The amendments to the Privacy Act 1988 introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 come into force on 23 February 2018. These amendments establish the Notifiable Data Breaches (NDB) scheme.
From that date, notification of “eligible data breaches” involving personal information will be mandatory for certain businesses and organisations. Notification must be made to the Office of the Australian Information Commissioner (OAIC). A draft of the form to use for this notification is currently on the OAIC website.
What is an “eligible data breach”?
To be an eligible data breach, the following three criteria must be satisfied:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
- this is likely to result in serious harm to one or more individuals, and
- the entity has not been able to prevent the likely risk of serious harm with remedial action.
“Serious harm” is not defined in the Privacy Act but assessment is from the perspective of a “reasonable person”. The legislation includes a non-exhaustive list of relevant matters that may assist entities to assess the likelihood of serious harm.
Does this apply to your business?
Entities which already have obligations under the Privacy Act to secure personal information must comply with the NDB scheme. These include businesses and not-for-profit organisations with an annual turnover of $3 million or more. Some small businesses may also have obligations under the Privacy Act, for example, if they trade in personal information.
What you should be doing
If you are a business with obligations under the Privacy Act, you must implement practices, processes, and systems to secure personal information. These should now be updated to include a data breach response plan to ensure the business is able to respond quickly to suspected data breaches, and conduct an assessment as required under the NDB scheme.
For more information visit oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme