The Notifiable Data Breaches scheme (NDB Scheme), as enacted by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (Act) comes into effect on 22 February 2018. Under the NDB Scheme, organisations covered by the Privacy Act 1988(Cth) (Privacy Act)willbe required to investigate suspected data breaches and notify of `eligible data breaches'. The NDB Scheme is intended to:
- require businesses to proactively respond to suspected or actual data breaches and be transparent;
- give individuals the opportunity to change or otherwise `re-secure' information which has been subject to unauthorised access, disclosure or loss; and
- encourage businesses to improve their information security practices.
The requirements of the NDB Scheme apply to APP entities, credit reporting bodies and tax file number recipients. In effect, an APP entity is required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when it has reasonable grounds to believe that there has been an `eligible data breach', being where:
- there has been unauthorised access or disclosure, or a loss of information where unauthorised access or disclosure is likely; and
- a reasonable person would conclude that the access or disclosure would likely result in `serious harm' to any individualto whom the information relates.
The NDB Scheme sets out specific information to be included in the breach notification including name and contact details of the entity, the kind or kinds of information affected and recommended steps individuals can take in response to the breach. Where it is not possible to notify affected individuals directly, the entity must publish a copy of the statement on its website and take reasonably steps to bring its content to the attention of affected individuals. Failure to notify an eligible data breach is an `interference with the privacy of an individual' under the Privacy Act and serious or repeated offences can giv e rise to civil penalties.
The OAIC has produced guidance resources to help entities to understand and comply with the NDB Scheme, available here. After two rounds of consultation in 2017, many of these resources are now in final form .
PwC's detailed summary of the NDB Scheme can be found here.
The NDB Scheme poses regulatory, financial, and reputational risks for entities that are not sufficiently protected from and/or prepared to respond to data breaches. Entities should review and update their policies, processes, staff training, IT security systems, technology solutions and third party engagement, to ensure compliance with this new regulatory requirement. However, data protection is a `whole of business' imperative and the NDB Scheme also provides an opportunity to improve cybersecurity measures and engage with customers on privacy protection and to build and maintain trust.