Contact us on 07 3263 7030 or tax@mcfillin.com

NOTIFIABLE DATA BREACHES SCHEME

The Privacy Amendment (Notifiable Data Breaches) Act 2017 passed both houses of Parliament with bipartisan support and received Royal Assent on 22 February 2017. From 23 February 2018, the Privacy Act 1988 (Cth) will include a mandatory data breach notification scheme.

The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act) establishes requirements for entities when responding to data breaches. Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.

Who must comply with the NDB scheme

The NDB scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.

Assessing suspected data breaches

Agencies and organisations that suspect an eligible data breach may have occurred must undertake a reasonable and expeditious assessment to determine whether the data breach is likely to result in serious harm to any affected individual.

How to notify

When an agency or organisation is aware of reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm. The Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.

The notification to affected individuals and the Commissioner must include the following information:

  • the identity and contact details of the organisation
  • a description of the data breach
  • the kinds of information concerned; and
  • recommendations about the steps individuals should take in response to the data breach.

The notification to the Commissioner can be made using the OAIC’s Notifiable Data Breach form.

If you would like further information regarding the Notifiable Data Breaches scheme, visit: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme