Defining eligible data breaches: a critical component of the NSW mandatory notification scheme

Coming into effect soon: NSW Mandatory Notification Scheme.

Table of contents

  1. Introduction
  2. The Importance of Data Breach Notification in NSW
  3. Key Elements of the NSW Mandatory Notification Scheme
  4. Identifying and Responding to Eligible Data Breaches
  5. The Impact and Consequences of Not Reporting Eligible Data Breaches

What do you need to know to mitigate your risk?

In the digital age, protecting personal data is of paramount importance. As cyber threats become increasingly sophisticated, the need for robust data protection measures has never been greater. In New South Wales (NSW), this need is addressed through the Mandatory Notification Scheme, a legal requirement for organisations to report eligible data breaches that is coming into effect on 28 November 2023. Understanding what constitutes an eligible data breach and how to respond is critical for businesses to maintain trust and avoid potential penalties. This blog post aims to provide a comprehensive overview of eligible data breaches within the context of the NSW Mandatory Notification Scheme.

The Importance of Data Breach Notification in NSW

In recent times, data breaches have unfortunately become a common occurrence, and the importance of data breach notification cannot be overstated. In NSW, the Privacy and Personal Information Protection Act 1998 provides the legal framework for the protection of personal information. The Health Records and Information Privacy Act 2002 regulates the handling of health information.

The NSW Mandatory Notification Scheme requires organisations to notify individuals and the Information and Privacy Commission (IPC) when there is a data breach that is likely to result in serious harm. This notification must include information about the nature of the breach, the type of information involved, and what individuals can do to protect themselves.

Key Elements of the NSW Mandatory Notification Scheme

The NSW Mandatory Notification Scheme is a critical component of the state’s data protection landscape. This scheme, designed to protect personal information, hinges on the concept of “eligible data breaches” (EDB). These breaches occur when there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an entity that is likely to result in serious harm to any of the individuals to whom the information relates.

  1. Understanding Eligible Data Breaches: An eligible data breach is not just any data breach. It is a breach that meets specific criteria outlined in the scheme. For a data breach to qualify as an eligible data breach, it must satisfy all of the following conditions:
    • There must be unauthorised access to, unauthorised disclosure of, or loss of personal information.
    • The data breach is likely to result in serious harm to one or more individuals.
    • The entity has not been able to prevent the likely risk of serious harm through remedial action.
  2. Notification Obligations: If an entity suspects that there may have been an eligible data breach, it is obliged to carry out a reasonable and expeditious assessment within 30 days. If an eligible data breach is confirmed, the entity must notify the individuals at likely risk of serious harm and the Australian Information Commissioner as soon as practicable.
  3. Exceptions to the Notification Requirement: There are some exceptions to the notification requirement. For instance, if the entity acts in response to a data breach and, because of this action, the data breach is no longer likely to result in serious harm, the data breach is not an eligible data breach.

To further comprehend the concept of EDBs, we need to dissect it into its fundamental elements:

  1. Unauthorised Access, Disclosure, or Loss: This pertains to situations where personal information held by an entity is accessed, disclosed, or lost without proper authorisation. This could involve hacking, employee misconduct, or even accidental loss.
  2. Likelihood of Serious Harm: The breach must be likely to result in serious harm to the individuals whose personal information is involved. Serious harm can include physical, psychological, emotional, financial, or reputational harm.
  3. Personal Information: This refers to information or an opinion about an identified individual, or a reasonably identifiable individual, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

Identifying an Eligible Data Breach

Identifying an EDB requires a keen understanding of what constitutes a data breach. According to the Office of the Australian Information Commissioner (OAIC), an EDB is defined as:

  1. Unauthorised access to or disclosure of personal information, or
  2. Loss of personal information that an entity holds,
  3. Which is likely to result in serious harm to any of the individuals to whom the information relates.

To identify an EDB, organisations should look out for suspicious activities such as unusual system activity, unauthorised access, or reports from individuals or external entities.

Responding to an Eligible Data Breach

Once an EDB is identified, swift action is required. Here are the key steps to take:

  1. Contain the breach: Stop additional data loss by disconnecting the affected system, changing access controls, or addressing vulnerabilities.
  2. Evaluate the risks associated with the breach: Understand the type of data involved, the cause and extent of the breach, and the harm that could come to the individuals involved.
  3. Notification: If serious harm is likely, notify the individuals involved and the OAIC as soon as possible.

The Impact and Consequences of Not Reporting Eligible Data Breaches

The repercussions of not reporting eligible data breaches can be far-reaching and severe. It’s a Pandora’s Box that no organisation would want to open. Below, we delve into the potential impact and consequences.

  1. Legal Penalties: The Office of the Australian Information Commissioner (OAIC) can impose fines of up to $2.1 million for non-compliance with the NSW Mandatory Notification Scheme. In addition, organisations may face civil lawsuits from affected individuals.
  2. Reputational Damage: Trust is a fragile asset. Once breached, it’s difficult to regain. A data breach, especially one that’s not reported, can significantly tarnish an organisation’s reputation, leading to the loss of customers and business partners.
  3. Financial Loss: The financial implications extend beyond legal penalties. Organisations may also incur costs related to breach rectification, customer notification, and potential loss of business.
  4. Operational Disruptions: A data breach can disrupt business operations, especially if systems need to be shut down for investigations or repairs.

The consequences of not reporting eligible data breaches are not just legal but also financial and reputational. Therefore, organisations must comply with the NSW Mandatory Notification Scheme, not only to avoid these consequences but also to ensure the protection and respect of individuals’ personal information.

Ensuring you have good data quality and governance processes in place is critical to protect your organisation from the consequences of data breaches. Customer Science Group’s Data Quality Management services can be a valuable resource to help improve data governance in your organisation.

If you’re interested in understanding more about data breaches and how to prevent them, please contact the Management Consulting team at Customer Science Group or complete the form below.
