What is the Notifiable Data Breach Scheme?
Australia recently implemented a comprehensive breach notification scheme known as the Notifiable Data Breach Scheme (NDB Scheme).
The NDB Scheme applies to businesses with an annual turnover of over $3 million, credit reporting bodies, businesses that trade in personal information, health service providers and tax file number recipients.
This NDB Scheme requires any organisation or business managing personal information about an Australian citizen to notify affected individuals, the Office of the Australian Information Commissioner (OAIC), and other entities when a data breach is detected. The OAIC sets the benchmark for managing data breaches and individual privacy.
Countries like Canada, New Zealand and the United States have adopted similar data breach notification laws.
When do I need to report a data breach?
A breach is a notifiable data breach (NDB) if it meets all of the following criteria:
- Personal information is lost, or there is unauthorised access or disclosure of data to a third party;
- The loss, disclosure or access could result in serious harm; and
- Your business is not able to reduce this harm.
A breach may not be notifiable if the damage is not severe or if steps can be implemented to reduce its impact.
When is a data breach serious?
Whether a data breach could result in “serious harm” is judged from the perspective of a “reasonable person”. The assessment considers several factors, including:
- whether the harm is financial, physical, psychological or reputational;
- whether the information lost or accessed is sensitive;
- who has obtained or could obtain the information; and
- whether effective security measures were in place to protect the information.
What is required from me?
The NDB Scheme requires organisations and businesses to take reasonable steps to prevent data breaches and have appropriate systems and processes in place to detect, contain and respond to data breaches.
In order to meet these requirements, organisations and businesses will typically need to train their staff on how to properly handle data, review and update their privacy policies and have a data breach response plan in place.
Your data breach response plan should set out such things as:
- Who in the business is responsible for dealing with the breach; and
- What actions they must take if a breach occurs (e.g. shutting down or taking the affected systems offline, removing specific access to the affected system and, where possible, remotely deleting files).
Organisations and businesses must provide the OAIC with specific information about the breach, including the types of data compromised, and must inform the individuals affected by the breach. Notification to affected individuals should:
- summarise the events of the breach;
- outline the potential impact; and
- detail the actions you are taking to mitigate any risks.
The OAIC must then assess the breach and decide on its severity. The OAIC may issue a Data Breach Notification if the data breach is severe enough.
What happens if I don’t comply?
Organisations and businesses in Australia must comply with the NDB Scheme or risk significant penalties, including fines of up to $2.1 million. Therefore, organisations and businesses must be aware of their obligations as part of the NDB Scheme and take the necessary steps to ensure compliance.
The NDB Scheme provides important protections to Australia’s citizens regarding how personal information is managed.
Organisations and businesses must implement systems and procedures to detect, contain and respond to data breaches and report certain breaches to the OAIC if they are serious.
If you need assistance with a data breach, or want to prepare your business so you don’t have one, give our Business Lawyers a call.