From 22 February 2018 onwards, all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 will be required to respond to data breaches under the Notifiable Data Breaches (NDB) scheme. The scheme introduces an obligation where agencies and organisations including Australian Government agencies, businesses and not-for-profits with annual turnover of $3 million or more, credit reporting bodies, health service providers and TFN recipients must notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.
It is essential that these entities are prepared to conduct quick assessments of suspected data breaches and determine whether or not a breach is likely to result in serious harm, and therefore requires notification.
What is a data breach?
A data breach occurs when there has been unauthorised access to or disclosure of personal information, or loss of personal information. The NDB scheme only applies to breaches that are likely to result in serious harm to any affected individual; these are referred to as ‘eligible data breaches’.
An eligible data breach occurs when there is unauthorised access or disclosure/loss of personal information that an entity holds, which is likely to result in serious harm to one or more individuals and remedial action has not resulted in preventing the risk of serious harm.
What type of information is involved in a data breach?
Some kinds of personal information may be more likely to cause an individual serious harm if compromised. Some examples include:
• Information about an individual’s health
• Documents commonly used for identity fraud (passport, driver’s licence, Medicare card, etc.)
• Financial information
What constitutes ‘serious harm’?
When assessing the risk of serious harm, organisations need to consider the full range of harms that may follow a data breach. Some examples include:
• Identity theft
• Significant financial loss
• Threats to physical safety
• Loss of business or employment opportunity
• Humiliation and reputational damage
• Workplace and/or social bullying or marginalisation
How to prevent a data breach
The NDB scheme gives businesses the opportunity to take positive steps to address a data breach in a timely manner and, where remedial action removes the likelihood of serious harm, to avoid the need to notify. A good first step is to have an incident response plan in place before a breach occurs. That way, if a breach does occur, you will be prepared and know what to do and who to contact. Having a data breach response plan in place is an important aspect of due diligence, and we can help with other aspects of your due diligence as well.