The Privacy Amendment (Notifiable Data Breaches) Act 2017, which was examined in The Gatherer vol.1 and in a later issue, establishes a Notifiable Data Breaches (NDB) scheme in Australia.

The NDB scheme will commence on 22 February 2018 and will apply to organisations already covered by the Privacy Act 1988 – including businesses with an annual turnover of more than $3 million, Australian Government agencies and private health service providers. The NDB scheme will require these organisations to take certain steps if an eligible data breach occurs, that is, unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any of the affected individuals.

In the event of an eligible data breach, these organisations must:

  • Prepare and give a statement to the Australian Information Commissioner which includes a description of the breach, the kinds of information concerned, and the steps the organisation recommends affected individuals take in response.
  • Take steps to notify affected or at-risk individuals, either by communicating the contents of the statement to them directly or, if this is not practicable, by publishing the statement on the organisation's website and publicising it.

The NDB scheme will impose greater accountability and responsibilities on organisations to maintain robust security over the personal information they hold – and will assist individuals affected by data breaches to reduce any resulting harm. Organisations must also be capable of assessing a suspected data breach quickly to determine whether it is likely to result in serious harm: the Act requires such an assessment to be completed within 30 days of the organisation becoming aware of grounds to suspect an eligible data breach.