Australia's Data Breach Reporting Now In Effect
Increasingly we are seeing individuals and companies announcing that their systems have been breached, followed by consequences such as financial and reputational damage. In Australia alone, studies report that 44 per cent of businesses are NOT fully prepared. Breaches have been increasing gradually, and to protect people’s privacy the Federal Government has launched the “Notifiable Data Breaches” scheme. This new legislative direction aims to boost privacy governance in Australia. It now requires businesses to formally report a breach of their digital systems and files – with penalties of as much as $1.8 million for failing to do so.
What is the Notifiable Data Breaches (NDB) scheme?
The NDB scheme in Part IIIC of the Privacy Act requires entities to notify affected individuals and the Commissioner of certain data breaches.
The NDB scheme requires entities to notify individuals and the Commissioner about ‘eligible data breaches’. An eligible data breach occurs when the following criteria are met:
- There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
- This is likely to result in serious harm to any of the individuals to whom the information relates.
- The entity has been unable to prevent the likely risk of serious harm with remedial action.
Entities that have existing obligations under the Privacy Act to secure personal information must comply with the NDB scheme. This includes Australian Government agencies, businesses and not-for-profit organisations that have an annual turnover of more than AU$3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.
Entities that have Privacy Act security obligations in relation to particular types of information only (for example, small businesses that are required to secure tax file number information) do not need to notify about data breaches that affect other types of information outside the scope of their obligations under the Privacy Act.