Australia’s Notifiable Data Breaches (NDB) scheme came into effect on 22 February 2018, requiring organisations in Australia that are covered by the Privacy Act to notify individuals whose personal information is involved in a data breach as soon as they become aware of the breach. Failure to do so may result in hefty fines of up to $1.8 million, as well as potential liability for compensation of damages.

With countless media stories of cyber security attacks and identity theft, this amendment to the Privacy Act ultimately puts the customer first and reinforces each organisation’s responsibility to secure the data it holds. In addition to notifying the individuals affected, under the scheme organisations must provide recommendations on how those affected should respond, and must notify the Office of the Australian Information Commissioner.

We’ve put together a quick guide of what you need to know.

Who needs to comply?

A broad selection of Australian business and government organisations are affected by the law.

Importantly, all Federal Government agencies, and businesses and not-for-profits with annual turnover greater than $3 million, must disclose breaches.

Which data breaches require notification?

If you’re covered under the NDB scheme, you must report any breach of personal information that is likely to result in serious harm.

An eligible data breach occurs when three criteria are met:

  • There is unauthorised access to, or unauthorised disclosure of, personal information that an entity holds, or a loss of such information
  • This is likely to result in serious harm to one or more individuals, and
  • The entity has not been able to prevent the likely risk of serious harm with remedial action

“Serious harm” can be psychological, emotional, physical, reputational, or other forms of harm.

When do you need to notify?

You must notify appropriate parties as soon as you have grounds to believe that an eligible data breach has occurred. A reasonable assessment of the circumstances that surround the suspected breach must be completed within 30 days and should include recommendations about the steps individuals should take in response to the breach.

Who do you report to and what do you say?

Reporting a breach to the Office of the Australian Information Commissioner (OAIC) is as easy as filling out an online form. To ensure that you have met your statutory obligations when reporting the breach, the OAIC has published a guide to what to include in an eligible data breach statement.

How do I mitigate risk?

The prevalence of major data breaches in recent years demonstrates the need for organisations to be prepared to respond quickly and effectively, whether they suffer an accidental breach or a major cyber-attack by hackers. The NDB scheme adds an extra layer of legal obligation and compliance on top of that operational need.

Organisations and agencies should, if they have not already done so:

  • Identify at-risk data
  • Audit current security processes and procedures which protect the data. In particular, assess the ability of the organisation to detect a data breach as soon as possible and respond quickly
  • Update data collection notices, privacy policies and employee training manuals to include specific provisions relating to data security and data breaches
  • Implement a data breach response policy
  • Train staff in the implementation of the policy and action plan

Then ensure you have procedures in place for contacting all potentially affected parties. Rehearse your processes for disclosing and reporting a notifiable breach, and have a communications plan in place for letting customers and the public know what happened.