What is the Notifiable Data Breach scheme and how will it affect your startup?
The Notifiable Data Breach Scheme (NDB) comes into effect on February 22, 2018. The legislation amends the existing Privacy Act so that businesses and organisations covered by the Act are obliged to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when an eligible data breach has occurred.
But what exactly is an ‘eligible data breach’? If one of your staff accidentally cops a glimpse of a client’s file, is that a data breach? Do you really have to notify the OAIC? Or is notification reserved for a more serious breach of privacy?
According to the OAIC, an ‘eligible data breach’, which triggers the notification obligations, is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
This usually occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.
Some examples of a data breach include:
There are some exceptions to this, but unless you’re working in the field of law enforcement they’re unlikely to apply to you. But are these breaches significant enough to be considered an ‘eligible data breach’?
Some things to consider:
‘Serious harm’ is not defined by the Privacy Act, but the Act lists a number of relevant matters for assessing whether serious harm is likely, including:
For most small business owners, the likelihood of committing a serious eligible data breach is slim.
In fact, small business owners (SBOs) should check Privacy business resource 10: Does my small business need to comply with the Privacy Act? [16] to see whether they will be affected. Generally, SBOs do not have obligations under the Australian Privacy Principles (APPs) unless an exception applies.
Businesses that must comply with the NDB scheme include those that:
If your business falls outside these categories, you most likely won’t need to worry too much about the NDB scheme.
Nonetheless, SBOs should put an action plan in place to safeguard their customers’ data and plan to minimise impact should a breach take place.
Should a data breach occur, organisations should take action immediately to attempt to lessen the impact of a breach.
For example, stop the unauthorised practice, recover the records, or shut down the system that was breached. If it is not practical to shut down the system, or if it would result in loss of evidence, then revoke or change computer access privileges or address weaknesses in physical or electronic security.
Data breach action plan
Step 1: Contain the data breach to prevent any further compromise of personal information.
Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
Step 3: Notify individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify.
Step 4: Review the incident and consider what actions can be taken to prevent future breaches.