A data breach happens when personal information is accessed or disclosed without authorisation, or is lost. If the Privacy Act 1988 covers your organisation or agency, you must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach involving personal information is likely to result in serious harm.
The Federal Government of Australia passed the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017, which introduced the Notifiable Data Breaches (NDB) scheme. The NDB came into effect in February 2018, and applies to all agencies and organisations that collect and hold people’s personal information and are subject to obligations under the Australian Privacy Act 1988.
Should a data breach occur, the NDB scheme requires that all affected individuals be notified if their personal information has been put at risk in a way that could result in serious harm. This compulsory notification must also include a recommended course of action that the individuals should follow to minimise their risk. The Australian Information Commissioner must also be notified.
What impact will the NDB have on Australian businesses?
The NDB scheme was established to protect individuals and improve the overall standard of personal information security by placing greater responsibility on businesses' data collection practices and privacy policies. As data collection is a common business practice today, it applies to a significant majority of organisations across Australia. Each business must regularly review its practices, procedures and systems for securing personal information to ensure that they meet the requirements of the Notifiable Data Breaches scheme.
What constitutes a reportable data breach?
A data breach occurs when personal information held by an organisation is lost, stolen or exposed to unauthorised access or disclosure. An 'eligible data breach', which triggers NDB notification obligations, is a data breach that places the individuals to whom the information relates at risk of serious harm.
What are some examples of a reportable data breach?
- a device or physical record containing customers’ personal information is lost or stolen
- a database containing personal information is hacked
- personal information is mistakenly provided to the wrong person
- unauthorised access to personal information by an employee
- inadvertent disclosure of personal information due to human error
- disclosure of an individual’s personal information to a scammer due to inadequate identity verification procedures
Why should I care about the NDB?
Upper management is expected to be responsible for and highly involved in this process. If an organisation were to experience a breach, the obligations under the NDB scheme require that an assessment be completed to judge its severity, and then that appropriate action be taken. In the event of an eligible breach, not only does an organisation have to take steps to mitigate the damage, the resulting notification process also requires additional resources to craft the warning and potential remedies, then send them out to everyone who has been put at risk.
If an organisation is caught unaware, the result could be disastrous, which is why management is expected to have already implemented practices, procedures and systems that are in place and ready. A breach also has negative implications from a public relations perspective, as having to notify a database of current and potential customers that they have been put at risk can cause significant damage to the organisation's reputation.
What is the timeframe for reporting data breaches?
As soon as an organisation suspects a serious breach, it has 30 calendar days to conduct an assessment to verify its significance. As soon as the breach is deemed eligible under the NDB scheme, the organisation must promptly send out notifications to all affected individuals and to the Commissioner, as required.
What are the fines for not reporting a reportable data breach?
If an organisation is found to have concealed an eligible data breach or failed to report it as required by the NDB scheme, the penalty regime under the Privacy Act applies. This includes fines of up to $1.8 million for organisations and $360,000 for individuals for serious or repeated breaches.
How do you report an eligible breach to the Privacy Commissioner?
When an organisation believes that an eligible data breach has occurred, the Australian Information Commissioner must be notified as soon as practicable (in addition to the individuals affected). The notification must include:
- the identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned
- recommendations about the steps individuals should take in response
A report can be made online via the OAIC's official Notifiable Data Breach form, which covers all the required information.
Read up on how you can protect your business with Xari Group’s IT & Cyber Security Solutions.