Feedback on Notifiable Data Breaches Scheme Draft Resources
The Law Council of Australia thanks the Office of the Australian Information Commissioner (OAIC) for the opportunity to provide feedback on the Notifiable Data Breaches (NDB) scheme draft resources.
The Law Council acknowledges the assistance of its Privacy Law Committee of the Business Law Section, the Law Society of South Australia, and the Law Society of New South Wales in the preparation of this submission.
The Law Council considers that the draft resources will be helpful for agencies and organisations because they summarise the law. However, the Law Council considers that the draft resources should provide clearer direction on which organisations are subject to the NDB scheme, what types of breaches must be notified, and the manner of notification. For example, as most law practices hold data, they would fall within the scope of the NDB scheme. Therefore, the issue to consider is under what circumstances they are required to report breaches of that data.
The Law Council has the following general suggestions on how to enhance the draft resources:
- add a paragraph addressed to individuals explaining that they may expect to receive notifications and how to respond;
- make it clear to organisations that they are not expected to make external enquiries to assess impact on individuals and can rely on the knowledge they have of the customer (e.g. a bank will have financial details, a hospital will have health information, etc.);
- add a flow chart that demonstrates the process (especially of the notifications to the OAIC);
- add a checklist for organisations based on the criteria with steps to be taken if notification is necessary;
- add a comment about the status of voluntary notifications;
- add a comment to help address notifications under other schemes or jurisdictions; and
- add additional examples as to what is notifiable.