From 22 February 2018, the Notifiable Data Breaches (NDB) scheme applies to organisations and agencies regulated by the Privacy Act 1988 (Cth). This includes businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies and health service providers. The NDB scheme requires these entities to notify the Australian Information Commissioner, as well as affected individuals, of an eligible data breach.

The gestation of the scheme has had a long and tortuous history, which we have written about here. But, with the commencement of the NDB scheme, regulated entities need to be aware of the disclosure obligations that arise when there is an eligible data breach.

What is an eligible data breach?

A data breach occurs where there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an entity. An eligible data breach is one which a reasonable person would conclude is likely to result in serious harm to any of the individuals to whom the information relates.

Not all data breaches are likely to cause serious harm. For example, if the breach is rectified quickly and serious harm is not likely to result, then there is no requirement to notify under the scheme. Whether serious harm is likely will require careful consideration in each case.

OAIC

The Office of the Australian Information Commissioner (OAIC) is the regulatory body for the NDB scheme. Its role includes:

  • Receiving notifications of eligible breaches
  • Handling complaints, conducting investigations and taking regulatory action in response to non-compliance
  • Providing guidance to regulated organisations and advising the community about the operation of the scheme.

The OAIC has produced an extensive set of resources to assist regulated entities to comply with the new NDB scheme. The OAIC resources can be accessed here.

Do you need advice?

Losing an expensive company laptop or having your client database 'hacked' can be costly to remedy, and embarrassing. But it is now clear that there are Privacy Act implications if your organisation is regulated by the Act and the data breach involves personal information and is likely to cause serious harm.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.