Notifiable Data Breaches – Are You Ready?
Notifiable Data Breaches scheme
The Notifiable Data Breaches (NDB) scheme applies from 22 February 2018. Are you ready?
The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm in addition to notifying the Australian Information Commissioner (Commissioner).
Organisations must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm, and as a result require notification.
What information is captured?
Personal information includes:
- Financial details
- Tax File Number
- Identity information – Centrelink reference number, passport number, driver licence number
- Contact information – home address, phone number, email address
- Health information
- Other sensitive information – sexual orientation, political or religious views
Eligible data breaches
A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates.
Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in the organisation’s position.
Are your conduct and behaviour linked to reporting mechanisms?
Managing eligible data breaches will require specialist input from a compliance or legal expert, with an assessment to be made within 30 days.
The key will be how quickly the breach can be identified at its source and notified internally through reporting mechanisms to the appropriate decision maker.
Unfortunately, eligible data breaches do not pop up shouting ‘I’m an eligible data breach’. Consider the following:
- A customer calls your 1800 number to advise that your claims assessor provided her new confidential contact details to her former partner, who is subject to an AVO;
- Your Insurtech partner inadvertently released real customer data onto their website during the testing phase. The information, including credit card details, was available to anyone who accessed the website for a 3-hour period;
- A conscientious team member doing work on their laptop on the train home is unaware that the passenger seated beside them has taken a photo of their screen displaying details of claims in connection with life policies. The photo has now been distributed via social media because some of the claim circumstances are humorous;
- The full health history of a person was sent to their employer in error as part of a workers compensation claim file. The person had not advised their employer of a previous mental health condition.
Can all people in your organisation who come into contact with personal information recognise what ‘personal information’ is, and are they aware of what to do when that information is lost or subjected to unauthorised access or disclosure?
- How were they trained? Were they trained in the everyday business language that they understand, or in the technical language of the Privacy Act?
- Were staff provided with documents created purely for the purposes of eligible data breach reporting, or were existing interactions with customers and partners observed, areas of potential breach identified, and controls introduced or enhanced?
- Were situational role plays used in the training process, or was an online module rolled out with an assessment as evidence of compliance?
- Are relevant staff aware of the ‘triggers’ that could flag an issue? Were potential pain points identified and #hashtags applied to certain words that may signal an issue?
- Were KPIs and reward systems aligned to the right behaviours to protect customers’ information?
Are you really ready?
Was your Privacy regulatory change rolled out from a risk and compliance perspective focusing upon risk procedures and systems or was it rolled out adopting a business context using behaviours and conduct underpinned by supporting process?
If the latter, then yes, you are ready. If the former, perhaps you need to consider translating legal and compliance obligations into a business context, focusing primarily on usual business behaviour and customer contact (conduct).
It is a false sense of assurance if your compliance and legal specialists are well prepared and ready to analyse eligible data breaches under the Privacy Act while no-one in the business can recognise what personal information or a data breach is.
Paul Muir is a compliance and regulatory specialist with 30 years industry experience. Paul delivers human centered compliance solutions and independent consumer advocate services to insurers. Paul can be contacted at firstname.lastname@example.org