Data Breach Notifications in Australia: The basic guide to who, what, when, how, and why
The Office of the Australian Information Commissioner (OAIC) recently released its Notifiable Data Breaches Report: January – June 2021 (the Report). Data breach notifications became mandatory for organisations covered by the Privacy Act in May 2018. Since then, the OAIC has released quarterly and now six-monthly reports with aggregated information from reported data breaches.
The latest Report reveals:
- The total number of reported data breaches dropped compared with previous periods: 446 notifications between January and June 2021, compared with 539 in the preceding six months;
- Cyber security incidents were the root cause of 65% of the data breaches reported to the OAIC, with ransomware and phishing behind the bulk of the cyber incident-related data breaches. This was up from 58% in the preceding period;
- Breaches attributable to human error dropped from 38% to 30%.
Access the OAIC Notifiable Data Breach Reports here.
Notwithstanding the drop in reported breaches, data breaches are increasingly impacting Australian organisations. It is important for all organisations covered by the Privacy Act 1988 to continue to meet their data breach notification obligations.
Data Breach Notification Law in Australia
The Data Breach Notification Scheme in Australia requires organisations covered by the Privacy Act 1988 to notify affected individuals and the OAIC “when a data breach involving personal information is likely to result in serious harm” and where the organisation hasn’t been able to prevent or mitigate the likely risk of serious harm with remedial action.
Here is an overview of the who, when, how and why of data breach notifications in Australia:
Why should organisations notify of a data breach?
The requirement to notify affected people about data breaches is intended to give individuals an opportunity to try to reduce any potential harm from the data breach. Affected individuals can do this, for example, by changing passwords, closing accounts or being more alert to unexpected activity on their credit cards and bank accounts.
Transparency and Accountability
An organisation’s obligation to notify is part of its transparency and accountability obligations (two principles that have been at the heart of privacy regulation from its earliest inception). Providing information about what has happened lets impacted people make better informed decisions about how best to protect themselves.
Risk and Reputation Management
Although not primarily intended to penalise or embarrass organisations that have had a breach, this has been one of the outcomes. Many reported data breaches have gained significant media attention, leading to embarrassment and possible reputational damage. In some instances, the Privacy Commissioner has also decided to investigate the circumstances leading to the data breach more closely, to determine whether or not there may have been an interference with any of the privacy principles (particularly APP 11, the obligation to take reasonable steps to secure personal data). So, care should always be taken when notifying of a data breach.
From a business perspective, the data breach notification process is not just about compliance with legal requirements; it is also critical to financial risk management and reputation management.
Reduce Harm to the Impacted Individuals
However, the overriding interest should always be to make sure that impacted individuals are provided with any information that might help them reduce any potential harm as expeditiously as possible. In many cases, people will expect to be notified if their personal information is accessed or disclosed to unauthorised individuals in a way that poses a significant risk of harm to them – regardless of whether the organisation is legally required to disclose the breach under Australian law, or the laws of other jurisdictions around the globe.
As such, businesses might consider looking beyond their legal obligations when it comes to data breach notifications. There will be circumstances where notification is something that businesses should do as part of risk management, even if there is no legal requirement to notify.
Who should organisations notify following a data breach?
You should notify any individuals whose personal information was accessed, disclosed or lost (affected individuals) as a result of the breach, as well as the OAIC.
This is a different obligation from that in other jurisdictions where there are separate requirements for reporting to the regulator versus reporting to impacted individuals. In Australia, notice should be given to both at the same time, based on the same criterion of whether or not there has been an eligible data breach (discussed further below).
What details should your data breach notification include?
Your organisation should be prepared to notify the OAIC and any affected individuals about:
- Your organisation’s name and contact details.
- A description of the data breach.
- The kinds of information involved in the data breach.
- Steps individuals should take in response to the data breach.
Data breach preparedness is key
To help with this, you should prepare draft communications as part of your data breach preparedness plan. These drafts can act as templates for the actual notification. An approved, pre-existing template can significantly reduce the time spent agreeing on wording.
The most difficult step in preparing the notice will often be describing the data breach. The investigation of the data breach is often happening in parallel with the notification process, with new details about the breach becoming apparent as the investigation continues.
Organisations will have to decide what information to provide about the data breach, remembering that the details can be updated when more information is available. The priority should be ensuring the protection of impacted individuals rather than waiting for the detailed investigation into the data breach to conclude.
When should the OAIC and affected individuals be notified?
If you know that you have had a reportable data breach, then it should be reported as soon as reasonably practicable.
Before the notifiable data breach provisions were passed, there were concerns about what to do in cases where there may have been an incident but where it was not clear that a data breach had occurred (in terms of the unauthorised access, disclosure or loss of personal information).
Consider these two examples of possible data breaches:
- A company is alerted by a third party that a database with personal data is accessible via the internet because of a misconfiguration error; or
- A laptop with personal data is lost but in circumstances where it is not clear whether it was simply misplaced or stolen.
In both these cases, at the time of becoming aware of the incident, there is no actual evidence that the database or laptop has been accessed, but it could have been. To address these concerns, a 30-day window was introduced for ‘suspected’ data breaches. The Privacy Act 1988 allows organisations to take all reasonable steps to conduct an assessment of a suspected data breach within 30 days of becoming aware of it. It is important to remember that this is a 30-day window for suspected data breaches only and should not be taken as general permission to not report for 30 days. The Commissioner expects organisations to treat the 30-day timeframe as a maximum time limit, and suggests that they should complete the assessment earlier wherever possible.
What should organisations do following the assessment?
Once the assessment is completed, it is expected that the organisation will prepare a statement about the breach. A copy of the statement should be provided to the Commissioner and affected individuals should be informed about its contents as early as practicable.
In practice, the OAIC uses the 30-day time limit as a metric for comparison when it comes to notifications. In the Report, the OAIC notes that 72% of organisations notified the OAIC about a data breach within 30 days of it occurring, in the January to June 2021 period.
Remember, the primary driver of data breach notification laws is to mitigate harm to impacted people, and this should always be the principal consideration in determining when to notify.
How do organisations conduct the notification process after a data breach?
The OAIC has an online form for organisations to complete following a data breach. You can find it here.
Notification of affected individuals following a breach is more complicated.
As we have discussed, effective data breach notifications reduce or eliminate harm to the affected individuals and/or give them the chance to protect themselves. This means that notices should be informative, without causing undue stress to the affected person. They should include enough information about the data breach so people can make informed decisions about any action that they should take. Notices should also include recommendations on any mitigation actions that people could consider.
There are some great resources available to support individuals impacted by data breaches including the following:
How can Privacy 108 help with data breach notifications?
Privacy108 has extensive experience navigating and advising on data breach notifications.
We advise organisations on the applicability of data breach notification schemes in any relevant jurisdictions. From there, we provide proactive planning for data breach management and business continuity. This planning covers privacy governance to minimise privacy risk, as well as cybersecurity best practices and in-house education that minimises the risk posed by your greatest privacy threat: your staff.
Where a data breach has already occurred, we provide responsive data breach crisis management services that minimise reputational, financial, and legal risk.
Our services include:
- Development, implementation and testing of data breach response plans;
- Drafting Data Breach Response Policy and procedure documents;
- Advising and supporting data breach response efforts when a data breach has occurred;
- Legal opinions on data breach response obligations.
Privacy 108 Data Breach Notification Training
If your organisation is uncertain about its data breach notification obligations in Australia, you will benefit from Privacy 108’s data breach notification training. See more about Privacy 108’s Training here or get in touch for more information: