give the fast food outlet effective control over how the information is handled by the research company. Following the focus group sessions, all participants give consent to participate in future research projects for the research company’s other clients. The research company creates a new record containing the participants’ names and contact details. Although the record contains the same information that the market research company originally received from the fast food outlet, only the market research company has possession or control over the newly created record. This means that only the market research company would have NDB scheme obligations in the event of a data breach affecting the newly created record.


Responding to data breaches of jointly held information

In situations where two or more entities hold the same record of personal information, both entities are generally responsible for complying with the NDB scheme in relation to this record.

However, exceptions apply so that only one of the entities that jointly holds information needs to comply with the NDB scheme’s assessment and notification requirements on behalf of the group. For example, if a data breach affects one or more other entities that jointly hold personal information, and one entity has assessed the suspected breach, the other entities are not required to also assess the breach (s 26WJ). If no assessment is conducted, depending on the circumstances, each entity that holds the information may be found to be in breach of the assessment requirements.

Similarly, only one entity needs to notify individuals and the Commissioner (s 26WM) if there is an eligible data breach involving personal information jointly held by more than one entity (see Identifying eligible data breaches). If none of the entities notify, then all of the entities may be found to have breached the notification requirements of the NDB scheme (s 26WL(2)).

See Exceptions to notification obligations for more information about the circumstances in which specific exceptions apply to entities that jointly hold information.


How to allocate responsibility for compliance

Each entity that holds personal information involved in an eligible data breach should be able to demonstrate that it is meeting the requirements of the NDB scheme.

The NDB scheme does not prescribe which entity should conduct an assessment of a suspected data breach, nor which entity should notify individuals and the Commissioner about an eligible data breach. This allows entities to tailor their arrangements to accommodate their particular contractual and customer relationships.

Accordingly, where information is held jointly, entities should establish clear procedures for complying with the NDB scheme when entering into service agreements or other relevant contractual arrangements. This may include considering obligations around the communication of suspected breaches, processes for conducting assessments, and responsibility for containment, remediation, and notification.

The Commissioner suggests that, in general, the entity with the most direct relationship with the individuals at risk of serious harm may be best placed to notify. This will allow individuals to better understand the notification, and how the eligible data breach might affect them.

Example: A medical practice stores paper-based patient records with a contracted storage provider. The storage provider’s premises are broken into and a number of items stolen. While the storage provider cannot immediately determine if the stolen items included the medical practice’s records, it suspects that they might have been included. Both the medical practice and the storage provider hold the records for the purpose of the Privacy Act, so both have an obligation to conduct an assessment and, if required, notify. Since the storage provider is more familiar with its facilities, the entities decide that the storage provider is best placed to conduct an assessment and determine if the records were stolen. Once the provider determines that the records were stolen, the medical practice assists the assessment by using its knowledge about the affected individuals to conclude that serious harm is likely. Although the storage provider’s insurance company has agreed to cover the cost of notification, the storage provider and medical practice agree that it is most appropriate that notification come from the medical practice, as the relevant individuals do not have any pre-existing relationship with the storage provider. As such, the medical practice notifies the individuals about the incident and is reimbursed by the storage provider and its insurer for the costs of notification.
