On February 22nd, 2018, Australia’s Notifiable Data Breaches Scheme starts. The scheme is designed to safeguard the privacy of individuals and ensure transparency after a data breach. After five years of parliamentary argy-bargy, Australia will bring its data breach notification laws in sync with Europe, most US states, Japan, UK and a host of other countries.
Are you prepared for these laws? Read on to find out if these laws apply to your organisation and what you need to know about the scheme. What are the steps that you must take if a notifiable data breach occurs? Don’t risk a hefty fine!
The scheme started on February 22nd, 2018
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 commences this week. Before you dismiss this information as something that only applies to big business or public sector organisations, read on.
Does this law apply to your business or organisation?
- Australian businesses and organisations with a turnover exceeding $3 million.
- Health service providers.
- Public sector agencies.
- Credit reporting bodies.
- Companies that trade in personal information, e.g. market research.
- Organisations that are covered by the Privacy Act.
What is a data breach?
A data breach is unauthorised access to, or the downloading, sharing or publication of, an individual’s private or confidential information. The sources of a data breach include:
- Hacking and cyber attack.
- Inside job or human error.
- Stolen or lost media/laptop/computer.
- Inadequate security measures.
- Accidental publication.
Which data breaches require notification?
The Notifiable Data Breaches Scheme (NDB) applies if a data breach involves unauthorised access to, or disclosure of, personal information that could result in serious harm to the individuals affected.
What is ‘serious harm’?
Remember the well-publicised Ashley Madison dating service data breach in 2015? This malicious attack resulted in the embarrassing leak of personal details of people who had signed up to the site. It caused untold damage to the individuals whose ‘extramarital affairs’ had been revealed.
A recent Yahoo cyber attack resulted in 3 billion compromised email accounts, exposing people to the risk of their personal information being sold on the black market.
These high-profile cases are examples of ‘serious harm’. The types of information that may be involved in a data breach include:
- Sensitive or confidential personal information.
- Documents that may be used for identity theft, e.g. passport details, driver’s licence, Medicare card.
- Financial information.
- A range of information that may cause harm to the individual affected.
The NDB Scheme looks at the nature of the harm and the measures that were taken to protect the information.
What must I do if a Notifiable Data Breach occurs?
Organisations that suspect an eligible data breach has occurred have 30 days to assess the breach and to notify the Office of the Australian Information Commissioner (OAIC) and the individuals affected by the data breach.
What are the penalties for not disclosing a breach?
- For a company: Fines up to $1.8 million
- For individuals: Fines up to $360,000
How do I prepare for the NDB Scheme?
You need to undertake a security audit of your business now. Don’t wait until it is too late. If you run a website that collects sensitive and confidential information from your customers, audit that information and the measures you have in place to protect it. Contact Eightball Media today with questions regarding your website.