Guide to the Government’s New Mandatory Data Breach Laws

August 24, 2017 - 4 minutes read

The Australian Government has introduced new legislation to strengthen the protection of privacy and personal information, and to improve organisational transparency regarding data breaches. This is known as the Notifiable Data Breach (NDB) scheme. The government brought this into effect in February 2018.

Who does it apply to?

The legislation applies to all organisations currently under the Australian Privacy Act – that is, those that already have a responsibility to keep personal and sensitive information secure. This includes not-for-profits such as worship centres, charities, and church-based organisations as well as commercial businesses.

What type of information does it apply to?

The scheme applies to all kinds of personal and sensitive information. Examples include names, addresses, email addresses, genders, family members, financial information, tax file numbers, medical history and so on.

If you collect and store information of these types, you need to take steps to keep it secure and safe and to avoid loss and unauthorised disclosure.

Why is this needed?

There are several reasons why privacy needs further strengthening:

  • A lack of reporting requirements for data breaches has led to some organisations hiding or covering up instances of serious privacy breaches.
  • The invasion of privacy and / or the theft of personal information can impact seriously on an individual or an organisation or business. Types of harm caused may include financial, reputational, psychological and / or physical.
  • Information theft can result in identity crime, which is expensive. It costs Australia approximately $2.2 billion each year according to the Federal Attorney-General’s department.

What types of breaches are ‘notifiable’?

A data breach could occur due to a cyber attack, loss or theft of a device that contains information, or because personal information gets published or shared without authorisation (whether deliberate or inadvertent). Breaches are considered notifiable when they are likely to cause serious harm to the individual or organisation affected.

‘Serious harm’ could include financial losses, risks to personal safety, damage to reputation, or serious psychological harm. It is up to the organisation concerned to investigate a breach and to determine, within 30 days of the breach, whether serious harm is likely to occur. The organisation should also take steps to prevent any further harm or damage from happening.

If a notifiable breach has occurred, the organisation must report details of it to those affected by it, and to the OAIC (Office of the Australian Information Commissioner). Organisations should also notify the police if they suspect criminal activity.

Next steps to take

Strengthening data protection benefits everyone, including your organisation. It helps to reduce the risk of insurance claims, financial losses, damaged reputation, and loss of trust.

Organisations need to take a proactive approach when it comes to managing personal information. They may need to:

  • Develop a culture of privacy. This includes ensuring that any personal information collected is treated as an asset to be protected and managed.
  • Strengthen internal procedures and systems regarding the handling of personal information.
  • Make effective use of technology to increase data security – e.g. encryption, backups, restricted access, and passwords.
  • Appoint staff members to oversee information management and to investigate breaches.

More information on the legislation can also be found at the OAIC Notifiable Data Breaches web page.

Also check our previous article on privacy law reform in Australia.

Written by Tess Oliver
