'An overview of the Notifiable Data Breaches scheme', Privacy Professionals Network Event
Presentation by acting Australian Information Commissioner and acting Privacy Commissioner Angelene Falk at a Privacy Professionals Network event in Brisbane
If you require these slides in a more accessible format, please contact email@example.com
Good morning everyone,
I would also like to respectfully acknowledge the traditional owners of the land, the Turrbal People, on which this morning’s event is taking place and Elders past, present and future.
It is great to be here today to talk about the Notifiable Data Breaches scheme, which came into force just under three weeks ago.
Under the scheme, it has become mandatory for various organisations and government agencies to notify individuals, and my Office, of data breaches that are likely to result in serious harm. It is also mandatory to conduct a quick assessment of a suspected data breach, in order to determine whether notification is necessary.
Specifically, these NDB scheme requirements apply to agencies and organisations with existing obligations to keep personal information secure under the Australian Privacy Act.
But before jumping into the mechanics of the scheme, I would first like to rehash the why of the scheme — because understanding why mandatory data breach notification requirements have been created in Australia and around the world will undoubtedly assist you in maintaining an effective data breach response strategy.
As you know, personal data is one of the most valuable assets a wide range of organisations have today, and it can be used to benefit the Australian community broadly.
Data can be used to develop more sophisticated products, identify gaps in the provision of products and services, and fuel research across industries.
But there is a substantial risk that comes with the increased involvement of personal data in an organisation’s operation and delivery of products and services.
A breach of that data is among the greatest threats to an organisation’s reputation today — because of the potential harm this can pose to individuals whose personal information is affected.
It can undermine trust in an organisation’s personal information management and undercut the social licence that is so essential to conducting projects involving personal information.
This impact is not necessarily limited to a single organisation either, as repeated incidents of breaches can have roll-on effects to public trust in data management more generally. It can prompt people to doubt the standards in place across an industry to secure personal information.
But we know trust in an organisation is not necessarily extinguished immediately when a data breach occurs. How you manage the breach really matters.
There are two significant differences that I would like to highlight between an effective data breach response and a less effective one.
Of course, first is how well an organisation reduces, or eliminates, potential harm to affected individuals — and how promptly this is accomplished. Taking quick remedial action can lessen the overall impact of a breach.
Secondly, it is meeting the community’s expectations for transparency and accountability. We know from our 2017 Australian Community Attitudes to Privacy Survey that 94 per cent of Australians believe they should be told if a business loses their personal information, and this statistic has been consistent over a number of years. This evidences almost unanimous support for the NDB scheme.
Notification provides individuals with the opportunity to take steps to reduce the chance they will experience serious harm. In various instances, simple actions such as re-securing an online account with a new password can prevent the potential harm of a data breach from materialising.
Further, as a transparency measure, the NDB scheme reinforces organisations’ accountability for personal information security, and in doing so encourages a higher standard of data security — this supports greater public trust in the management of personal information across both the public and private sector.
Remedial action may not be possible, or successful, in every instance of a data breach. When this is the case, demonstrating transparency and accountability is especially significant in determining the impact of a breach on the trust held in your organisation.
The community expectation for transparency is also likely the reason for the upwards trend in the number of data breaches reported to my office on a voluntary basis over the past few years. Last year, we received 114 voluntary data breach notifications, up from 107 the year before.
Of course, we expect to see many more notifications during the first 12 months of the NDB scheme. In the first two weeks of the scheme, we received 17 notifications.
The expectation for transparency when a breach occurs is global. Various jurisdictions have introduced mandatory data breach notification requirements. I won’t read out every one on this slide — but one of the most significant, which I am sure is top-of-mind for many of you, is the EU’s General Data Protection Regulation.
The synergies between regulatory jurisdictions show that the requirements of the NDB scheme are neither unexpected nor exceptional. In fact, they fit alongside global regulatory developments, which in combination establish a standard for transparency when a serious data breach occurs.
So — when are you required to notify individuals and the OAIC about a data breach?
As I’m sure you’re aware, not every breach triggers the notification requirements of the NDB scheme.
An eligible data breach is one that is ‘likely to result in serious harm’ to any individuals whose personal information is involved in the breach.
This threshold is in place to avoid overburdening organisations and to reduce the likelihood of individuals experiencing ‘notification fatigue’.
Over-notifying can overwhelm individuals, and make it more difficult in the long term for someone to distinguish notifications that represent little risk from those that will really matter to them.
Whether a breach is likely to result in harm, and whether this harm is serious, requires an objective assessment from the viewpoint of a reasonable person in the position of the organisation that experienced the breach.
What this means, in short, is that I won’t be able to tell you whether a breach is an eligible data breach or not based on a few tidbits of information.
That would require a more thorough understanding of the context of a data breach. You can find a list of relevant matters to consider in this regard under section 26WG of the Notifiable Data Breaches Act 2017.
It is important to note that ‘harm’ can arise in various ways. A breach may cause financial harm, or place an individual at a likely risk of identity fraud. It may be likely to result in serious psychological harm, or heighten a risk of physical harm.
If you take remedial action that is successful, and the breach is no longer likely to result in serious harm, notification is not required.
When a data breach occurs, it will be important to establish what sort of harm could result. This will assist you in taking effective remedial action, as well as understanding whether serious harm is likely and notification is required.
In various instances, it will be immediately clear that individuals and the OAIC must be notified. However, it won’t be clear in all cases.
When that occurs, organisations will be required to conduct an assessment of the suspected eligible data breach.
This assessment, as described in the legislation, must be ‘reasonable and expeditious’. Further, organisations must take reasonable steps to complete this assessment within 30 days.
This means that organisations must prioritise the assessment with the aim of completing it as soon as practicably possible. The 30 days is expected to be treated as a maximum — after all, the sooner individuals are notified, the sooner they can take steps to protect themselves from harm.
Prompt notification can also reduce the damage to trust in your organisation. People expect transparency – which explains the public vitriol organisations have experienced when they are perceived to have concealed a data breach, or attempted to conceal a breach.
That being said, in some instances it may be necessary to go beyond this 30 day timeframe, in which case it is important to document your assessment to show how you have taken those ‘reasonable steps’.
There is no checklist of required actions for an assessment in the NDB scheme. These actions will necessarily differ depending on the circumstances of an organisation.
Generally speaking, we suggest that an assessment can be completed in three stages:
- investigate, and
You can again refer to section 26WG for relevant matters you can consider in the ‘investigate’ component. These include, for example, the types of personal information affected, what security measures are in place to protect it, the likelihood these protections can be overcome, and the sensitivity of the personal information involved in the data breach.
To turn to how notification must occur — as I’ve mentioned, the primary purpose of the NDB scheme is to ensure individuals are promptly notified if they are at a likely risk of serious harm as a result of a data breach.
There are three options for notifying individuals.
You can notify only the individuals at a likely risk of serious harm. This would be preferable if it is possible, because it avoids potentially causing unnecessary anxiety among individuals who aren’t at risk of serious harm.
If you are unable to identify and notify these individuals, you can notify all the individuals whose personal information has been affected.
If neither of these options is available, you must publish a notification on your website and take steps to publicise its contents, so that the people affected by the breach will have a high chance of learning about it.
The notification to individuals must include the information you are required to provide to the OAIC about the data breach – which you can see listed on this slide.
But I would encourage you when notifying individuals to consider whether there is any additional information your customers or clients may appreciate receiving.
For example, the NDB scheme does not require you to apologise, or tell people what steps you will take to prevent reoccurrence — however, this information may serve to build people’s confidence that personal information security is taken seriously.
And in fact, we saw this in the response to the Red Cross data breach notification, where they apologised and accepted responsibility for the breach, despite the root cause being the actions of a third party service provider.
Customers and clients want to know that organisations care about their personal information as much as they do. Clearly expressing this can reduce the reputational impact of a data breach.
To notify the OAIC, we have developed an online form. This prompts you to provide the information required under the scheme, as well as other matters of interest to the Commissioner.
Specifically, how the breach has been contained, steps you are taking to assist individuals, and what you are doing to prevent a similar incident in the future. This information goes to Australian Privacy Principle 11, which requires organisations regulated by the Privacy Act to take steps to secure personal information.
A breach may indicate noncompliance with APP 11, but that is not always the case. As history has shown, even organisations with great information security can fall victim to a data breach, due to the rapid evolution of data security threats and the difficulty of removing the risk of human error in large and complex organisations.
Regardless, considering how you can improve personal information security after a data breach is essential.
We have recently published a guide that delves into the regulatory requirements and expectations for best practice data breach response. It is titled ‘Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988’. The information provided in it consolidates guidance we have published in recent years on data breach notification, developing a data breach response plan, and the Notifiable Data Breaches scheme requirements.
This is now available on the OAIC’s website, and provides a valuable resource for any staff member involved in compliance and risk management.
Beyond reviewing the OAIC’s resources – you may be wondering what else you can do now to make sure your data breach response is the best it possibly can be.
I’d like to leave you with a few thoughts, informed by our experience dealing with data breach incidents at the OAIC.
Firstly, it is vital that you know what data you hold. It sounds simple, but oftentimes personal information holdings can become complicated as data is collected and filed away over the years. Understanding your data is key to understanding the risks your organisation faces.
It is also important to prepare for how you will inform and communicate with your customers in the event of a data breach. Part of reducing harm to individuals is meeting their expectations in your notification. Your notification, and how you respond to individuals’ concerns following notification, can build confidence in your handling of the situation.
On the other hand, poor preparation can be noticeable and lead to the perception that the breach is not under control. For example, a commentator said the following about Equifax’s data breach statement:
‘The erratic spacing after periods, sometimes one, sometimes two…in such details, we glimpse the outer edges of a hastily assembled response: paragraphs bounced back and forth between division and departments over email, lawyers screaming at one another over the phone’.
Preparation can avoid this brand of criticism.
And, it is valuable to have a practice run of what you will do if a breach occurs. Time evaporates quickly when you are responding to a real breach – it is important staff know who to report to and what to do, so as not to waste any time.
Thank you, and I’ll now hand you over to Annan Boag for the Q&A portion of today’s event. Annan is the OAIC’s Director in Dispute Resolution, and led the development of our resources on the NDB scheme requirements for regulated organisations.