The advancement of technology has brought risks of data breaches worldwide. While we’re not seeing any sort of global authority on how to handle data breaches, countries across the globe are taking various forms of action. Some countries are making national laws, and others are making new state or regional laws. Australia has taken note and issued its version of a data privacy and notification law, which becomes effective this year.
The European Union recently issued GDPR (General Data Protection Regulation) and most of the states in the United States have some form of data privacy laws as well. Similar to GDPR, the Australian version of data privacy and notification law is a move toward strengthening transparency and accountability in governance. Another similarity between Australia’s new data privacy law and GDPR is that the Australian law applies to nonprofit entities as well as for-profit corporations because many nonprofits collect large amounts of personal information. The new law defines eligible data breaches and makes a few notable exceptions.
What Nonprofits Need to Know About Australia’s Notifiable Data Breaches Scheme
Australian government agencies, businesses and nonprofits with an annual turnover of more than $2.3 million in US dollars, private-sector health service providers and agencies that report credit ratings are subject to the Scheme. International entities that fall under the same categories must also comply with the Scheme if they have an Australian link.
The definition of an Australian link includes entities that collect or hold personal information in Australia while conducting business in Australia or its external territories. The Australian link applies to everyone, whether they are Australian citizens or not.
How Does the Scheme Affect Nonprofit Entities?
Entities that collect or hold personal data must notify the Office of the Australian Information Commissioner (OAIC), and anyone else affected, of an eligible data breach, which is a breach that involves personal information and that could cause serious harm to any affected individual.
How Does the Scheme Determine Risk of Harm?
The design of the Scheme discourages over-notification. The law applies when an entity holds personal information and an unauthorized person or persons accesses or discloses personal information in a way that may cause serious harm to one or more individuals. The law further clarifies the risk of harm by stating that the breach is notifiable only if the entity hasn’t been able to prevent the serious harm by taking remedial action.
This leaves entities responsible for making a subjective decision about whether or not they should notify the OAIC of a breach. Entities will need to assign a person with reasonable qualifications to make an objective assessment of whether to report a breach within 30 days of the date that they become aware of it.
The OAIC is available to offer advice and guidance for entities that need clarification about notification requirements.
What Qualifies as Personal Information Under the Scheme?
The Scheme outlines the type of information the law classifies as personal information. The definition of personal information includes names, addresses, medical records, bank account information, photos, videos and other information that describes an individual’s likes, opinions and vocation.
Personal information also includes information and opinions that can identify an individual, whether or not that information or opinion is recorded, and whether or not it is true.
What Are the Notable Exceptions Under the Scheme?
The Scheme allows for certain exceptions to the basic rules. Entities don’t have to report breaches under the following circumstances:
- When law enforcement organizations have a reasonable belief that notification will prejudice a law enforcement investigation or activity
- When the notification is inconsistent with Australian law regarding data disclosure
- When the entity receives word from the Commissioner that notification isn’t required
- When certain exclusions under the My Health Records system apply
If two or more entities hold personal information jointly and that information is breached, the Scheme only requires one of them to report the breach to the Commissioner.
What Types of Information Do Entities Report?
The Commissioner requires entities to report a description of the data breach and the kinds of information that are at risk. Organizations must also describe their plan of action, including specific steps that they plan to take in response to the breach, along with their contact information.
Entities may use an online reporting form to report the breach.
The Scheme also has requirements for reporting to individuals affected by a data breach. Entities must notify all individuals related to the breach if they can’t determine which of them is at risk of serious harm. If an entity is able to determine the exact individuals who are at risk of serious harm, they’re only obligated to notify those individuals.
It’s acceptable for entities to use a published notification when they don’t have contact information for all individuals and there’s no other way to contact them individually.
Entities must notify individuals as soon as practicable after they’ve informed the Commissioner.
How Will Australia Enforce the Scheme?
The OAIC is the enforcing body for the Scheme. For entities that violate the Scheme, the Commissioner retains the authority to initiate enforcement proceedings, to seek injunctions and to issue civil penalties. Entities that fail to comply with the Scheme may be subject to fines of $330,000 in US dollars for serious or repeated violations of privacy. The maximum penalty is $1.65 million in US dollars.
Things for Nonprofits to Consider With Implementation of the Scheme
Certainly, not all nonprofits will meet the requirements for notification in Australia. For those that do, it’s worth noting a few important issues. International organizations that are subject to the Scheme need to review their data privacy response plans, if they haven’t already, and make sure that they are in compliance with the Scheme. Response plans should take the OAIC’s guidance into account as it pertains to the definition of serious harm.
Until there is more experience under the Scheme, the Commissioner recommends that entities err on the side of caution in processing personal information.