Notifiable data breaches
Posted on February 22, 2018
Worried about a ‘notifiable data breach’ (‘NDB’)? Don’t be. The sky is not falling in.
The new scheme comes into effect today and is potentially far reaching, but in practice is not a game-changer.
So what does it all mean?
From 22 February 2018, organisations (including businesses, charities, NFPs) which may handle personal information (PI) of individuals are subject to a regime which obliges them to take certain steps if there is an actual or potential 'serious breach' of privacy in that information.
The regime only applies to organisations which have a turnover of $3M, or which provide health services.
An NDB arises where:
- there is a suspected or known data breach; and
- this is likely to result in serious harm to any of the individuals whose information was involved.
There should then be a ‘stepped’ process within the organisation, to include the following:
- Is there an expected or known data breach, ie unauthorised access to or unauthorised disclosure or a loss of PI.
- Contain the suspected or known breach if possible; limit any further access or distribution of the PI or possible compromise of PI.
- Assess – is the data breach likely to result in serious harm?
- initiate; plan the assessment and assign a team or person
- investigate; gather relevant information
- evaluate; is serious harm likely?
- Take remedial action.
- If serious harm is still likely, notify AOIC (the Australian Office of the Information Commissioner).
The practicalities are that there will only be a small handful of NDBs in Australia each year. Yes, it is of course important to get your ‘ducks in a row’; but only a few organisations need lose too much sleep worrying about the possibility of a NDB.
We have helped several clients work their way through the requirements of the scheme and cybersecurity more generally. If you would like some help, please do get in touch with us.