From 22 February 2018, the Notifiable Data Breaches scheme (NDB) comes into effect in Australia. Does your company have to comply with the requirements?
The NDB Scheme – Executive summary in layman’s terms
If your company or your employer stores sensitive information about its customers in a database or on a computer, they are going to have to be very careful with that information or face the consequences.
Employers need to increase their IT security to minimise the chances of being hacked and having that sensitive data fall into the wrong hands.
If a security breach DOES happen, from 22 February 2018, the company needs to assess the breach and possibly notify each customer of that breach along with the Office of the Australian Information Commissioner.
The NDB is an extension of the Australian Privacy Act 1988 (Privacy Act) and failure to comply may mean a breach of the Act.
See also ABC News Article here: http://www.abc.net.au/news/science/2018-02-22/-companies-must-inform-consumers-of-data-breaches/9462170
The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
What is the Notifiable Data Breaches scheme?
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.
Who must comply with the NDB scheme
The NDB scheme will apply to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes:
- Australian Government agencies
- All businesses and not-for-profit organisations with an annual turnover of $3 million or more
- plus some small business operators such as:
+ entities that provide a health service, including private sector health service providers. Organisations providing a health service include:
+ traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
+ complementary therapists, such as naturopaths and chiropractors
+ gyms and weight loss clinics
+ child care centres
+ private schools
+ private tertiary educational institutions.
- entities that trade in personal information – that is, entities that disclose personal information about individuals to anyone else for a benefit, service or advantage; or entities that provide a benefit, service or advantage to collect personal information about another individual from anyone else (Brokers)
- credit reporting bodies
- Tax File Number (TFN) recipients (if annual turnover is below $3 million, the NDB scheme will apply only in relation to TFN information); this applies to accountants
- Organisations providing services to the Commonwealth under a contract.
- Credit providers (Banks, Mortgage Brokers, Finance Brokers)
- entities operating a residential tenancy database, i.e. real estate or rental agencies
Penalties for non-compliance
Penalties for not notifying affected parties and the OAIC of a notifiable breach include fines of $360,000 for individuals and $1.8 million for organisations.
Preventing Data Breaches
To prevent a data breach occurring in the first place, there are a number of recommended steps provided by the Office of the Australian Information Commissioner.
The OAIC guidance provides recommendations on ICT security, including:
Software Security, Network Security, Testing, Backing Up, Email Security, Access Security and Cloud Security.
Data Breach Response Plan
All eligible companies require a Data Breach Response Plan. To meet your obligations under the Privacy Act, an entity must take reasonable steps to protect the personal information that it holds; those reasonable steps include having a data breach response plan.
Data Breach Prevention and Compliance Auditing
The IT Guys can perform auditing of your ICT systems to help you comply with the Australian Privacy Act, develop policies and procedures, and increase your cyber-security to reduce the likelihood of a data breach, as well as to respond to and deal with such breaches should they occur.
Please call and speak to John or Tim to arrange a meeting.
2 comments to “The Notifiable Data Breaches (NDB) scheme (Australia) starts 22 Feb 18. Is your company affected?”
Mark - February 22, 2018
Finance and Mortgage brokers are technically not captured here as they are credit assistant providers and not credit providers. As for trading in personal information, brokers don’t do that for profit…so again technically an exemption based on the strict interpretation of the inclusion criteria (brokers collect information and most have their own consent for collection and retention of personal information). Most brokers (about 99% of brokers) don’t meet the profit / revenue benchmarks either.
The only reason that brokers abide by existing NPP guidance is due to marketing being a secondary activity of a mortgage broker's business and, by association, generating leads which may or may not lead to profit…but they certainly do not trade in personal information.
Having said that, it's a great article and it's fantastic that you post these messages.
John Kirkby - February 22, 2018
Thanks for the comments Mark.
The act is rather confusing and I can see many people may be unsure of their obligations under the privacy act.
I found a very handy Q & A that should clear it up for most people here:
Appendix A: Checklist — Does my small business need to comply with the Australian Privacy Principles?
https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-10