The Notifiable Data Breaches Scheme and the Privacy Act 1988
Notifiable Data Breaches
The Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Privacy Act) establishes requirements for entities in responding to data breaches.
Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach. From 22 February 2018, the NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Privacy Act.
The changes at a glance
- The scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected, referred to as ‘eligible data breaches’. There are a few exceptions.
- Agencies and organisations that suspect an eligible data breach may have occurred must undertake a reasonable and prompt assessment (within 30 calendar days after the entity becomes aware). Review the assessment guidelines here.
- If an entity believes an eligible data breach has occurred, it must notify individuals at likely risk of serious harm. For example: a hacker gains access to an online gym membership database that stores the name, address, date of birth and credit card details of all members.
- Entities must also notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable using the Notifiable Data Breach statement form.
- The following information must be included when notifying affected individuals and the OAIC:
  - the identity and contact details of your organisation;
  - a description of the data breach;
  - the kinds of information concerned (e.g. credit card details); and
  - recommendations about the steps the individuals should take in response to the data breach (e.g. monitor credit card transactions for suspicious activity).
- The role of the OAIC is to review eligible data breaches, consider complaints, investigate breaches, respond to other issues of non-compliance, and offer guidance and advice to organisations concerning the scheme.
Learning Seat has updated its Privacy courses to reflect the new Notifiable Data Breach scheme.