Notifiable Data Breach (NDB) Scheme commenced 22-02-2018.


What is the Notifiable Data Breach scheme?

Australian Government agencies and the various organisations required to secure personal information under the Privacy Act 1988 (Privacy Act) now have data breach notification and assessment obligations under the Notifiable Data Breaches (NDB) scheme. As of 22 February 2018, these agencies and organisations are required to notify individuals affected by a data breach that is likely to result in serious harm. They are also obligated to notify the Office of the Australian Information Commissioner (OAIC).

Who must comply with the NDB scheme?

The NDB scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.

Which data breaches require notification?

The NDB scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected. These are referred to as ‘eligible data breaches’. There are a few exceptions which may mean notification is not required for certain eligible data breaches.

How are suspected data breaches assessed?

Agencies and organisations that suspect an eligible data breach may have occurred must undertake a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm to any individual affected.

How to notify?

When an agency or organisation is aware of reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm. The Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.

The notification to affected individuals and the Commissioner must include the following information:

  • the identity and contact details of the organisation;
  • a description of the data breach;
  • the kinds of information concerned; and
  • recommendations about the steps individuals should take in response to the data breach.

The notification to the Commissioner can be made using the OAIC’s Notifiable Data Breach form, which is available on the OAIC website.


The full Data breach preparation and response guide is available for download.
