The Notifiable Data Breaches (NDB) scheme (Australia) starts 22 Feb 18. Is your company affected?
From 22 February 2018, the Notifiable Data Breaches (NDB) scheme is in effect in Australia. Does your company have to comply with its requirements?
The NDB Scheme – Executive summary in layman’s terms
If your company or your employer stores sensitive information about its customers in a database or on a computer, it will have to be very careful with that information or face the consequences.
Employers need to increase their IT security to minimise the chances of being hacked and having that sensitive data fall into the wrong hands.
If a security breach DOES happen, from 22 February 2018 the company needs to assess the breach (a suspected breach must be assessed within 30 days) and, if it is likely to result in serious harm to any of the individuals concerned, notify those individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable.
The NDB scheme is an amendment to the Australian Privacy Act 1988 (Privacy Act), and failure to comply with it is treated as an interference with privacy under the Act.
See also ABC News Article here: http://www.abc.net.au/news/science/2018-02-22/-companies-must-inform-consumers-of-data-breaches/9462170
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. From 22 February 2018, the NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act). See https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
The NDB scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes:
- Australian Government agencies
- All businesses and not-for-profit organisations with an annual turnover of $3 million or more
- plus some small business operators, such as:
+ entities that provide a health service, including private sector health service providers. Organisations providing a health service include:
+ traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
+ complementary therapists, such as naturopaths and chiropractors
+ gyms and weight loss clinics
+ child care centres
+ private schools
+ private tertiary educational institutions.
- entities that trade in personal information, that is, entities that disclose personal information about individuals to anyone else for a benefit, service or advantage, or that provide a benefit, service or advantage in order to collect personal information about another individual from anyone else (data brokers)
- credit reporting bodies
- Tax File Number (TFN) recipients (if annual turnover is below $3 million, the NDB scheme applies only in relation to TFN information); this captures accountants, for example
- organisations providing services to the Commonwealth under a contract
- credit providers (banks, mortgage brokers, finance brokers)
- entities operating a residential tenancy database, e.g. real estate or rental agencies
Penalties for non-compliance
Failing to notify affected individuals and the OAIC of a notifiable breach can be treated as a serious interference with privacy, which attracts civil penalties of up to $360,000 for individuals and $1.8 million for organisations.
Preventing Data Breaches
To prevent a data breach occurring in the first place, the Office of the Australian Information Commissioner recommends a number of steps. These cover software security, network security, testing, backing up, email security, access security and cloud security.
Data Breach Response Plan
All eligible entities require a Data Breach Response Plan. To meet your obligations under the Privacy Act, an entity must take reasonable steps to protect the personal information that it holds, and those reasonable steps include having a data breach response plan.
Data Breach Prevention and Compliance Auditing
The IT Guys can audit your ICT systems to help you comply with the Australian Privacy Act, develop policies and procedures, and improve your cyber-security to reduce the likelihood of a data breach, as well as to respond to and deal with such breaches should they occur.
Please call and speak to John or Tim to arrange a meeting.
Need more help?
If you live in Western Australia and need any kind of computer help, please bring your computer to us at 315 Rokeby Road, Subiaco, Western Australia, or call us out. You can contact us here or call: