The Notifiable Data Breach Scheme (NDB Scheme) came into force on 22 February 2018, resulting in various changes to Australia’s privacy law. In previous posts, we have considered the nature and contents of notification statements, how to identify which data breaches need to be notified, and the steps to be taken when an organisation suspects a data breach.
In this post, we look at which organisation is responsible for notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach occurs and information is jointly held by two or more organisations.
When is information jointly held?
The holding of personal information by two or more organisations is more common than you might think. If any organisation has possession or control of personal information, it is taken to ‘hold’ that information. This extends beyond physical possession to include the power or right to deal with the information.
For example, information stored in the cloud would be classified as jointly held. Both the cloud provider and the organisation storing the information ‘hold’ it for the purposes of the NDB Scheme. The organisation that requested the use of the server is generally taken to hold the information because it has the contractual right to deal with it. The cloud provider is also taken to hold the information because it has actual possession.
Examples of common circumstances where information is jointly held include:
- Commonwealth contracts;
- Outsourcing arrangements;
- IT vendor agreements; and
- Joint ventures.
Who is responsible for compliance?
In short, the NDB Scheme is silent on which organisation is responsible for assessing the breach and notifying both the affected individuals and the OAIC. What is clear, however, is that only one organisation needs to conduct the assessment and notify the relevant parties in order to satisfy the NDB Scheme requirements.
If no action is taken following a data breach of jointly held information, each organisation deemed to have held the information may be found to have breached the NDB Scheme requirements.
Importantly, the OAIC recommends that the organisation with the most “direct relationship” to the potentially affected individuals should be the one to notify the relevant parties. Using the cloud example above, it is the organisation with the direct relationship with the customer, not the cloud provider, which the OAIC recommends be the entity to notify.
Given there is no prescribed formula for which organisation is responsible for notification, we encourage all organisations with obligations under the NDB Scheme to establish clear procedures for complying with the NDB Scheme before entering into contractual arrangements with any other organisation that will hold their customer data.
If your organisation requires assistance with drafting contractual terms to deal with notification obligations under the NDB Scheme, or has experienced a breach of jointly held information and you don’t know what to do next, it may be necessary to seek legal advice.