The NDB scheme means consumers will no longer be left in the dark – but how will the term ‘serious harm’ be defined?

Businesses and government agencies in Australia are now legally obliged to notify individuals whose personal information is involved in a data breach, following today’s introduction of the Notifiable Data Breaches (NDB) scheme.

As previously reported in The Daily Swig, the new legislation makes it mandatory for organizations to warn consumers and the Australian Information Commissioner of any breach likely to result in “serious harm” to those whose information has been compromised.

It will apply to Australian government agencies, businesses, and non-profit organizations with an annual turnover of A$3 million or more. Credit reporting bodies, health service providers, and private schools will also be subject to the new regulations.

According to the Office of the Australian Information Commissioner (OAIC), an eligible data breach arises when there is unauthorized access to or unauthorized disclosure of personal information, and that the entity has “not been able to prevent the likely risk of serious harm with remedial action”.

Out of harm’s way

Given the significance of the NDB for thousands of Australian businesses, there has been no shortage of media coverage on the issue over recent days.

However, few outlets have pulled focus on the potential ambiguity that surrounds the term ‘serious harm’ – one of the NDB scheme’s guiding principles.

Citing the fact that ‘serious harm’ is not defined in the Privacy Amendment (Notifiable Data Breaches) Act 2017, Norton Rose Fulbright’s legal team in Australia said the term poses a “threshold question” with regard to exactly when an individual is to be notified that their data has been compromised.

Speaking to The Daily Swig via email earlier this month, Patrick Fair, partner at law firm Baker & McKenzie, provided some additional insight into what is likely to be considered ‘serious harm’ in the eyes of the OAIC.

“When the legislation was in draft, submissions were made to the government that a common law definition of harm should apply,” Fair stated. “However, the government has taken the view that in the area of privacy, a lower threshold encompassing psychological and emotional harm should apply.”

Fair said he expected more guidance around the meaning of ‘serious harm’ to emerge from decisions relating to this new regime over time. Until then, however, the Sydney-based legal expert said organizations would likely err on the side of caution when it comes to disclosing breaches.

“From a practical point of view, organizations wishing to avoid public criticism and/or regulatory action by the Privacy Commission are likely to… [set] a low threshold and therefore favor notification in cases where serious harm is arguable,” he said.

“This will particularly be the case where there is a large dataset subject to a breach.”