On 22 February 2018, the Notifiable Data Breaches (NDB) scheme will take effect, introducing new obligations for Australian businesses that suffer a data breach.
Governed by the Office of the Australian Information Commissioner (OAIC), the scheme strengthens the existing data privacy regulations in the Privacy Act by requiring businesses to notify individuals when the loss of their information is likely to result in serious harm.
The new laws come as data breaches continue to escalate in Australia, with recent high profile cases causing severe problems for businesses and government agencies alike.
Here we’ll provide an overview of the NDB scheme, who it applies to, and your obligations:
Will my business need to comply with the scheme?
If you’re a business or non-profit covered by the Privacy Act and have an annual turnover of $3 million or more, you will need to comply with the scheme.
If your business makes less than $3 million a year, you may be exempt; however, there are exceptions.
The scheme similarly applies to Australian government agencies, credit reporting bodies, health service providers, and TFN recipients, among others.
What are my obligations under the NDB scheme?
If you have reasonable grounds to believe your business has suffered an “eligible data breach” – one that reveals personal information likely to result in serious harm to any individual – you must notify those individuals and the OAIC within 30 days of becoming aware of the breach.
The scheme stipulates that a notification statement must include recommended steps individuals should take in response to the breach, amongst other details. It’s important to note that the scheme only applies to eligible data breaches that occur on or after 22 February 2018.
If you only have reasonable grounds to suspect your business may have suffered an eligible data breach, you are not required to notify anyone immediately. However, you must complete a "reasonable and expeditious" assessment into the relevant circumstances within 30 days. While it’s left up to businesses to develop their own procedures for assessing a suspected data breach, the OAIC provides a guide to doing so.
What are the penalties for failing to comply?
Serious or repeated breaches of an individual's privacy attract a maximum penalty of $360,000 for individuals and $1,800,000 for companies.
How can you prepare for the NDB scheme?
If your business stores confidential information about your customers, it’s wise to put a plan in place to ensure you can respond quickly to data breaches, and conduct an assessment as required under the NDB scheme.
A good place to start is the OAIC website, where you can find a data breach response summary and a comprehensive guide to handling personal information security breaches.