Amendments to the Privacy Act introducing the Notifiable Data Breaches (NDB) scheme have commenced.
The NDB scheme applies to all organisations currently required to take steps to secure personal information, including but not limited to businesses and not-for-profit organisations with an annual turnover of $3 million, health service providers and TFN recipients.
If your organisation is currently required to secure personal information under the Privacy Act, including compliance with the Australian Privacy Principles under the Act, it will need to comply with the NDB scheme on and from 22 February 2018.
The NDB scheme applies to data breaches of personal information likely to result in serious harm to individuals affected. Consider the following three questions when assessing a data breach:
- Is there an unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that your organisation holds?
- Is this likely to result in serious harm to one or more individuals?
- Has your organisation been unable to prevent the likely risk of serious harm through remedial action?
If the answer is “yes” to all of the above, then a notifiable data breach has occurred.
If a notifiable data breach has occurred, you need to notify the affected individual(s) and the Office of the Australian Information Commissioner. Significant legal penalties of up to $1.8 million could apply for not complying with the NDB scheme.
What your organisation should do:
- Understand the requirements of the NDB scheme. There are resources and guidelines available on the OAIC website.
- Carry out an audit of your organisation from a privacy perspective. Consider asking yourself questions such as:
  - Do your staff understand your organisation’s obligations in respect of privacy, and do you have an adequate policy in place?
  - How are you securing personal information, and what might need to be done to better secure such information?
  - Where are the vulnerabilities in your organisation that could lead to a data breach?
- Have a data breach response plan drafted and tailored to the needs of your organisation and the personal information it holds.
- Train your staff in the requirements of the NDB scheme and your organisation’s data breach response plan.
Should you require any further information or specific advice in relation to the NDB scheme or if you have any other privacy-related questions, please do not hesitate to contact our office.