What is the new notifiable data breaches scheme?
- The new Notifiable Data Breaches (NDB) scheme came into effect on 22 February 2018 under the Privacy Amendment (Notifiable Data Breaches) Act
- The NDB scheme introduced an obligation on organisations to notify affected individuals, and the Australian Information Commissioner, when personal information they hold is involved in a data breach that is likely to result in serious harm to those individuals.
Who does the NDB scheme apply to?
- The NDB scheme applies to entities already covered by the Privacy Act: Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, tax file number recipients and others.
What is required if there is a breach?
- Businesses and organisations that suspect an eligible data breach may have occurred must undertake a reasonable and expeditious assessment to determine whether the data breach is likely to result in serious harm to any of the individuals affected.
What is considered to be an expeditious assessment?
- A business must take all reasonable steps to complete its assessment of whether or not there has been an eligible data breach within 30 days of becoming aware of the suspected breach.
How should a business notify an affected individual of a breach?
- A business or organisation that has reasonable grounds to believe an eligible data breach has occurred must prepare a statement and give it to the Australian Information Commissioner as soon as practicable, and must promptly notify the individuals likely to be at risk of serious harm. The statement must contain certain information, including the identity and contact details of the entity, a description of the breach, the kinds of information concerned, and recommendations about the steps individuals should take in response.
What are the penalties for non-compliance?
- Substantial monetary penalties may be imposed on businesses or organisations that fail to comply with the notification requirements under the NDB scheme, particularly where the failure amounts to a serious or repeated interference with privacy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.