Notifiable data breaches

Posted on February 22, 2018

Worried about a ‘notifiable data breach’ (‘NDB’)? Don’t be. The sky is not falling in.

The new scheme comes into effect today and is potentially far-reaching, but in practice it is not a game-changer.

So what does it all mean?

From 22 February 2018, organisations (including businesses, charities and not-for-profits) that handle personal information (PI) about individuals are subject to a regime which obliges them to take certain steps if there is an actual or suspected breach involving that information which is likely to cause serious harm.

The regime applies only to organisations already covered by the Privacy Act: broadly, those with an annual turnover of more than $3 million, and health service providers of any size (some other categories of entity are also covered). Most other small businesses are exempt.

An NDB arises where:

  • there is a suspected or known data breach; and
  • this is likely to result in serious harm to any of the individuals whose information was involved.

There should then be a ‘stepped’ process within the organisation, to include the following:

  1. Identify: is there a suspected or known data breach, i.e. unauthorised access to, unauthorised disclosure of, or loss of PI?
  2. Contain the suspected or known breach if possible: limit any further access to or distribution of the PI, or any further compromise of it.
  3. Assess: is the data breach likely to result in serious harm? (The Act requires this assessment to be completed within 30 days of the organisation becoming aware of grounds to suspect a breach.)
    1. initiate: plan the assessment and assign a team or person
    2. investigate: gather the relevant information
    3. evaluate: is serious harm likely?
  4. Take remedial action. If that action means serious harm is no longer likely, no notification is required.
  5. If serious harm is still likely, notify the OAIC (the Office of the Australian Information Commissioner) and the affected individuals as soon as practicable.
  6. Review.

The practicalities are that there will only be a small handful of NDBs in Australia each year. Yes, it is of course important to get your ‘ducks in a row’; but only a few organisations need lose much sleep worrying about the possibility of an NDB.

We have helped several clients work their way through the requirements of the scheme and cybersecurity more generally. If you would like some help, please do get in touch with us.
