Update: Mandatory Notification of Data Breaches

Known as the Notifiable Data Breaches (NDB) Scheme, the new laws form part of the Privacy Act 1988 (Cth) and reflect similar laws introduced in other jurisdictions including the European Union and USA.

Which Organisations are impacted?

The Scheme applies to any agency or organisation already subject to the Privacy Act. This includes Australian Government agencies, businesses and not-for-profit organisations (including most schools) with an annual turnover of at least $3 million, as well as health service and credit providers, amongst others.

What are the new obligations?

If an "eligible data breach" takes place, the breached entity must notify the individuals whose personal information is affected within 30 days. The notification must include recommendations about the steps individuals should take in response to the breach. The organisation must also notify the Australian Information Commissioner of the breach; an online form, the Notifiable Data Breach Statement, is available for this purpose. The contents of the Statement must be communicated to affected individuals.

What is an Eligible Data Breach?

An eligible data breach is one in which there is ‘unauthorised access, disclosure, or loss, of personal information’ held by an entity and that access, disclosure, or loss is likely to result in serious harm to any of the individuals to whom the information relates. Examples may include the hacking of a database containing personal information, the mistaken provision of personal information to the wrong person, or the loss or theft of digital devices or storage media containing (accessible) personal information.

What happens if a Breach occurred before 22 February 2018, but is discovered after it?

The Scheme only applies to data breaches occurring on or after 22 February 2018. If the breach occurred prior to 22 February 2018, even if it is discovered after this date, then it is not considered an eligible data breach for the purposes of the Scheme.

What are the Consequences of failing to notify?

A business that fails to notify an eligible breach faces significant penalties: up to $360,000 for individuals and $1.8 million for organisations. There is also the risk of reputational damage. For the individuals affected, exposure of their names, email addresses and phone numbers may leave them susceptible to phishing attacks and unwanted spam. Exposure of information such as driver's licence and Medicare numbers, along with dates of birth and bank account details, could result in fraud, identity theft and money laundering.

How can we prepare?

  • Familiarise yourself with the AIS Privacy Compliance Manual 2018
  • Confirm whether your organisation is subject to the NDB Scheme. Most schools will be.
  • Read and develop an understanding of the Information Commissioner's Guide to securing personal information.
  • Be aware of what personal information your organisation holds and how it is stored and managed.
  • Train staff in the area of information privacy and, in particular, the obligations to take steps to secure personal information held, prevent data breaches and respond appropriately if a breach does occur.
  • Ensure that you have a data breach response plan and related procedures and protocols. The AIS Privacy Compliance Manual has a chapter (26) entitled “Responding to Data Breaches” as well as annexures (6 – 8) containing a summary and diagram of the key steps to be taken (contain, assess, notify and review), material on assessing risk and a Template Data Breach Response Plan. These have been developed specifically for schools, with reference to materials and resources developed by the Office of the Australian Information Commissioner (OAIC).
  • Seek legal advice at any time/stage.

Useful Links

AIS: (Non-Government Schools) Privacy Compliance Manual 2018

Legislation: Privacy Amendment (Notifiable Data Breaches) Act 2017

Key OAIC Resources: Guide to handling data breaches and a webpage summary regarding the Notifiable Data Breaches Scheme, with inbuilt links to more information.

Australian Signals Directorate: 8 key strategies to mitigate cyber security risks - the Essential Eight

CERT Australia: Various resources including ‘Stay Smart Online’ and ‘Top Control Systems Tips’, providing information and strategies for protecting against common cyber security threats.

This article provides general information about the subject matter only. Specialist advice should be sought about specific circumstances.