Notifiable Data Breach Scheme – Compliance and Protection

Posted on: April 24th, 2018

From 22 February 2018, the new Notifiable Data Breach (NDB) scheme came into effect in Australia. The NDB scheme requires the investigation, notification and reporting of data breaches involving personal information, where the breach is likely to result in serious harm to the individual. Reporting of the breach to the Privacy Commissioner is required in certain circumstances.

Penalties for failure to comply with the Notifiable Data Breach Scheme are up to $2.1 million for businesses or $420,000 for individuals. With penalties this high, can your business afford to be unprepared?

Who Must Comply?

Businesses that are required to comply with the Privacy Act must also comply with the Notifiable Data Breach Scheme. This includes:

  • Australian Government agencies
  • Businesses and not for profit organisations with an annual turnover of $3 million or more
  • A small business with less than $3 million turnover but which is related to a larger business
  • Credit reporting bodies and credit providers
  • Health service providers (i.e. medical practices, pharmacists, child care centres and gyms)
  • Businesses that provide services under Commonwealth contracts
  • Entities that trade in personal information (i.e. buy/sell mailing lists) or that operate a residential tenancy database

For the purposes of the NDB Scheme, the new requirements also apply to any organisations that are tax file number (TFN) recipients.

Has A Breach Occurred?

A data breach occurs when:

  1. There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds; and
  2. This is likely to result in serious harm to one or more individuals; and
  3. The entity has not been able to prevent the likely risk of serious harm with remedial action

Examples include:

  • A lost or stolen USB, portable hard drive or laptop
  • Malicious or criminal action
  • Personal data stolen from an unsecured recycling/shredding bin
  • Human error such as an email inadvertently sent to the wrong person
  • ‘Water cooler’ conversation about someone where a third party overhears what is being said

A data breach without these three elements is not required to be reported. An example provided by the Privacy Commissioner is:

A data file, which includes the personal information of numerous individuals, is sent to an incorrect recipient outside the entity. The sender realises the error and contacts the recipient, who advises that the data file has not been accessed. The sender has an ongoing contractual relationship with the recipient, and regards the recipient as reliable and trustworthy. The sender then confirms that the recipient has not copied, and has permanently deleted the data file. In the circumstances, the sender decides that there is no likely risk of serious harm.

What is Serious Harm?

The NDB scheme applies to data breaches involving personal information that are likely to result in ‘serious harm’ to any individual affected. These are referred to as ‘eligible data breaches’.

Serious harm can be physical, psychological, emotional, financial or reputational harm and the term ‘likely to occur’ means “the risk of serious harm to an individual more probably than not (rather than possible)” according to the Privacy Commissioner.

Factors to consider when assessing the level of risk include:

  • The kind of information
  • The sensitivity of the information
  • The person/s who have obtained, or who could obtain the information
  • The potential intent to cause harm using the information
  • The potential nature of the harm

Where the risk of serious harm is not present, the business may still have to undertake remedial steps with any affected individuals.

And if There Has Been an Eligible Data Breach?

If there has been a data breach and you believe it could meet the ‘likely to result in serious harm’ threshold, you are required to conduct an assessment, undertake remedial action and report the incident to the Privacy Commissioner and any other relevant law enforcement agency. This must occur within 30 days of becoming aware of the breach.

The requirements and responsibilities involved in this process are onerous and complex. We recommend you read the overview and detailed guidelines from the Privacy Commissioner.

Preventing An Eligible Data Breach

Prevention is better than cure. A recent IBM study found that 48% of data breaches come from malicious or criminal attacks. These include malware infections, criminal insiders, phishing scams and SQL injections.

If your IT systems are not managed and monitored correctly, you are opening the door to possible data breaches. To mitigate the risk, it’s recommended that you regularly review these essential aspects of your IT systems:

  • Ensure anti-virus software is installed on all devices and is automatically updated
  • Always update every device with the latest version of software as it becomes available
  • Monitor spam and increase spam protection
  • Use secure and complex passwords right across your business, and change them regularly
  • Educate your team on potential threats, including the identification of phishing emails

If you are unsure if these processes are being conducted within your business IT systems, then book a complimentary IT Security Audit today.

Notifiable Data Breach Scheme - What You Need to Know - Infographic
