
The NDBS and How It Will Affect You

The end of February usually matters only as the end of summer, but this year it also signalled a significant change to the Privacy Act: the Notifiable Data Breaches Scheme took effect on the 22nd of February.


What is the Notifiable Data Breaches Scheme?

The Federal Government, via the Office of the Australian Information Commissioner (OAIC), has put in place a new amendment to the Privacy Act 1988 setting out what businesses and agencies must do if they suffer any form of data breach (hacking, cyber theft, etc.) that could lead to the individuals whose information is involved in the breach suffering "serious harm".

The scheme places a legal obligation on those who suffer a data breach to notify the OAIC of the breach, along with the steps affected individuals should take in response to it.


Who must comply with the NDB Scheme?

Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others, all fall under the scheme.

Be careful: if you are related to any of the above, you may fall under the scheme as well. The other aspect to be mindful of is the TFN recipients category, as this could also be interpreted to include anyone who has staff and holds a file with their Tax File Numbers on record.

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/entities-covered-by-the-ndb-scheme


Which data breaches require notification?

The NDB scheme applies only to data breaches involving personal information that are likely to result in serious harm to any affected individual. These are referred to as 'eligible data breaches'. A few exceptions may mean notification is not required for certain eligible data breaches.

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/identifying-eligible-data-breaches


What Happens If I Don’t Notify?

Like all breaches of the Privacy Act, failure to comply can result in fines. A serious or repeated occurrence could lead to a $420,000 fine. The maximum fine is 5 times this: $2.1M.


What Can I Do To Protect Myself?

Cyber Insurance covers have been modified to assist in the NDB process. If you have a Cyber cover and suffer any sort of Cyber event, the insurer's response teams will, as part of the claim process, determine whether it is a notifiable breach. With some Cyber Covers starting from as low as $350, it is an investment well worth the cost.


For more information, please refer to https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
