Information Commissioner to host Data Breach Webinar

The Office of the Australian Information Commissioner (OAIC) has released further draft guidance on the notifiable data breaches (NDB) regime that comes into effect in just over three months’ time. It is also hosting a Webinar on 21 November 2017 at 12.00 pm AEDT to explain how the obligations of the scheme will work in practice.

The NDB scheme commences from 22 February 2018, and will require private sector businesses and government agencies covered by the Australian Privacy Act to notify affected individuals of ‘eligible data breaches’. An ‘eligible data breach’ is one that poses a likely risk of serious harm to any individual whose personal information is affected.

In addition to notifying individuals at a likely risk of serious harm, organisations will be obligated to notify the head of the OAIC, the Australian Information Commissioner.

The Webinar on 21 November will be hosted by OAIC directors Annan Boag and Sophie Higgins, who lead the development of the OAIC’s NDB resources. They will cover the key timings of the scheme, refer to case study examples, and answer questions during a Q&A session.

Annan Boag is Director — Dispute Resolution, Office of the Australian Information Commissioner. He has been the lead on a number of investigations concerning high-profile data breaches and technology and telecommunications issues, including the investigation of the 2015 Ashley Madison data breach and the 2016 Red Cross Blood Service data breach.

Sophie Higgins, Director — Regulation and Strategy, was closely involved in the privacy law reform and implementation process in 2014, including in the development of the Australian Privacy Principles Guidelines.

Recent draft documents released by the OAIC include:

According to Clayton Utz lawyers, these materials provide greater clarity as to the OAIC’s expectations of entities which will be subject to the NDB Scheme.

While these materials are currently in draft, Clayton Utz does not expect their final form to differ in any material respect.

The draft notifiable data breach statement, used to inform the Australian Information Commissioner of an ‘eligible data breach’, is divided into two parts.

Part one is the ‘statement’ about a data breach required by section 26WK of the Privacy Act 1988. If you are required to notify individuals of the breach, in your notification to those individuals you must provide them with the information you have entered into part one of the form.

Part two of the form is optional and asks entities to voluntarily provide additional information about the eligible data breach. However, the OAIC may need to contact you to seek further information if you do not complete this part of the form.

Lawyers Clyde & Co LLP advise that in order to provide the required data breach statement, organisations will need to have a strong understanding of the specific circumstances of the breach including the types of records compromised, whether other organisations may be affected and how the underlying security breach event occurred.

They add: “The depth of information which must be provided to the OAIC highlights how important it is to be fully prepared for the notifiable data breach regime. Organisations should be preparing and testing their data breach response plan and ensuring that it contains detailed policies and systems to ensure prompt notification to the OAIC and affected individuals after an eligible data breach.”