The Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme which forms Part IIIC of the Privacy Act 1988 and came into effect on 22 February 2018.

The NDB scheme introduces mandatory requirements for entities in responding to data breaches. The scheme requires an entity to notify the Office of the Australian Information Commissioner (OAIC) and any affected parties of an ‘eligible data breach.’

Who do the changes apply to?

The NDB scheme applies to all organisations with obligations under the Privacy Act 1988 including Australian Government agencies, all business and not-for-profit organisations with an annual turnover of $3 million or more and some small business operators.

What is an eligible data breach?

An eligible data breach occurs when:

There is unauthorised access to, or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
The unauthorised access or disclosure is likely to result in serious harm to individuals; and
The entity has not been able to prevent the likely risk of harm with remedial action.
Some examples of a breach include lost or stolen laptops, removable storage devices, or paper recordings containing personal information, digital storage media being disposed of or returned to equipment lessors without the contents first being erased and databases containing personal information being ‘hacked’.

When will a breach result in serious harm?

The legislation does not defined the term ‘serious harm.’ The OAIC have indicated that serious harm can be psychological, emotional, physical, and reputational and will require an evaluation of the context of the data breach.

What are the notification requirements?

If you think a data breach may result in ‘serious harm’ you must:

Conduct an assessment within 30 days of becoming aware of the potential breach;
Notify any individuals who are at risk of serious harm as a result of the breach; and
Notify the OAIC by lodging a statement about the breach. The statement needs to include the entities contact details, a description of the breach, information involved in the breach and what steps were taken in response to the breach.

Are there any penalties?

A failure to undertake the required assessment or comply with the notification requirements is considered a serious interference with privacy under the Privacy Act. If a breach occurs, the OAIC may investigate and impose penalties to a maximum of $420,000 for individuals and $2,100,000 for corporations.

What can I do to comply with the NDB Scheme?

The notification requirements could be costly and result in adverse publicity for your business. Here is what you can do to increase your compliance with the new legislation:

Introduce a privacy policy to ensure your organisation complies with their obligations under the Privacy Act.
Review your data breach response procedure for timely detection and response to data breaches.
Share this information with relevant staff and make sure they understand the requirements under the NDB scheme.