Australia’s new Notifiable Data Breaches scheme is designed to bring our privacy laws up to the standard the community expects in the information age.
It takes effect on 22 February 2018 and, in many cases, obliges organisations to notify both the Office of the Australian Information Commissioner (OAIC) and all affected individuals when a data breach occurs. The notification must include the recommended steps set out in the legislation.
Apart from receiving notifications of eligible breaches, the role of the OAIC includes offering advice and guidance to organisations covered by the scheme, and providing information to the community about how it operates.
Why the NDB?
The Notifiable Data Breaches scheme (NDB) strengthens the protections afforded to everyone’s personal information and improves transparency in the way agencies and organisations respond to serious data breaches.
It is intended to give the broader community confidence that their personal information is being protected and respected, and to encourage a higher standard of personal information security across Australian industries.
Notification also gives those affected by data breaches the opportunity to take steps to minimise the damage that can result from a data breach.
Who must comply?
The NDB applies to all organisations with existing obligations under APP 11 of the Privacy Act to protect the personal information they hold.
This includes Australian government agencies, and all businesses and not-for-profit organisations that have an annual turnover of more than $3 million.
Small businesses with a turnover below the $3 million threshold are generally excluded under the APPs, but there are several exceptions. These include businesses that trade in personal information, and organisations that provide a health service to, and hold health information about, individuals.
For more information about the Notifiable Data Breaches scheme, see this link.
Rise in digital transformation
With the growth of digital transformation and the adoption of this new law, organisations may find themselves even more exposed to potential IT risks. Networks are more vulnerable than ever, and every endpoint device is a potential target for hackers.