The introduction of the NDB (Notifiable Data Breaches) scheme and the EU’s GDPR (General Data Protection Regulation) in 2018 places a considerable responsibility on Australian organisations that process personal data.
Both laws grant data subjects increased rights when it comes to how their information is used and require organisations that process personal data to overhaul their data protection mechanisms.
They both also specify conditions for mandatory data breach reporting.
Data breach notification under the NDB scheme
From 22 February 2018, the NDB scheme has applied to organisations with personal information security obligations under the Australian Privacy Act 1988 (Privacy Act).
Data subjects must be informed of incidents in which unauthorised access to, or loss or disclosure of, their personal information is likely to result in serious harm to them that cannot be prevented with remedial action. These are referred to as ‘eligible data breaches’. (There are some exceptions to the notification obligations.)
The Australian Information Commissioner must also be informed.
The Commissioner has a number of enforcement powers under the Privacy Act to ensure that organisations meet their obligations under the scheme, including:
- Accepting an enforceable undertaking and bringing proceedings to enforce an enforceable undertaking.
- Making a determination and bringing proceedings to enforce a determination.
- Seeking an injunction to prevent ongoing activity or a recurrence.
- Applying to court for a civil penalty order for a breach of a civil penalty provision, which includes a serious or repeated interference with privacy.
The Commissioner is also required, in most circumstances, to investigate complaints made by individuals relating to interference with their privacy, including failing to notify them of an eligible data breach where required.
Data breach notification under the GDPR
Although the GDPR is an EU law, its scope extends around the world to every organisation that processes EU residents’ personal data.
From 25 May 2018, data processors have been required to report all personal data breaches to data controllers, and data controllers have been required to report breaches to the supervisory authority within 72 hours of their discovery if there is a risk to data subjects’ rights and freedoms.
Data subjects themselves must be notified without undue delay if there is a high risk to their rights and freedoms.
Failure to do so risks an administrative fine of up to €10 million or 2% of annual global turnover (whichever is greater) – the lower tier of GDPR fines.
For other GDPR infringements relating to data processing, organisations risk administrative fines of up to €20 million or 4% of annual global turnover (again, whichever is greater).
A personal data breach is defined by the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Complying with the NDB scheme and the GDPR
The GDPR sets out stringent requirements for all organisations that process personal data. Achieving compliance with it means implementing technical and organisational measures that will also substantially help your compliance with the NDB scheme and the Privacy Act.