Are you a not-for-profit organisation or a business with an annual turnover of $3 million? Did you know that changes are coming in how you must report data breaches to your clients? You might want to read on…
As of the 22nd of February, the Notifiable Data Breaches (NDB) scheme will introduce an obligation under the Privacy Amendment (Notifiable Data Breaches) Act 2017: businesses MUST notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.
Who Has to Comply?
The scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes: Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers and TFN recipients. Check the Privacy Act here if you are not sure whether this applies to you.
What Kind of Data Breaches Require Notification?
The scheme only applies to data breaches that involve personal information and that could result in serious harm to any individual affected. This could be unauthorised access to personal information (e.g. an employee browses sensitive customer records with no legitimate purpose), or unauthorised disclosure, which is when an entity discloses personal information to others outside the entity, whether intentionally or unintentionally. For more information on what constitutes a data breach, read here.
What You Must Do if There is a Breach
You are obligated to notify the individual(s) at likely risk of serious harm. You MUST also notify the Commissioner with a statement as soon as you can. For more information on how to do that, click here.
If you are unsure about any of this, check out the Office of the Australian Information Commissioner website here, where you will find all of the relevant information.