What is the Notifiable Data Breaches scheme?
The Notifiable Data Breaches (NDB) scheme is a new section of the Privacy Act which comes into effect on February 22nd 2018. The scheme requires that all qualifying entities notify all affected individuals, as well as the Australian Information Commissioner (AIC), of any data breaches.
Who must comply?
- Australian Government agency
- Business or not-for-profit organisation with an annual turnover of $3 million or more
- credit reporting body
- health service provider
- TFN recipient (someone holding a Tax File Number in your systems).
What breaches must be reported?
Any breach of personally identifiable information which may cause “serious harm”. A breach covers either the loss of such data or unauthorised access to it, and includes activity such as hacking attacks on a server or individual system, the compromise of passwords that give access to personal information, or the loss of devices or systems which hold such data.
Serious harm to an individual includes any of the following:
- physical harm
- financial/economic harm
- emotional harm (e.g. embarrassment and humiliation)
- psychological harm (e.g. marginalisation and bullying)
- reputation harm
Organisations are expected to have policies and procedures in place outlining the actions that must be taken in response to a data breach, including a Data Breach Response Plan and policies for staff involved in collecting, using, securing and disclosing customer information.
When a breach is identified it must be assessed to verify whether notification of individuals and the AIC is required. These assessments and notifications must be completed within 30 days.
There are a number of online resources offering additional details on the NDB including:
Official Office of the Australian Information Commissioner NDB scheme site – This site includes details and a webinar on the scheme, as well as links to lodgement documents and resources on securing your information.
If you would like to discuss how these new requirements affect your business, or to assess your options for ensuring your data is as secure as possible, please contact us on 6396 0037 or at email@example.com.