This summary of regulations is provided for informational purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.
DATA BREACH REPORTING AND NOTIFICATION
Australian Privacy Act 1988, specifically Part IIIC: Notifiable Data Breach (NDB) Scheme, effective February 22, 2018
My Health Records Act 2012
Notifiable Data Breach (NDB) Scheme
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. Entities covered under the NDB scheme are required to report a data breach to the Office of the Australian Information Commissioner and provide notification to individuals.
My Health Records
The My Health Records Act makes it mandatory for particular entities to notify the Office of the Australian Information Commissioner (OAIC) and the My Health Record System Operator of a data breach involving the My Health Record system. The My Health Record System Operator is the Australian Digital Health Agency.
- Australian Securities & Investments Commission (ASIC)
- Australian Prudential Regulation Authority (APRA)
- Australian Taxation Office (ATO)
- Australian Transaction Reports and Analysis Centre (AUSTRAC)
- Australian Cyber Security Centre (ACSC)
- Australian Digital Health Agency (ADHA)
- Department of Health
- Financial Institutions/Service Providers/Credit Companies
- Professional Associations and Regulatory Bodies
QUESTIONS & ANSWERS
Does the NDB scheme apply to you?
The NDB scheme applies to Australian Government agencies, businesses and not-for-profit organisations that have an annual turnover of more than AU$3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.
There are also exceptions and additional inclusions to take into consideration, for example breaches that involve multiple entities, or breaches that occur outside Australia but still involve entities with an "Australian link".
Does the My Health Records Act apply to you?
Entities covered by the My Health Records Act data breach provision include:
- My Health Record System Operators
- Registered healthcare provider organisations
- Registered Repository Operators (RROs)
- Registered Portal Operators (RPOs)
- Registered Contracted Service Providers
All Businesses have Personal Information!
OAIC states “Personal information is information about an identified individual, or an individual who is reasonably identifiable.[1] Entities should be aware that information that is not about an individual on its own can become personal information when it is combined with other information, if this combination results in an individual becoming ‘reasonably identifiable’ as a result.”
The Privacy Act defines personal information as:
Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
[1] See the OAIC’s “What is Personal Information?”
STATES AND TERRITORIES
These states and territories have laws established for the collection, handling, and protection of personal information, although these laws are mainly directed at their government organisations, local councils and government-contracted service providers.
Most of these agencies “strongly encourage” the entities they cover to report data breaches to them. This reporting may be separate from, or in addition to, the requirements under the Federal Notifiable Data Breach scheme and the My Health Records Act.
Australian Capital Territory
The Australian Capital Territory’s Information Privacy Act 2014 regulates the collection, storage, use, security, and access of personal information for public entities and contracted service providers for public entities.
New South Wales
The New South Wales Privacy and Personal Information Protection Act 1998 (PPIP Act) regulates the collection and handling of personal information by New South Wales public sector agencies. New South Wales strongly encourages all agencies to report all types of data breaches, including those involving personal information other than TFNs, to the NSW Information Privacy Commissioner (IPC) and to affected individuals.
Northern Territory
The Northern Territory of Australia Information Act, effective 12 April 2017, regulates the collection and handling of personal information by public sector organisations (PSOs). The Office of the Information Commissioner for the Northern Territory oversees the Information Act.
Queensland
The Right to Information Act 2009 and the Information Privacy Act 2009 promote access to government-held information and protect people’s personal information held by the public sector. These Acts are administered by the Queensland Office of the Information Commissioner (OIC). Queensland encourages public entities to report data breaches directly to the OIC.
South Australia
In addition to the Information Privacy Principles Instruction and the Code of Fair Information Practice, South Australia has published a Personal Information Data Breaches guideline for the public sector. The Privacy Committee of South Australia must be notified. In some circumstances it may also be appropriate to notify State Records, the South Australian Government Chief Information Security Officer, the Agency Security Executive, the Office for Cyber Security, and others.
Tasmania
The Personal Information Protection Act 2004 regulates the collection, use and disclosure of personal information, and applies to Personal Information Custodians. Instead of establishing a central body such as a Privacy Commissioner, Tasmania relies on the Tasmanian Ombudsman, which investigates complaints and makes any recommendation it considers appropriate in relation to the subject matter of a complaint.
Victoria
The Office of the Victorian Information Commissioner (OVIC) administers the Privacy and Data Protection Act 2014 (PDP Act), which specifically regulates how government organisations, local councils and government-contracted service providers collect and handle personal information. OVIC strongly recommends that these entities report data breaches to it.
Western Australia
The state public sector in Western Australia does not currently have a legislative privacy regime. The Office of the Information Commissioner oversees the state’s Freedom of Information Act 1992.
What if I fail to report data loss?
It’s critical that you take the right steps to comply with all the rules and regulations for breach reporting and consumer notification, whether the breach is actual or suspected. Regulators will not be lenient! Non-compliance can result in fines and penalties, injunctions, and civil and criminal legal action.
The ‘civil penalty provisions’ in the Privacy Act include penalties of up to $420,000, but the court can increase the fine by up to five times the amount listed in the civil penalty provision (current maximum $2.1 million).