Data Breach Notification Scheme – Is this the last nail in the coffin of trust in online living or open government?

Bartier Perry


Is online still driven by trust?

What drives the internet and life online: technology or trust? Would you transact or interact online without trusting that your credit card details, personal information (such as family and social information) or sensitive information (health, race, etc.) would not be misused or handled insecurely? If you answered yes, perhaps the internet is now so ingrained in your daily life that it is too difficult to extricate yourself from it.

It's easier to build trust when you do not have to report breaches of data. Until the introduction on 22 February, 2018 of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (NDB Act), Australia's mandatory data breach notification laws were limited.

Australian government tops the charts in reporting voluntary data breaches

Despite this, the Office of the Australian Information Commissioner (OAIC) still received 107 breach notifications in 2015-2016, with the Australian Government leading the way. This is surprising; surely government is the one sector we would expect to take the utmost care to store personal information safely and securely.

Or perhaps the Government was simply acting as a good citizen, reporting breaches that others might have swept under the carpet. If so, the Notifiable Data Breaches Act now puts pressure on those others to also do the right thing.

The new Act amends the Privacy Act 1988 (Cth) (Privacy Act) to introduce Part IIIC – the Notifiable Data Breaches Scheme. The Scheme, which applies to agencies and organisations covered by the Privacy Act, requires them to notify an individual likely to be at risk of serious harm due to a data breach.

What about the NSW Public Sector's Data Breach obligations?

Generally, NSW public sector agencies are not regulated by the Privacy Act. However, given the expectation on such agencies to act as model citizens, they should take note of the Notifiable Data Breaches Scheme.


What's more, public sector agencies (including local government agencies) must notify data breaches pursuant to:

  • the Privacy (Tax File Number) Rule 2015 issued pursuant to section 17 of the Privacy Act
  • the Data Sharing (Government Sector) Act 2015, which imposes an obligation on an agency that receives personal or health information to inform a data provider and the NSW Privacy Commission as soon as practicable of a breach (that is, when the agency becomes aware that a breach of privacy legislation has occurred or is likely to have occurred)
  • the General Data Protection Regulation, which comes into force on 25 May 2018 and will apply to any organisation offering goods or services to, or monitoring the behaviour of, individuals living in the European Union.

So what are the requirements under the Notifiable Data Breaches Scheme?

A breach occurs when data, such as a TFN, is lost, or where there has been unauthorised access to or disclosure of such data. A breach becomes notifiable if it is likely to result in serious harm to an individual.

The Privacy Act does not define what "serious harm" is. According to the Australian Privacy Commissioner, it may include serious financial, physical, psychological, emotional or reputational harm.

The Scheme recommends four steps when responding to a data breach. They are:

  1. contain the breach
  2. evaluate and mitigate the risks
  3. notify and communicate
  4. prevent future breaches.

In future articles we will examine the requirements of the Scheme in more detail.

Trust and Open Government

"Good government, sound policy and just decision-making demand that information is collected, stored, managed, used and disclosed wisely and appropriately. Every decision and every activity of government uses information. Each year the amount of information held by government grows and at a faster pace." ('Towards an Australian Government Information Policy', Issues Paper 1, Office of the Australian Information Commissioner, November 2010.)

As data breach disclosure culture (whether through mandatory or voluntary disclosure) sets in, the NSW public sector response will be closely monitored and may set the scene for open government.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
