Fact sheet - NSW public sector agencies and data breaches involving tax file numbers
Read the document below or download it here Fact Sheet - NSW public sector agencies and data breaches involving tax file numbers, updated July 2022
The Privacy Act 1988 (Cth) (the Privacy Act) established the Commonwealth Notifiable Data Breaches (NDB) scheme, which came into effect on 22 February 2018.
The Commonwealth NDB scheme requires organisations covered by the Privacy Act to notify individuals likely to be at risk of serious harm due to a data breach.
Although the Commonwealth NDB scheme is aimed primarily at Commonwealth government agencies and private sector organisations regulated by the Australian Privacy Principles (APPs) under the Privacy Act, there are provisions that apply to NSW public sector agencies.
Tax file number collection
Any agency that collects tax file numbers (TFNs) has obligations under the Commonwealth NDB scheme when a data breach occurs involving a TFN. This includes state and local government agencies, and public universities in NSW that routinely collect and hold TFN information.
A TFN is a unique number issued by the Australian Taxation Office (ATO) to identify individuals. TFN information is information that connects a TFN with the identity of a particular individual.
The Privacy (Tax File Number) Rule 2015 (TFN Rule) issued under section 17 of the Privacy Act regulates the collection, storage, use, disclosure, security and disposal of individuals’ TFN information. The TFN Rule requires any organisation holding TFNs to protect the information by implementing reasonable security safeguards in the circumstances.
The obligations under the TFN Rule are in addition to responsibilities under other laws, such as the Privacy and Personal Information Protection Act 1998 (PPIP Act).
What is a TFN data breach?
A TFN data breach occurs where TFN information is lost, or subject to an unauthorised access or disclosure.
There are a number of ways this can occur. For example, if a database containing TFN information is hacked, if a TFN is mistakenly provided to the wrong person, or when paper records containing any TFN information are stolen.
When is a TFN data breach ‘notifiable’?
The notification requirements under the Commonwealth NDB scheme are triggered if the TFN data breach is ‘likely to result in serious harm’ to any individual.
Responding to a TFN data breach
Each TFN data breach will have to be dealt with on a case-by-case basis. However, there are four key steps to consider when responding to a breach:
- Contain the breach
Depending on the type of TFN data breach, containing the breach may involve a range of responses. This could include searching for and recovering the TFN data, confirming that no copies were made or that the information was destroyed by the party receiving it, conducting a remote wipe on a lost portable device, implementing a computer system shut down, or changing passwords and system usernames.
When a TFN data breach occurs, you should conduct preliminary fact-finding about the breach (including the cause, risk of spread, options to mitigate risk) and assess the risk posed by the breach.
It is important to inform the relevant key people in your organisation of the breach, such as the Privacy Officer and the Chief Executive Officer. In certain circumstances, it may also be necessary to inform Cyber Security NSW or the police.
- Evaluate and mitigate the risks
Taking prompt remedial action will minimise the likelihood that the breach will result in harm to any individual. For example, depending on the type of data breach, employees might be told to change passwords, not to open emails with attachments, and to be aware of phishing attacks.
An assessment of the likely harm resulting from a TFN breach should be conducted as soon as practicable after an agency becomes aware of the breach.
Ideally this will occur within 2-3 days but all reasonable steps must be taken to ensure the assessment is completed within 30 days.
The assessment should determine whether your agency reasonably believes that the loss, access or disclosure is ‘likely to result in serious harm to any of the individuals to whom the information relates’. ‘Serious harm’ is not defined in the Privacy Act, but guidance from the Australian Privacy Commissioner suggests that it could include such things as serious financial, physical, psychological, emotional or reputational harm.
- Notification and communication under the Commonwealth NDB scheme
When the assessment at step 2 has been completed, notification (if required) must be commenced as soon as practicable.
Notification is required by law if the assessment has concluded that there are reasonable grounds to believe that the breach has resulted in, or is likely to result in, serious harm to one or more of the individuals to whom the information relates.
The notification requirements under the Commonwealth NDB scheme relate to notifying both the Australian Privacy Commissioner and the affected individuals.
A statement must be prepared about the TFN data breach which sets out the following:
- Identity and contact details of the agency that experienced the breach
- A description of the breach
- The kind or kinds of information concerned
- Recommendations about any steps that the individuals should take in response to the breach.
The statement may also include:
- any action that has been, or is being taken, to rectify the breach and mitigate any harm;
- details about any other party that has been notified (e.g. the NSW IPC or NSW Police); and
- if relevant, the identity and contact details of any other related organisations that are likewise affected by the data breach.
The statement must be sent to the Australian Privacy Commissioner at the Office of the Australian Information Commissioner (OAIC) as soon as practicable.
The statement must also be provided to the affected individuals as soon as practicable. As a minimum requirement, the statement must be:
- provided directly to only those individuals at risk of serious harm; or
- provided to all individuals whose TFN information was breached; or
- (only if the affected individuals cannot be contacted directly) publicised more broadly.
This notification can be in the form of an email, letter or by phone contact. Additional steps may include a dedicated website, a media release or posts on social media.
Note: If NSW Police or another law enforcement agency is investigating the breach, they must be consulted before making details of the breach public.
4. Prevention of future breaches
Following a TFN data breach, agencies should fully investigate the cause of the breach and consider developing a prevention plan.
To mitigate the risk of any future data breaches, agencies may take a range of steps, including:
- a security audit and any modifications to physical controls such as locks, alarms, visitor access control;
- a review of policies and procedures including the privacy management framework;
- a review of employee training;
- a review of suppliers and third parties; and
- updating passwords, or altering deployments of technology.
More information about TFN data breaches
The OAIC has a dedicated website for the Commonwealth NDB scheme – see https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
In addition, further information about the handling of TFN information is available at: https://www.oaic.gov.au/privacy-law/privacy-act/tax-file-numbers
To contact the OAIC, call 1300 363 992.
Other data breach notification schemes that NSW public sector agencies should be aware of
In addition to the Commonwealth NDB scheme and NSW MNDB scheme, there are three other data breach notification schemes which create responsibilities for NSW public sector agencies in certain circumstances.
- Sharing of government sector data
The Data Sharing (Government Sector) Act 2015 (DSGS Act) has a data breach notification scheme in respect of sharing of government sector data under the DSGS Act with the NSW Data Analytics Centre, or between other government sector agencies.
If an agency that is receiving personal or health information under the DSGS Act becomes aware that privacy legislation has been (or is likely to have been) breached, the agency must, as soon as practicable, inform the data provider and the NSW Privacy Commissioner of the breach.
- European Union’s General Data Protection Regulation
The General Data Protection Regulation (GDPR) commenced on 25 May 2018 and applies to any organisation offering goods or services to, or monitoring the behaviour of, individuals living in the European Union (EU). This may include some NSW public sector agencies (e.g. universities offering educational packages to international students).
The data breach notification requirements under the GDPR include notification to the relevant EU supervisory authority within 72 hours after having become aware of the breach.
Further information about the GDPR is available on the OAIC’s website at: https://www.oaic.gov.au/privacy/guidance-and-advice/australian-entities-and-the-eu-general-data-protection-regulation.
- Data breaches involving My Health Records
The My Health Records Act 2012 (Cth) (MHR Act) requires registered healthcare provider organisations, registered repository operators, registered portal operators and registered contracted service providers to report a notifiable data breach arising from their local records as soon as practicable after becoming aware of the breach.
NSW public sector agencies are not required to report these types of notifiable data breaches to the OAIC. However, they must report the notifiable data breach to the My Health Record System Operator and the NSW Privacy Commissioner.
Further information about the notification obligations under the MHR Act is available on the OAIC’s website at: https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-mandatory-data-breach-notification-in-the-my-health-record-system.
Notification of data breaches to the Information and Privacy Commission NSW (IPC)
As a matter of best practice, agencies are encouraged to voluntarily report all other types of data breaches to the IPC, and to affected individuals as appropriate. This may include data breaches involving personal information other than TFNs, or data breaches involving TFNs but which are not likely to result in serious harm.
Notification should contain similar content to that provided to individuals/organisations. The personal information about the affected individuals is not required. It may be appropriate to include:
- a description of the breach;
- the type of personal information involved in the breach;
- what response the agency has made to the breach;
- what assistance has been offered to affected individuals;
- the name and contact details of the appropriate contact person; and
- whether the breach has been notified to other external contact(s).
Having a data breach procedure or policy can make it easier to handle a data breach. The IPC has proactively released its IPC Data Breach Policy and agencies are encouraged to refer to it when reviewing their own policies. The IPC Data Breach Policy is available on the IPC website.
Further information on the NSW voluntary notification scheme and resources for agencies is available on the IPC website.
If a data breach or suspected data breach raises cybersecurity concerns, you may also need to notify Cyber Security NSW.
For more information
Contact the Information and Privacy Commission NSW (IPC):
NOTE: The information in this fact sheet is to be used as a guide only.
Legal advice should be sought in relation to individual circumstances.