Complying with the Notifiable Data Breaches scheme
What is the Notifiable Data Breaches scheme?
As personal data breaches become an ever-growing hot topic, governments around the world are implementing legislative measures to provide citizens with greater transparency on their data.
In Australia, the Notifiable Data Breaches scheme (which came into force on February 22nd) is one such measure. It requires all organisations with personal data security obligations under the Privacy Act to report a breach if it is likely to cause harm to the person affected.
Who does the NDB apply to?
The NDB applies to all companies with existing personal information security obligations under the Privacy Act. This includes businesses and NFP organisations with a yearly turnover of $3m or more.
Organisations that fall under this definition include health service providers, government bodies, credit reporting bodies, and TFN recipients.
What types of breaches should be reported?
The scheme only requires “eligible data breaches” to be notified to persons affected and the OAIC (Office of the Australian Information Commissioner). An assessment of the data breach must take place within 30 days of the incident, assessing whether the data breach is likely to cause serious harm.
A notifiable breach occurs if 3 criteria are met:
- Personal information is lost (e.g. misplacing a hard drive)
- Unauthorised disclosure of personal information to a third party (e.g. accidental disclosure through email)
- Unauthorised third-party access to information (e.g. database hack)
To require reporting, all three criteria must be met. You can find more about what constitutes an “eligible data breach” here.
What happens if an organisation does not comply?
As a regulatory body, the OAIC Commissioner can take regulatory action in response to non-compliance. The OAIC can also impose civil penalties and issue fines of up to 10,000 penalty units or $2.1m. Non-compliant entities may be sued for damages by those affected.
How do organisations comply?
There are three main ways that a business can prepare for the NDB scheme:
- Review IT contracts under which the business discloses or receives personal data
- Create a form process/mechanism to determine whether breaches are notifiable data breaches or an “eligible data breach”.
To help with tracking and classifying breaches per the NDB’s compliance process, Checkbox’s platform provides an intuitive and easy-to-use form-building process to ensure that companies meet all compliance provisions. Find out more here: http://checkbox.ai/