Publication date: January 2023

Notifiable Data Breaches (NDB) scheme

11.1 The OAIC administers a Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.

11.2 Under Parts IIIC and VIIIA, entities that have information security obligations under the Privacy Act[1] must generally notify individuals (or, in relation to CDR data, consumers) whose information was involved, and the Australian Information Commissioner (the Commissioner), about eligible data breaches (ss 26WK and 26WL and s 94S).

11.3 The Commissioner has the following functions under the scheme:

  • offering advice and guidance to regulated entities, and providing information to the community about the operation of the scheme
  • promoting compliance with the scheme
  • receiving notifications from entities
  • directing an entity to notify under s 26WR
  • declaring that notification need not be made, or that notification be delayed under s 26WQ.

11.4 Section 56ES(1) and (2) of the Competition and Consumer Act provide that Part IIIC of the Privacy Act applies to accredited data recipients or designated gateways in relation to their handling of CDR data within the CDR scheme. This means that data breaches within the CDR scheme that relate to the handling of the CDR data of CDR consumers (including individuals and small businesses) must be reported to the OAIC and are subject to the requirements of Part IIIC of the Privacy Act.

11.5 Additionally, s 37 of the Data Availability and Transparency Act 2022 (DAT Act) provides that if a data custodian of public sector data has shared personal information with or through an accredited entity under the scheme then Part IIIC of the Privacy Act will apply as if the personal information were held by the data custodian. This has the effect that the data custodian has responsibilities under Part IIIC in relation to the personal information held by the accredited entity.[2] Section 37(3) of the DAT Act provides that if an accredited entity reasonably suspects or becomes aware that a data breach of the entity has occurred, the accredited entity must give the data custodian written notice of the suspected or actual data breach in sufficient time and detail to enable the data custodian to comply with its obligations under Part IIIC of the Privacy Act.

Promoting compliance with the scheme

11.6 The OAIC has developed guidance about the NDB scheme to assist entities to comply.

11.7 Section 13(4A) of the Privacy Act provides that if an entity contravenes any of the following requirements of the NDB scheme, the contravention is taken to be an act that is an interference with the privacy of an individual, subject to possible enforcement action:

  • carry out an assessment of a suspected eligible data breach (s 26WH(2))
  • prepare a statement about the eligible data breach, and give a copy to the Commissioner as soon as practicable (s 26WK(2))
  • notify the contents of the statement to individuals whose personal information was involved in the eligible data breach (or, in certain circumstances, publish the statement) as soon as practicable (s 26WL(3))
  • comply with a direction from the Commissioner to notify the eligible data breach (s 26WR(10)).

11.8 The OAIC has developed guidance about the NDB scheme to assist entities.

11.9 The Commissioner may, on the Commissioner’s own initiative, investigate an act or practice that may be an interference with privacy where the Commissioner thinks it is desirable to do so (s 40(2)). The Commissioner must also investigate complaints made by individuals where an act or practice may be an interference with the privacy of the individual (s 40(1)).

11.10 If the Commissioner has reason to believe that a person or entity has information or documents regarding an actual or suspected eligible data breach and/or an entity’s compliance with the data breach notification requirements in the Act, the Commissioner may issue a notice under s 26WU of the Privacy Act requiring the production of that information or documentation from any person or entity.

11.11 It is important that the OAIC has a comprehensive knowledge of the information compromised in an actual or suspected eligible data breach in order to assess the particular risk of harm to individuals. For example, additional information may assist the Commissioner in determining whether to issue a notification under section 26WR to direct an entity to notify the Commissioner and affected individuals about an eligible data breach.

11.12 The persons or entities need not be the entity that has suffered the actual or suspected eligible data breach. The party need only be a party which the Commissioner has reason to believe can assist. The parties could include entities who store or handle personal information that may have been affected by the data breach and entities who have information about the arrangements under which the personal information was secured or stored.

11.13 The Commissioner may also issue a notice under s 26WU requiring such a third party to answer questions. Failure to comply with the Commissioner's notice under s 26WU is subject to penalties including an infringement notice. These penalties are discussed in Chapter 8 above.

11.14 Where the Commissioner has identified an interference with privacy, there are a number of enforcement powers available to the Commissioner, ranging from less serious to more serious regulatory action depending on the relevant factors. These include powers to:

  • accept an enforceable undertaking (s 80V of the Privacy Act and s 114 of the Regulatory Powers Act) and bring proceedings to enforce an enforceable undertaking (s 115 of the Regulatory Powers Act)
  • make a determination (s 52) and bring proceedings to enforce a determination (ss 55A and 62)
  • seek an injunction to prevent ongoing activity or a recurrence (s 80W)
  • apply to a court for a civil penalty order for a breach of a civil penalty provision (s 80U), which includes serious or repeated interferences with privacy.

11.15 In deciding whether an investigation or enforcement action is appropriate in the circumstances, the Commissioner will act in accordance with the OAIC’s Privacy Regulatory Action Policy, and the CDR Regulatory Action Policy where applicable.

Receipt of notifications

11.16 The Commissioner will acknowledge receipt of all data breach notifications.

11.17 The Commissioner may or may not take any action in response to a data breach notification. The Commissioner will decide which notifications to respond to depending on available resources, and the Commissioner’s evaluation of the extent to which taking action in response to the notification will further the objects of the Privacy Act and the objects of Part IVD of the Competition and Consumer Act for the CDR scheme where appropriate.

11.18 Some notifications may point to a possible interference with privacy. Under s 42, the Commissioner may make preliminary inquiries to determine whether to investigate an act or practice that may be an interference with privacy, or in relation to the CDR scheme, that may be a breach of a privacy safeguard or a privacy or confidentiality related Rule, where there has been a complaint or on the Commissioner’s own initiative. In deciding whether to make preliminary inquiries or offer advice and guidance in response to a notification, the Commissioner may consider:

  • the type and sensitivity of the personal information involved
  • the numbers of individuals or CDR consumers potentially at risk of serious harm
  • whether the data breach has been contained or is in the process of being contained where feasible
  • steps the notifying entity has taken, or is taking, to mitigate the impact on individuals or CDR consumers at risk of serious harm
  • measures that the entity has taken, or is taking, to minimise the likelihood of a similar breach occurring again.

11.19 The Commissioner may also inquire about the incident to determine whether the OAIC can provide assistance to the entity, such as best practice advice on data breach responses and the prevention of similar incidents in the future.

Declaration of Commissioner — exception to notification (s 26WQ)

11.20 The Commissioner may declare that an entity does not need to comply with the notification requirements in the NDB scheme in relation to an eligible data breach. Under s 26WQ the Commissioner may give written notice declaring that a statement to the Commissioner (under s 26WK) and notification to individuals or CDR consumers (under s 26WL) is not required,[3] or that notification to individuals or CDR consumers is delayed for a specified period.[4]

11.21 The Commissioner must not make a declaration unless satisfied that it is reasonable in the circumstances to do so, having regard to:

  • the public interest (s 26WQ(3)(a))
  • any relevant advice given to the Commissioner by an enforcement body or the Australian Signals Directorate (ASD) (s 26WQ(3)(b)),[5] and
  • such other matters (if any) as the Commissioner considers relevant (s 26WQ(3)(c)).

11.22 An entity that is considering applying to the Commissioner for a s 26WQ declaration should do so as soon as practicable after the entity is aware that there are reasonable grounds to believe an eligible data breach has occurred.

11.23 In deciding whether to make a declaration, and on what terms, the Commissioner will have regard to the objects of the Privacy Act and other relevant matters. The Commissioner will consider whether the risks associated with not notifying of a particular data breach outweigh the benefits of notification to individuals or CDR consumers at risk of serious harm.

11.24 Given the clear objective of the scheme to promote notification of eligible data breaches, and the inclusion of exceptions in the scheme that remove the need to notify in a wide range of circumstances, the Commissioner expects that declarations under s 26WQ will only be made in exceptional cases and only after a compelling case has been put forward by the entity seeking the declaration.

Applying for a s 26WQ declaration

11.25 An entity considering making an application under s 26WQ should contact the OAIC in the first instance to discuss its intention.

11.26 If the entity decides to make an application, it should provide the following information and documents to the OAIC:

  • a detailed description of the data breach
  • a statement outlining the entity’s reasons for seeking a s 26WQ notice
  • a draft notice setting out the terms that it believes should be included in the notice issued by the Commissioner
  • relevant supporting documents and evidence (including, if applicable, relevant advice from an enforcement body or the ASD)
  • contact details of an employee or representative of the entity.

11.27 The onus is on the entity to demonstrate to the Commissioner that it is appropriate for the Commissioner to make a declaration. As such, the entity applying for a declaration will be expected to make a well-reasoned and compelling case detailing how the data breach is an eligible data breach, why any relevant exceptions do not apply, and why notification should not occur or should be delayed. The entity should provide detailed evidence or information in support of its application.

11.28 The Commissioner may seek further information from the entity or third parties. However, given the time critical nature of data breach notifications, the entity may not have a further opportunity to provide evidence or submissions to the OAIC before the Commissioner makes a decision on the application. As such, the entity should include all relevant information in its written application.

11.29 In considering whether to make a declaration, the Commissioner will have regard to relevant factors which may include:

  • the objects in s 2A of the Privacy Act and the objects of the CDR scheme in Part IVD of the Competition and Consumer Act (set out in s 56AA) if applicable
  • the purposes of the NDB scheme, which include enabling individuals (and in the case of the CDR scheme, CDR consumers) to take steps to protect themselves from serious harm arising from a data breach
  • the circumstances of the eligible data breach
  • the extent to which notification will cause harm to particular groups or to the community at large
  • the extent to which benefits of notification will be lost or diminished if notification does not occur or is delayed
  • whether advice from an enforcement body or the ASD indicates that notification would be contrary to the public interest in the effective conduct of enforcement related activities or national security matters
  • whether the entity responsible for the eligible data breach has been the subject of prior compliance or regulatory enforcement action by the OAIC, and the outcome of that action
  • whether the eligible data breach is an isolated instance, or whether it indicates a potential systemic issue (either within the entity concerned or within an industry) or a potential issue which may pose ongoing compliance or enforcement issues
  • such other matters as the Commissioner considers relevant.

11.30 After considering the application, the Commissioner will make one of the following decisions:

  • a declaration that notification does not need to occur
  • a declaration that notification can be delayed (either for the period proposed by the applicant, or another period selected by the Commissioner)
  • a refusal of the application.

11.31 Where the Commissioner refuses a declaration, the Commissioner will give written notice of the refusal (s 26WQ(7)).

11.32 Decisions by the Commissioner under s 26WQ are reviewable by the Administrative Appeals Tribunal (AAT).[6] An application for review by the AAT may be made by the entity that made the application for the declaration, or another entity whose obligations under the NDB scheme are affected by the declaration.[7]

Direction of Commissioner — requiring notification (s 26WR)

11.33 The Commissioner may direct an entity to:

  • prepare a statement about the eligible data breach
  • give a copy of the statement to the Commissioner, and
  • notify individuals or CDR consumers about the eligible data breach.

11.34 In deciding whether to give a direction to an entity under s 26WR(1), the Commissioner must consider:

  • any relevant advice given to the Commissioner by an enforcement body or the ASD (s 26WR(6)(a))
  • any relevant submission made by the entity (s 26WR(6)(b))
  • such other matters (if any) as the Commissioner considers relevant (s 26WR(6)(c)).

11.35 Under s 26WR(5), a direction by the Commissioner may require an entity to include specified information about the eligible data breach, in addition to the information required in a statement prepared for the Commissioner under s 26WR(4).

11.36 The specified information that relates to an eligible data breach is likely to be information that the Commissioner considers would assist individuals or CDR consumers to take appropriate action in response to the eligible data breach. Examples could include:

  • information about the risk of harm to individuals that the Commissioner considers exists as a result of the eligible data breach
  • recommendations about steps the Commissioner considers individuals should take in response to the eligible data breach
  • information about complaint mechanisms available under the Privacy Act to individuals and under the Competition and Consumer Act to CDR consumers who are affected by the eligible data breach
  • other specified information relating to the eligible data breach that the Commissioner considers reasonable and appropriate in the circumstances to include in the statement.

Process for making a s 26WR direction

11.37 Before directing an entity to notify, the Commissioner will usually ask the entity to agree to notify voluntarily.

11.38 If the Commissioner and the entity cannot agree about whether notification should occur, the Commissioner will formally invite the entity to make a submission about the direction under consideration, within a specified period (s 26WR(3)). The form of the invitation, and the period of time specified in the invitation for the entity to respond, will be for the Commissioner to determine depending on the particular circumstances. In deciding the form and period of time to respond, the Commissioner will have regard to the impact on the entity and the nature and imminence of the risk of harm to individuals or CDR consumers who would receive notification of the eligible data breach the Commissioner has reasonable grounds to believe has happened.

11.39 The Commissioner will consider submissions and any other relevant information provided by the entity within the period specified before deciding whether to direct the entity to notify under s 26WR.

11.40 The Commissioner’s decision will be communicated to the entity in writing. Entities can apply to the AAT for review of a decision by the Commissioner under s 26WR(1) to make a direction.[8]

11.41 An entity must comply with a direction made under s 26WR(1) as soon as practicable (s 26WR(10)). Contravention of s 26WR(10) is an interference with the privacy of an individual (s 13(4A)).

Publication and disclosure of information

11.42 The OAIC publishes statistics in connection with the NDB scheme.

11.43 The OAIC will respect the confidence of commercially or operationally sensitive information that is provided voluntarily in support of a data breach notification.

11.44 As a matter of course, the Commissioner will consult with entities following a request for information made under FOI law. For FOI requests relating to agencies, the Commissioner will offer to transfer requests to the agency in question.

11.45 Decisions about public communications will be made in accordance with the considerations set out in the ‘Public communication as part of privacy regulatory action’ section of the Privacy Regulatory Action Policy, and where appropriate, the CDR Regulatory Action Policy.

Reporting under the My Health Records Act

11.46 Under s 75 of the My Health Records Act, some entities have a mandatory obligation to provide notification of certain data breaches, including potential breaches, in connection with the My Health Record system. The mandatory notification obligation applies to entities that are, or have at any time been, the System Operator,[9] a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider (as defined in the My Health Records Act). Depending on the entity involved, notification must be made to either the OAIC or the System Operator or both.

11.47 A failure by a registered healthcare provider organisation, a registered repository operator, a portal operator or a registered contracted service provider to notify in accordance with s 75 is a breach of a civil penalty provision and may result in that entity being liable to pay a penalty.

11.48 The My Health Records Act also outlines in s 75(5) and (6) the steps an entity must take to contain and respond to the breach, or potential breach. The OAIC has developed the Guide to Mandatory Data Breach Notification in the My Health Record system to assist entities to comply with their mandatory data breach obligations.

11.49 Data breaches that are notified under s 75 of the My Health Records Act, do not need to be notified under the NDB scheme.

Responding to data breach notifications under the My Health Records Act

11.50 In assessing and responding to mandatory notifications, the OAIC will consider compliance with the My Health Records Act in addition to compliance with the APPs where relevant. The OAIC may also consider whether the breach was reported ‘as soon as practicable’, as required under s 75(2).

11.51 Section 75(5) of the My Health Records Act requires entities to take certain steps in responding to a data breach that may have occurred or arisen. These steps include containing the breach, evaluating the risks arising from the breach, notifying affected healthcare recipients (if the entity is the System Operator) or asking the System Operator to notify affected healthcare recipients (as applicable). The OAIC will consider these steps when assessing the severity of the breach and the entity’s response. Section 75(6) of the My Health Records Act also requires entities to take steps in responding to a data breach that has occurred (rather than to a potential data breach). These steps include containing the breach (and to undertake a preliminary assessment of the causes), evaluating the risks related to or arising from the breach, notifying affected healthcare recipients (if the entity is the System Operator) or asking the System Operator to notify affected healthcare recipients (as applicable) and taking steps to prevent or mitigate the effects of further breaches.

11.52 The Commissioner has investigative powers under s 73(3) of the My Health Records Act, and may use these powers instead of the investigative powers under the Privacy Act if an investigation is warranted following a mandatory notification. However, the Commissioner will generally conduct investigations under the Privacy Act rather than the My Health Records Act unless there is a reason to conduct the investigation under the latter Act.

11.53 When entities are required to notify both the OAIC and the My Health Record System Operator of data breaches, the OAIC may consult with the System Operator when responding to the notification.

Reporting under the National Cancer Screening Register Act

11.54 Under s 22A of the National Cancer Screening Register Act 2016 (NCSR Act), the Secretary of the Department of Health (the Secretary), contracted service providers and former contracted service providers have a mandatory obligation to notify the Information Commissioner of certain data breaches, including potential breaches, in connection with the National Cancer Screening Register.

11.55 A failure by the Secretary, contracted service providers or former contracted service providers to notify in accordance with s 22A is a breach of a civil penalty provision and may result in that entity being liable to pay a penalty.

11.56 The NCSR Act also outlines in ss 22A(4) and (5) the steps the Secretary, contracted service providers or former contracted service providers must take to contain and respond to the breach, or potential breach.

11.57 Data breaches that are notified under s 22A of the NCSR Act, may also need to be notified under the NDB scheme, depending on the circumstances.

11.58 For more information on reporting under the NDB scheme, see paragraph 11.2.

Responding to data breach notifications under the NCSR Act

11.59 The OAIC will generally follow similar steps to the process outlined in relation to the My Health Records Act above (see paragraphs 11.4 to 11.7) when responding to mandatory data breach notifications under s 22A of the NCSR Act.

Footnotes

[1] For more information see Entities covered by the NDB scheme.

[2] Section 37(4) of the DAT Act provides that ss 37(2) and 37(3) do not apply if the accredited entity is an APP entity and the data sharing agreement under which the personal information was shared with the entity provides that subsections (2) and (3) are not to apply in relation to the personal information. This has the effect that only the entity with which the personal information was shared, and not the data custodian, has responsibilities under Part IIIC of the Privacy Act.

[3] Under s 26WQ(1)(c).

[4] Under s 26WQ(1)(d).

[5] The Commissioner may be given such advice or the Commissioner may or may not request such advice.

[6] Privacy Act, ss 96(1)(ba) and 96(bb).

[7] Privacy Act, ss 96(2A) and 96(2B).

[8] Privacy Act, s 96(1)(bc).

[9] ‘System Operator’ is defined in s 14 of the My Health Records Act.