Australia’s Answer to the GDPR: The Notifiable Data Breaches Scheme
Since its adoption the EU’s General Data Protection Regulation (GDPR) has created a domino effect around the world, with many countries moving forward with proposals for new data protection regulations or updates to existing ones. From Brazil’s Data Protection Bill of Law to China’s Internet Security Law, it seems data protection legislation is on every country’s agenda.
Australia is no different. In fact, it was one of the countries to get a head start in aligning its Privacy Act 1988 with some of the concepts and requirements the GDPR introduced. The Privacy Amendment (Notifiable Data Breaches) Act 2017 passed Parliament in February 2017 and commenced on 22 February 2018, three months before the GDPR became applicable on 25 May 2018.
As its name suggests, the Notifiable Data Breaches (NDB) scheme introduced mandatory data breach notification into the Privacy Act 1988. It obliges covered organisations to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when an eligible data breach has occurred: unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals concerned. The notification must also describe the recommended steps individuals can take in response to the breach.
The NDB Scheme vs the GDPR
The trigger under the NDB scheme is not the volume of data involved: a breach affecting a single record is notifiable if it is likely to result in serious harm to the individual, whether physical, psychological, emotional, financial or reputational. The GDPR's notification duty is also risk-based rather than size-based (it applies unless the breach is unlikely to result in a risk to individuals' rights and freedoms), so the two regimes differ in wording and threshold, not in any record count.
The scheme's scope is nonetheless limited. It applies to entities that already have obligations under the Privacy Act 1988: Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, private health service providers, credit reporting bodies and tax file number recipients, among others. Organisations with no existing Privacy Act obligations are outside it.
The NDB scheme is also more generous with its deadlines. An organisation that suspects a breach has up to 30 calendar days to assess whether it is an eligible data breach, and must then notify the OAIC and the affected individuals as soon as practicable. The GDPR, in contrast, gives controllers 72 hours from becoming aware of a breach to notify their supervisory authority.
In the post-GDPR world, non-compliance with data protection regulation comes with a stiff bill, and the NDB scheme is no exception: civil penalties for serious or repeated interference with privacy can reach $1.5 million for companies and $300,000 for individuals.
The first results of the NDB scheme
Since the NDB scheme came into effect, the OAIC has published quarterly statistics on the notifications it receives. The first report covered only the few weeks following commencement; the second, released at the end of July 2018, was the first to cover a full quarter.
The OAIC reported receiving 242 breach notifications in that quarter, 59% of which were attributed to malicious or criminal attacks, 36% to human error and 5% to system faults. Health was the most affected sector by far, with 49 notifications, followed by finance (36), legal, accounting and management services (20), education (19) and business and professional associations (15).
Most of the malicious or criminal breaches resulted from cyber incidents involving compromised credentials, while the most common human error was emailing personal information to the wrong recipient. Theft of paperwork or storage devices was also a notable source of malicious or criminal breaches. Staff training addresses some of this, but technical controls matter as well: Data Loss Prevention rules that inspect outbound mail for sensitive identifiers before it leaves the organisation, and full-disk encryption on laptops and removable media, so that a lost or stolen device is far less likely to expose the data it holds.
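The misdirected-email case above is the one a simple outbound DLP rule can catch. The following is an added example written for this page, not code from the original post or from any vendor product: it scans an outgoing message for Australian tax file numbers, validates each candidate with the published TFN modulus-11 check-digit algorithm so that invoice numbers and similar nine-digit strings are not flagged, and blocks the message only when a valid TFN would reach a recipient outside the organisation. The internal domain list, the sample message and the function names are assumptions made for the example; attachments are assumed to arrive as already-extracted text, since parsing document formats is out of scope here.

```python
import re
from dataclasses import dataclass, field

# Domains treated as inside the organisation. Hypothetical value chosen for
# this example; a real deployment would load it from configuration.
INTERNAL_DOMAINS = {"example.com.au"}

# Weights of the published Australian TFN check-digit algorithm: the weighted
# digit sum of a valid 9-digit TFN is divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Nine digits, optionally written as three groups separated by a space or a
# hyphen, and not embedded in a longer digit run (avoids phone numbers, IDs).
TFN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def is_valid_tfn(candidate: str) -> bool:
    """True if candidate (digits, spaces or hyphens) passes the TFN checksum."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 9:
        return False
    return sum(d * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def find_tfns(text: str) -> list[str]:
    """Return checksum-valid TFNs found in text, digits only, in order."""
    hits = []
    for m in TFN_CANDIDATE.finditer(text):
        digits = "".join(m.groups())
        if is_valid_tfn(digits):
            hits.append(digits)
    return hits


def mask(tfn: str) -> str:
    """Never write the full TFN into DLP logs or alerts; keep the last 3 digits."""
    return "*" * 6 + tfn[-3:]


@dataclass
class Verdict:
    allow: bool
    reasons: list[str] = field(default_factory=list)


def external_recipients(recipients: list[str]) -> list[str]:
    """Recipients whose mail domain is not on the internal allow-list."""
    return [r for r in recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def check_outbound(recipients: list[str], subject: str, body: str,
                   attachments_text: tuple[str, ...] = ()) -> Verdict:
    """Block a message that carries a valid TFN to any external recipient.

    Internal-only mail is allowed regardless of content; mail with no valid
    TFN is allowed regardless of recipients. Only the combination is blocked.
    """
    external = external_recipients(recipients)
    if not external:
        return Verdict(allow=True)
    corpus = "\n".join([subject, body, *attachments_text])
    tfns = find_tfns(corpus)
    if not tfns:
        return Verdict(allow=True)
    return Verdict(
        allow=False,
        reasons=[f"{len(tfns)} TFN(s) found: {', '.join(mask(t) for t in tfns)}",
                 f"external recipient(s): {', '.join(external)}"],
    )


if __name__ == "__main__":
    # Constructed sample: a payroll summary mistakenly addressed to an outside
    # party. 123 456 782 is a well-known checksum-valid test TFN, not a real
    # person's; 123-456-781 fails the checksum and must not be flagged.
    sample_body = ("Hi, attached is the payroll summary.\n"
                   "Employee TFN: 123 456 782. Reference 123-456-781 is an invoice number.")
    print(check_outbound(["finance@example.com.au", "j.doe@gmail.com"],
                         "Payroll summary", sample_body))
```

Two design points carry over to a real gateway: the checksum is what keeps the rule usable (a bare nine-digit regex fires on far too much ordinary business text), and the verdict deliberately masks the identifier, because a DLP alert that quotes the full TFN to a SOC mailbox is itself a disclosure.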
Most of the breaches reported were small in scale: 61% affected the personal information of 100 or fewer individuals, and 38% affected ten or fewer.
While the GDPR has yet to produce comparable statistics in Europe, the NDB scheme has already shown tentative first results. As organisations become familiar with the procedures and requirements of the amended Privacy Act, notification numbers are likely to rise further, along with the speed and consistency with which breaches are handled.