The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify any individuals likely to be at risk of serious harm from a data breach.

The NDB scheme will commence on 22 February 2018. It only applies to eligible data breaches that occur on, or after, that date.

The NDB scheme applies to entities that have an obligation under APP 11 of the Privacy Act to protect the personal information they hold (s 26WE(1)(a)), including:
- entities that provide health services
- entities related to an APP entity
- entities that trade in personal information
- credit reporting bodies
- employee associations registered under the Fair Work (Registered Organisations) Act 2009
- entities that ‘opt-in’ to APP coverage under s 6EA of the Privacy Act.

Coverage also extends to entities engaged in the following activities:
- providing services to the Commonwealth under a contract
- operating a residential tenancy database
- reporting under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
- conducting a protected action ballot, and
- retaining information under the mandatory data retention scheme, as per Part 5-1A of the Telecommunications (Interception and Access) Act 1979.
Any organisation that is accountable under the Privacy Act will be required to inform the Australian Information Commissioner and the affected members of the public if the personal information it holds has been compromised.

The newly passed law means organisations that determine they have been breached or have lost data will need to report the incident to the Privacy Commissioner and notify affected customers as soon as they become aware of the breach.

The notification must include a description of the data breach, the kind of information involved, and how customers should respond to the security incident.

Those that fail to notify face penalties, including fines of $360,000 for individuals and $1.8 million for organisations.
What is a Notifiable Data Breach?
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.

A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Examples of a data breach include when:
- a device containing customers’ personal information is lost or stolen
- a database containing personal information is hacked
- personal information is mistakenly provided to the wrong person.