New Notifiable Data Breaches scheme

You may or may not be aware that the recent passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017, established a mandatory Notifiable Data Breaches (NDB) scheme in Australia.

The NDB scheme will apply to agencies and organisations that the Australian Privacy Act 1988 requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, among others.

Whilst DHS has included some high-level information on the Notifiable Data Breaches scheme below, for detailed information on how the scheme will apply to your organisation and what your potential obligations are, please refer to the official Australian Government website link below:

Notifiable Data Breaches scheme

When does the NDB scheme take effect?
The new Notifiable Data Breach laws and scheme comes into effect on 22nd February 2018 and only applies to eligible data breaches that occur on or after that date.

Which data breaches require notification?
An ‘eligible data breach’, which triggers notification obligations, is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates. A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.

Examples of a data breach include when:

  • A device containing customers’ personal information is lost or stolen
  • A database containing personal information is hacked
  • Personal information is mistakenly provided to the wrong person.

Assessing suspected data breaches?
Agencies and organisations that suspect an eligible data breach may have occurred, must undertake a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm to any individual affected.

How to notify?
When an agency or organisation is aware of reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm. The Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.

The notification to affected individuals and the Commissioner must include the following information:

  • The identity and contact details of the organisation
  • A description of the data breach
  • The kinds of information concerned and;
  • Recommendations about the steps individuals should take in response to the data breach.

Additional resources from the Office of the Australian Information Commissioner (OAIC) on the NDB scheme

  1. The OAIC has a comprehensive Guide to securing personal information to assist you in implementing practices, processes, and systems to secure personal information.
  2. The OAIC’s Data breach notification – A guide to handling personal information security breaches and Guide to developing a data breach response plan provide a best practice model for informing any data breaches under the scheme.
  3. The OAIC hosted a webinar on preparing for the NDB scheme in November 2017. The webinar covered the key requirements of the scheme and the slide presentation can be viewed here.

If you have any questions, or wanted to discuss the upcoming NBD scheme in more detail, please contact your DHS representative on 1300 564 988