Understanding the Australian Notifiable Data Breach Scheme
Australian Privacy Amendment (Notifiable Data Breaches) Act 2017
Fortinet is a cyber-security company serving SME- to enterprise-sized businesses.
Here we take a look at the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017 so that you can understand what is required of businesses to comply with the legislation, and the potential pitfalls and issues associated with becoming compliant.
The legislation has been in effect since 22nd February 2018. Find out how Fortinet can help get you ready, in a cost-effective way, for both this scheme and the European Union's General Data Protection Regulation (GDPR), which came into effect in May 2018.
Frequently Asked Questions:
The Federal Government of Australia passed the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017, which introduced the Notifiable Data Breaches (NDB) scheme.
The NDB came into effect in February 2018, and applies to all agencies and organisations that collect and hold people's personal information and are subject to obligations under the Australian Privacy Act 1988.
Should a data breach occur, the NDB requires that every individual whose personal information has been put at risk in a way that could result in serious harm must be notified. This compulsory notification must also include a recommended course of action that the individuals should follow to minimise their risk. The Australian Information Commissioner must also be notified.
The NDB was established to protect individuals and improve the overall standard of personal information security by placing greater responsibility on businesses' data collection practices and privacy policies.
As data collection is a common business practice today, the scheme applies to the significant majority of organisations across Australia.
Each business must regularly review its practices, procedures and systems for securing personal information to ensure that they meet the requirements of the Notifiable Data Breaches scheme.
A data breach occurs when personal information that is held by an organisation is lost, stolen or exposed to unauthorised access or disclosure.
An 'eligible data breach', which triggers NDB notification obligations, is a data breach that places the individuals to whom the information relates at risk of serious harm. Examples of data breaches include:
- a device or physical record containing customers' personal information is lost or stolen
- a database containing personal information is hacked
- personal information is mistakenly provided to the wrong person
- unauthorised access to personal information by an employee
- inadvertent disclosure of personal information due to human error
- disclosure of an individual's personal information to a scammer due to inadequate identity verification procedures
Upper management is expected to be responsible for, and highly involved in, this process.
If an organisation experiences a breach, the obligations under the NDB require that an assessment is completed to judge its severity, and that appropriate action is then taken.
In the event of an eligible breach, not only does an organisation have to take steps to mitigate the damage; the resulting notification process also requires additional resources to craft the warning and potential remedies, then send it out to everyone who has been put at risk.
If an organisation is caught unaware, the result could be disastrous, which is why management is expected to already have practices, procedures and systems implemented and ready.
This also has negative implications from a public relations perspective, as having to notify a database of current and potential customers that they have been put at risk can cause significant damage to the organisation's reputation.
As soon as an organisation suspects a serious breach, it has 30 calendar days to conduct an assessment to verify its significance. Once the breach is deemed eligible under the NDB scheme, the organisation must promptly send out notifications to all affected individuals and to the Commissioner, as required.
If an organisation is found to have hidden an eligible data breach or failed to report it as required by the NDB, then the penalty regime under the Privacy Act applies.
This includes fines of up to $1.8 million for organisations and $360,000 for individuals for serious or repeated breaches.
When an organisation believes that an eligible data breach has occurred, the Australian Information Commissioner must also be notified as soon as practicable (in addition to the individuals affected). The notification must include:
- the identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned
- recommendations about the steps individuals should take in response
A report can be made online via the OAIC's official Notifiable Data Breach Form, which covers all the necessary information required.