The Australian Government has established a Notifiable Data Breaches (NDB) scheme, to ensure that affected individuals are notified about serious data breaches.
The NDB scheme will apply to all businesses, government agencies and other organisations covered by the Australian Privacy Act 1988 (Privacy Act) and will commence on 22 February 2018.
What is a Notifiable Data Breach?
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
The NDB scheme requires organisations to notify any individuals affected by these serious data breaches.
This notice must include recommendations about the steps that individuals should take in response to a serious data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.
Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.
What is a data breach?
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.
Examples of a data breach include:
- when customers' personal information is lost or stolen
  - This includes loss or theft of hard copy documents, removable storage devices, backup tapes, tablets, smart phones etc.
  - This can also include electronic losses of personal information, such as failing to keep adequate backups of personal information in the event of a systems failure.
- unauthorised access to a database (or backup of a database) containing personal information
  - This includes unauthorised access by an employee, former employee or independent contractor, as well as unauthorised access by an external third party (such as by hacking).
- when personal information is mistakenly provided to the wrong person
  - Such as when personal information, intentionally or otherwise, is accessible or visible to others outside of the company and is released from the company's effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee.
Who does this apply to?
All organisations bound by the Privacy Act and APP are affected by this new legislation, which includes:
- Most Australian Government agencies
- Businesses and not-for-profit organisations with an annual turnover of over $3 million
However, the Privacy Act and APP also apply to some types of smaller organisations that deal with sensitive personal information, and as such the mandatory data breach notification applies to them as well. Here are some examples:
- Child care centres
- Private schools and private education institutions
- Private sector health service providers
- Any individuals/companies who primarily handle personal information such as tax file numbers, credit applications and other personal sensitive records.
What can you do to make sure you are compliant?
Australian Privacy Principle 11 (APP 11) requires an entity to take active measures to ensure the security of the personal information it holds, and to actively consider whether it is permitted to retain that personal information.
An entity that holds personal information must take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Additionally, an entity must take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs.
What are "reasonable steps"?
What qualifies as reasonable steps to ensure the security of personal information depends on the circumstances, including the following:
- the nature of your entity
- the amount and sensitivity of the personal information held
- the possible adverse consequences for an individual in the case of a breach
- the practical implications of implementing the security measure, including the time and cost involved
- whether a security measure is itself privacy invasive.
As a guideline, the OAIC has provided some steps and strategies which may be reasonable to take. These cover the following 9 key areas:
- Governance, culture and training
- Internal practices, procedures and systems
- ICT security
- Access security
- Third party providers (including cloud computing)
- Data breaches
- Physical security
- Destruction and de-identification
How can Keyspace assist?
Keyspace Technologies is happy to provide a FREE NDB Risk Assessment to go through the 9 areas outlined in the OAIC Steps and Strategies and provide you with a gap analysis detailing focus areas for your company and a roadmap to make sure you're covered by the time that the NDB Scheme takes effect.
Contact us to book your FREE NDB Risk Assessment.
OAIC Reference Information: