Mandatory Data Breach Notification Australia. What You Must Know.
In 2018, mandatory laws commence in Australia regarding data breach notifications. Are you prepared for these changes? Almost 50% of Australian small businesses are ill-prepared or unaware of how these changes will impact their business.
A study by HP found that only 18% of small businesses had a compliance policy and nearly 60% has not undertaken an IT security risk assessment in the last 12 months. In fact, less than 50% of businesses had a security policy in place for employees who bring their own devices to work.
Get the facts you need to know about the Mandatory Data Breaches Notification (NDB) scheme. Find out what it means, how it works and how you can safeguard your business from costly fines.
What is the Notifiable Data Breaches Scheme?
The Notifiable Data Breaches Scheme is a long overdue amendment to Australia’s Privacy Act. The scheme has taken over five years to pass through parliament and brings Australia in line with other parts of the world including EU, UK, Japan and nearly all US states. The scheme is part of The Australian Privacy Amendment (Notifiable Data Breaches) Act 2017 and the latest amendment to the Privacy Act 1988.
The scheme strengthens the protection of personal information and improves the transparency of data breaches, in the public and private sector. It also gives individuals the opportunity to minimise the damage that results from the unauthorised use of their personal information. Organisations that are not exempt must notify the OAIC and individuals impacted by the breach.
When does the scheme commence?
The scheme will take effect on February 22, 2018.
What is a notifiable data breach?
A data breach occurs when personally identifiable information is accessed, downloaded or viewed by someone who is not authorised to access this information. The Notifiable Data Breach Scheme applies to the disclosure of personal information that could cause serious harm to the person whose information has been disclosed.
Examples of a serious data breach include:
Stolen credit card details from a website’s database.
Confidential health records accessed by an unauthorised party.
Personal photos, chat history, employee records or customer’s financial data.
The harm that occurs includes:
Threat to physical safety and emotional wellbeing
Damage to reputation or relationships
Workplace bullying and humiliation
An organisation must give notification if it has reasonable grounds to believe that this type of data breach has occurred.
How is serious harm measured?
Under the scheme, serious harm is assessed according to the type and sensitivity of the information, whether it was protected, e.g. encryption and access controls and the people who accessed the information. The objective test assesses what is reasonable on an individual basis. The scheme uses the phrase ‘eligible data breach’ to show that not all breaches require reporting. If an organisation has taken reasonable steps to mitigate the breach, then notification may not be required.
Who must comply with the Mandatory Data Breach Notification laws?
Although protecting the personal information of your customers and stakeholders is imperative to the success of your organisation, the NDB scheme applies to the following entities:
Australian public sector agencies.
Australian organisations, businesses and not-for-profits with an annual turnover over $3 million.
Private sector health service providers.
Some small businesses and non-government organisations.
Entities that trade in personal information, e.g. marketing research companies.
Agencies and organisations covered by the Privacy Act.
To find out whether the NDB scheme applies to your organisation, click here.
What do you need to do?
Australian businesses that are not proactive in protecting their customer and stakeholders’ data have been given an overdue push to undertake a security audit for their business. The audit should include:
How and why your company collects personal information.
How you are storing and managing personal information.
Your plan for responding to privacy breaches.
What do you need to do if a notifiable breach occurs?
Within 30 days of a suspected breach, you must notify all individuals who have been affected by the breach and OAIC.
What are the penalties for not complying with the scheme?
Company fines up to $1.8 million
Individual fines up to $360,000
What are the benefits of complying with the scheme?
A data breach is a serious breach of your customer and stakeholders’ trust and can negatively impact the relationship you have with them. It may take years for a customer to trust your business again or they may switch to your competitor. Compliance with the scheme ensures that you are following best practices and your employees understand the different types of threats and cyber security. You will protect your business from hackers and malicious agents while building trust with the community.
Is your business prepared for the Notifiable Data Breaches Scheme?
The Notifiable Data Breach Scheme starts on February 22nd, 2018. Is your organisation ready? Book your security audit and find out how you can protect your business from a costly data breach.