The Notifiable Data Breach (NDB) Scheme comes into effect 22 February 2018 but what does this mean?
Under Part IIIC of the Privacy Act 1988 (Privacy Act), companies are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals after a data breach that is likely to result in serious harm to individuals whose personal information is lost or subjected to unauthorised access or disclosure. Serious harm can be classed as psychological, emotional, physical or reputational or other forms of harm.
The NDB Scheme applies to companies with an annual turnover of $3 million dollars or more, private health service providers, companies that trade in personal information and companies that hold personal information in relation to certain activities for example, providing services to the Commonwealth under a contract.
Notifications must include recommendations on steps affected individuals can take in response to the data breach. Recommendations will depend on the personal information held by the company and services they provide and should be practical and easy for affected individuals to take.
What is an eligible data breach?
The Office of the Australian Information Commissioner states that an eligible data breach arises when the following three criteria are satisfied:
- There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds,
- This is likely to result in serious harm to one or more individuals, and
- The entity has not been able to prevent the likely risk of serious harm with remedial action.
How to prepare
- Know your data. Audit what eligible data is processed by your organisation, how it moves, where data is stored and how it is destroyed.
- Protect your data. Consider encryption of eligible data to shift protection efforts from data itself to the encryption/decryption keys.
- Protect your IT infrastructure. Review your company’s cyber security tools and solutions.
- Strengthen your information management policies. Process and analyse your data to identify your business’ strong and weak points to compare against industry standards. Consider ISO27001 requirements and Australian Signals Directorate’s Top 4 Strategies to Mitigate Targeted Cyber Intrusions.
- Educate. Inform your employees with relevant information and training and address the weakest element of information and data handling.
- Monitor, maintain and control. Compliance and security never rest, as a business grows, environments change, people and processes alter and technologies become obsolete.
How to notify affected individuals
If an eligible notifiable data breach has occurred, you are required to promptly notify affected individuals as well as the Office of the Australian Information Commissioner.
The Office of the Australian Information Commissioner states that there are three options when notifying affected individuals:
1. Notify all individuals whose personal information is involved in the eligible data breach
2. Notify only the individuals who are at likely risk of serious harm; or
3. Publish notification to the public on the company’s website and publicise it with the aim of bringing it to the attention of all individuals at likely risk of serious harm.
The Office of the Australian Information Commissioner states that your notification must be in the form of a statement, which includes the following information:
- The identity and contact details of your agency/organisation
- A description of the eligible data breach
- The kind or kinds of information involved in the eligible data breach
- What steps your agency/organisation recommends that individuals take in response to the eligible data breach
It is important to understand that people, processes and technology are important when mitigating risks and all companies should review their data breach response framework before 22 February 2018 to ensure you are able to quickly respond to any suspected data breaches.
Technology is the piece of the data protection framework that we excel in and we would love to help you choose the right product for your business. Call us on 02 9199 0888 or email us at email@example.com.
If you are unsure of how the Notifiable Data Breach Scheme impacts you, please seek legal advice.