Data breach responsibilities under the DATA Scheme
Guidance note 2023:4
This guidance note provides information about data breach responsibilities for the purposes of the DATA Scheme.
This guidance note is not intended to be legal advice. You should seek your own legal advice if you would like further clarification on the matters raised in this guidance.
The Data Availability and Transparency Act 2022 (the Act) sets out the responsibilities of Scheme entities in relation to data breaches under the DATA Scheme. This guidance is being provided in line with the National Data Commissioner’s Regulation and Compliance Priorities (Priority 4 – Minimising the risk of data breaches).
Data breaches under the DATA Scheme
Under section 35 of the Act, a data breach is where a Scheme entity (i.e. a data custodian, accredited user or accredited data service provider) holds Scheme data and one or more of the following occurs:
there is unauthorised access to or disclosure of the Scheme data
the data is lost in circumstances where there is likely to be unauthorised access to or disclosure of the data, or
an event prescribed by a data code occurs in relation to the data
no such code exists yet.
A Scheme entity does not have to establish whether or not a data breach incident involves personal information and/or would likely result in serious harm, for it to be a data breach under the DATA Scheme.
This is illustrated in Figure 1 below.
Figure 1: Data breaches under the DATA Scheme
1. The Scheme entity holds Scheme data
An element of a data breach under the DATA Scheme is that the Scheme entity holds Scheme data (see section 35(a)).
A Scheme entity is taken to hold Scheme data if the entity has possession or control of a record that contains the data (see section 9).
Under the DATA Scheme, ‘Scheme data’ means (see section 9):
any copy of data that has been created for the purpose of being shared under the DATA Scheme (irrespective of whether or not the data has yet been shared)
ADSP-enhanced data of a project, or
output of a project.
A copy of data that has exited the Scheme ceases to be Scheme data (see section 20E).
Examples of Scheme data include a new data set created by a data custodian to be shared with an accredited user under the DATA Scheme, data that has been de-identified by an accredited data service provider (ADSP) as part of a data sharing agreement but has not yet been shared, and data collected by the accredited user as part of a data sharing project.
2. Unauthorised access to, disclosure of, or loss of Scheme data
In addition to a Scheme entity holding Scheme data, there must be unauthorised access to, disclosure of, or loss of the data for a data breach to occur (see section 35(b)).
‘Unauthorised access’ occurs where Scheme data that a Scheme entity holds is accessed by an individual who does not have permission to access the data. For example, a cyber attack could result in unauthorised access to Scheme data held by an accredited user.
An ‘unauthorised disclosure’ occurs where:
Scheme data is made accessible or visible where it is not authorised by the Act, and
the Scheme data that is held by the Scheme entity is released from the Scheme entity’s effective control in a way that is not permitted by the Act.
For example, a disclosure of Scheme data to an employee or contracted third party who is not part of a data sharing project would be an unauthorised disclosure.
A data breach can also occur due to a loss of Scheme data, and the loss is likely to result in unauthorised access to, or disclosure of, Scheme data. This includes:
Physically losing Scheme data - a loss could occur from data spills or circumstances in which an employee of a Scheme entity accidentally leaves hard copy documents containing Scheme data in a public place where other individuals can easily access the data
Electronically losing Scheme data – a loss could occur from failing to keep adequate backups of Scheme data in the event of a systems failure.
Data breach responsibilities
Scheme entities have data breach responsibilities under the DATA Scheme. These responsibilities enliven when Scheme entities reasonably suspect or become aware that a data breach under the DATA Scheme has occurred.
Figure 2 illustrates the data breach responsibilities of Scheme entities.
Figure 2: Data breach responsibilities under the DATA Scheme
Taking steps to mitigate data breaches
When a Scheme entity reasonably suspects or becomes aware of a data breach within its entity, it must take reasonable steps to prevent or reduce any harm arising from the breach to entities, groups of entities and things (see section 36(1)).
A data custodian also has responsibility to take steps to mitigate harm if it becomes aware or reasonably suspects a data breach has occurred within an accredited user or ADSP’s entity, where Scheme data it has shared may be involved (see section 36(2)).
A Scheme entity may be subject to a civil penalty of 300 penalty units if it does not comply with these requirements (see sections 36(1) and (2)).
Scheme entities must take steps to mitigate any harm from data breaches and suspected data breaches as soon as practicable after the breach occurs (see section 36(3)).
Notification of breaches involving personal data
Section 37 of the Act preserves the Australian Information Commissioner’s oversight of data breaches involving personal information through a mechanism that engages the Notifiable Data Breaches (NDB) Scheme under Part IIIC of the Privacy Act 1988 (the Privacy Act). For more information about the NDB Scheme, visit: About the Notifiable Data Breaches scheme - Home (oaic.gov.au)
The definition of ‘personal information’ under the Act is the same as its definition under the Privacy Act.
Default responsibility to undertake relevant obligations under Part IIIC of the Privacy Act lies with the data custodian (see section 37(2)) unless expressed otherwise in a data sharing agreement with an accredited entity that is also an APP entity (see section 37(4)).
An accredited entity that is party to a data sharing agreement must notify the data custodian who has responsibility under Part IIIC of the Privacy Act if it reasonably suspects or becomes aware that a data breach of that entity has occurred. This written notification must occur in sufficient time and contain sufficient detail to enable the data custodian to comply with its NDB Scheme obligations (see section 37(3)).
Where both the data custodian and the accredited entity are APP entities, the accredited entity, and not the data custodian, is responsible for undertaking obligations under Part IIIC of the Privacy Act when this is expressed in the data sharing agreement (see section 37(4)).
A Scheme entity must also give the National Data Commissioner a copy of any eligible data breach statement it gives to the Australian Information Commissioner under section 26WK of the Privacy Act as soon as practicable, if the eligible data breach relates to Scheme data (see section 37(5)).
Notification of breaches involving non-personal data
A Scheme entity must notify the National Data Commissioner if it reasonably suspects or becomes aware that a data breach involving non-personal information has occurred (see section 38(1)). ‘Non-personal information’ is information that is not personal information about one or more individuals. A Scheme entity may be subject to a civil penalty of 300 penalty units if it does not comply with this requirement (under section 38(1)).
Information that has been de-identified for the purpose of being shared under the Scheme is non-personal information (see the definition of ‘personal information’ under section 9). However, it is possible that a data breach may result in deidentified information becoming re-identified, thus becoming a data breach involving personal information.
A Scheme entity must notify the National Data Commissioner of a non-personal data breach as soon as practicable after the end of the financial year in which the breach occurs (see section 38). A data code may prescribe different periods for notification. No such period has been specified, although it may occur in the future.
Reporting events and changes in circumstances affecting accreditation
Accredited users and ADSPs have an ongoing responsibility under the Act to report events and changes in circumstances to the National Data Commissioner that are relevant to its accreditation (see section 31). Data custodians that are accredited users and/or ADSPs also have this responsibility.
A data breach under the DATA Scheme is an event that is relevant to an accredited user or ADSP’s accreditation and should also be reported.
Seeking your own legal advice on matters covered by this guide
This guidance note is not intended to be legal advice. You should seek your own legal advice if you would like further clarification on the matters raised in the guidance.
Guidance note 2023:4
Last updated 31 March 2023