The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.
- The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.
- The Australian Information Commissioner must also be advised.
- Notification is made through the Notifiable Data Breach Statement form.
- Organisations are required to carry out a quick assessment to determine whether the breach is likely to result in serious harm and therefore requires notification.
Who must comply with the Scheme
- The NDB scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information, namely:
  - Australian Government agencies
  - businesses and not-for-profit organisations with an annual turnover of more than $3 million
  - private sector health service providers
  - credit reporting bodies
  - credit providers
Which data breaches require notification
The NDB scheme applies only to data breaches involving personal information that are likely to result in serious harm to any affected individual. These are referred to as ‘eligible data breaches’. A few exceptions may mean that notification is not required for certain eligible data breaches.
How to notify
When an agency or organisation has reasonable grounds to believe an eligible data breach has occurred, it is obligated to promptly notify the individuals at likely risk of serious harm. The Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.
The notification to affected individuals and the Commissioner must include the following information:
- the identity and contact details of the organisation;
- a description of the data breach;
- the kinds of information concerned; and
- recommendations about the steps individuals should take in response to the data breach.
The notification to the Commissioner can be made using the OAIC’s Notifiable Data Breach Form.
More detailed information on the NDB scheme is available on the OAIC website: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
If a data breach does occur, contact your IT provider for assistance in assessing the implications and containing the damage, and your legal advisor to ensure compliance with the Act. Failure to report an eligible data breach may result in serious penalties. To minimise the risk of data breaches, undertake a security audit and implement its recommendations.