The Notifiable Data Breaches (‘NDB’) scheme established under the Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect on 22 February 2018. The NDB scheme requires organisations to notify the Australian Information Commissioner and affected individuals when an eligible data breach has occurred.
Who must comply?
The NDB scheme applies to any organisation that has responsibilities under the Privacy Act 1988, including Australian government agencies and all businesses and not-for-profit organisations with an annual turnover of $3m or more. The NDB scheme also applies to certain other businesses such as private sector health service providers, educational and child care institutions and those that buy or sell personal information including credit reporting bodies.
What is considered an eligible data breach?
The NDB scheme applies only to eligible data breaches. The government considers a data breach to be eligible if there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity that is likely to result in serious harm to the individual affected.
Although ‘serious harm’ is not defined in the Privacy Act 1988, in the context of a data breach it is taken to include physical, psychological, emotional, financial or reputational harm. Directors of organisations will need to perform an objective assessment to determine if a data breach is likely to result in serious harm.
What must be reported and how?
When there are reasonable grounds to believe that an eligible data breach has occurred, an organisation is obligated to notify the Australian Information Commissioner and affected individuals of the breach as soon as practicable. The notification of the breach must include a description of the data breach, the kinds of information concerned and recommended steps for the affected individual to take in order to protect themselves.
How to protect your organisation
The NDB scheme shifts more of the onus of overseeing cybersecurity to directors of the organisation. It is important for directors to understand the potential risk areas and have a breach management plan in place regarding data security as they can be held liable if it is shown their organisation has been willfully negligent about securing data.
The Australian Information Commissioner can seek civil penalties for not adhering to the legislation of up to $340,000 for individuals and $1.7 million for corporates, as well as the payment of compensation for damages or other remedies.
Directors need to review their organisations to identify what data they hold and where it may be at risk. It is then important that the organisation develop a data protection plan to manage the risk areas identified and confirm that all personnel understand the importance of data security and how to ensure it is protected. Organisations also need to develop systems to identify and respond to any breaches in a timely and appropriate fashion that will ensure compliance with the NDB scheme.
Click here for further information on the NDB scheme.
Need help?
If you would like more information or have any questions, please feel free to contact us to discuss further.