The Notifiable Data Breaches Scheme And NFPs: Learning From The Past

With the arrival of a mandatory Notifiable Data Breaches scheme in Australia, Demetrio Zema and Bea Stathy from Law Squared explain how not for profits can ensure they are compliant with the scheme.

The Notifiable Data Breaches scheme

Not-for-profit organisations play an important and powerful role in enhancing social wellbeing. However, in delivering services to the community, they also operate as data aggregators, often collecting data sets of personal information relating to their members and clients. This information is both useful and a burden, and NFPs covered by the Privacy Act 1988 (Cth) must be prepared to meet their obligations under the incoming Notifiable Data Breaches scheme, which commences on Thursday. 

What is an eligible data breach?

The scheme requires Australian Privacy Principle (APP) entities to notify individuals, and the Australian Information Commissioner (AIC), if they have reasonable grounds to believe the personal information they hold has been breached and the breach amounts to an “eligible data breach”.

An eligible data breach is a serious data breach. It occurs when personal information is accessed or disclosed without authority, or is lost, and a reasonable person would conclude that this breach would likely result in “serious harm” to an individual affected by it.

APP entities will therefore need to assess data breaches on their likelihood of causing harm, and this assessment will require an examination of the specific facts of a matter. For example, it will draw into consideration the kind of information affected, whether it is sensitive, the resilience of any security measures protecting the information, and an assessment of the persons who have obtained the information.

The scheme is also flexible, in that appropriate remedial action taken by an APP entity to prevent serious harm will remove the data breach from the scope of the scheme, and it will not be taken to be an eligible data breach.

However, if an eligible data breach is suspected and, following a “reasonable and expeditious assessment”, it is determined that an eligible data breach has occurred, the APP entity will need to follow the notification obligations of the scheme.

Why does this affect NFPs?

Not all NFPs are covered by the scheme. Small businesses with an annual turnover of $3 million or less are ordinarily spared the compliance obligations of the Privacy Act. Nevertheless, NFPs that are health service providers are placed in a different position because they provide a health service and (consequently) hold health information.

Health information includes information or an opinion about a person’s mental or physical health, and covers any disability or injury suffered. Generally speaking, health information is a sensitive category of personal information and the Privacy Act applies to private sector health service providers, no matter the annual turnover of the organisation.

Other categories of NFPs caught by the scheme include organisations trading in personal information, employee associations, and contracted service providers for a Commonwealth contract (regardless of whether or not they are a party to the contract).

Lessons from the past

Data breaches are not uncommon and occur for reasons other than targeted attacks by cybercriminals. Data breaches may, for example, occur by accident. This was demonstrated by the inadvertent disclosure of over 550,000 records of prospective blood donors by the Australian Red Cross Blood Service in October 2016.

Red Cross is a most trusted NFP provider of blood services, yet an accidental oversight by a third-party website developer caused the unintended disclosure of both personal and sensitive information. The commissioner concluded an investigation into the matter in August 2017 and stated that “data breaches can still happen in the best organisations”. This comment stands as a reminder to NFPs to sharpen their focus on privacy issues to conserve the privacy of the individuals they serve, and to maintain public confidence.

NFPs are arguably more exposed under the scheme than other APP entities because they exchange health data with statutory agencies, third-party contractors and corporate community partners. With increased use comes increased risk and NFPs need to test the robustness and responsiveness of their processes to ensure they can comply with the scheme.

What happens if a NFPs fails to notify?

Under the scheme, a failure to comply will be considered an “interference with the privacy of an individual” and the commissioner has broad powers to ensure APP entities remedy their failures, including by directing them to prepare a statement and to notify affected individuals. In cases of serious or repeated non-compliance, the commissioner can issue a fine of up to $2.1 million for organisations.

What you should do.

NFPs must have contingencies in place to prevent and resolve eligible data breaches. Most importantly, they must act swiftly in the face of a serious breach because health information deserves a heightened response. NFPs should therefore create and maintain a data breach response plan and ensure this area of responsibility is situated with a person qualified to manage communications with the regulator, and with affected individuals.

Given the scheme’s commencement, it is timely for NFPs (specifically boards) to review and obtain advice on the NFP’s privacy policy, data classification policy, and  data breach insurance, to determine whether these are adequate.

It is not too late to take steps to ensure your NFP complies with the scheme. Failing to consider your NFP’s preparedness could lead to your organisation breaching the requirements of the scheme and suffering both civil fines and reputational harm.

About the Authors: Demetrio Zema is the founder of Law Squared, a new gen law firm named “Australia’s most innovative Law Firm”. Law Squared takes an entrepreneurial approach to the provision of legal services working with clients, across their Melbourne, Sydney and Brisbane offices from small businesses, not for profits to ASX-listed clients. Demetrio is the current deputy chair of the Centre for Multicultural Youth and a board member of Vic Deaf, along with being a sub-committee member of their Finance, Risk and Audit Committee.

Bea Stathy is a special counsel at Law Squared and has a particular interest in privacy and data law issues, as well as the regulatory challenges posed by new technologies (such as artificial intelligence). Bea is a pragmatic and responsive lawyer with experience across a variety of sectors including fintech, biotech, healthcare, defence, software, IT, water and renewable resources, and industrial manufacturing.