From 22 February 2018, the new Notifiable Data Breach (NDB) scheme came into effect in Australia. The NDB scheme requires the investigation, notification and reporting of data breaches involving personal information, where the breach is likely to result in serious harm to the individual. Reporting of the breach to the Privacy Commissioner is required in certain circumstances.
Penalties for failure to comply with the Notifiable Data Breach Scheme are up to $2.1 million for businesses or $420,000 for individuals. With penalties this high, can your business afford to be unprepared?
Businesses that are required to comply with the Privacy Act must also comply with the NDB Scheme. This includes:
For the purposes of the NDB Scheme, the new requirements also apply to any organisations that are tax file number (TFN) recipients.
A data breach occurs when:
A data breach that lacks any of these three elements is not required to be reported. An example provided by the Privacy Commissioner is:
A data file, which includes the personal information of numerous individuals, is sent to an incorrect recipient outside the entity. The sender realises the error and contacts the recipient, who advises that the data file has not been accessed. The sender has an ongoing contractual relationship with the recipient, and regards the recipient as reliable and trustworthy. The sender then confirms that the recipient has not copied, and has permanently deleted the data file. In the circumstances, the sender decides that there is no likely risk of serious harm.
The NDB scheme applies to data breaches involving personal information that are likely to result in ‘serious harm’ to any individual affected. These are referred to as ‘eligible data breaches’.
Serious harm can be physical, psychological, emotional, financial or reputational harm. According to the Privacy Commissioner, the term ‘likely to occur’ means “the risk of serious harm to an individual more probably than not (rather than possible)”.
Factors to consider when assessing the level of risk include:
Even where the risk of serious harm is not present, the business may still have to undertake remedial steps with any affected individuals.
If there has been a data breach and you believe it could meet the ‘likely to result in serious harm’ threshold, you are required to conduct an assessment, undertake remedial action and report the incident to the Privacy Commissioner and any other relevant law enforcement agency. This must occur within 30 days of becoming aware of the breach.
The requirements and responsibilities involved in this process are onerous and complex. We recommend you read the overview and detailed guidelines from the Privacy Commissioner.
Prevention is better than cure. A recent IBM study found that 48% of data breaches come from malicious or criminal attacks. These include malware infections, criminal insiders, phishing scams and SQL injection attacks.
If your IT systems are not managed and monitored correctly, you are opening the door to possible data breaches. To mitigate the risk, it is recommended that you regularly review these essential aspects of your IT systems:
If you are unsure if these processes are being conducted within your business IT systems, then book a complimentary IT Security Audit today.