Is your business prepared for roll out of the Notifiable Data Breaches Scheme?


This is our second post on the Notifiable Data Breaches Scheme.

Amendments made to the Privacy Act 1988 (Cth) this year create new obligations for certain Australian business entities and organisations with respect to data breach notifications.

The changes will come into effect on 22 February 2018.

Will my business be affected by the Scheme?

Only government agencies, companies, businesses and organisations that are ‘APP entities’ who already have obligations with respect to personal information under the Privacy Act will be affected by the Scheme.

Generally speaking, this includes federal government agencies, private sector and not-for-profit organisations that have an annual turnover in excess of $3 million, as well as certain businesses with an annual turnover of less than $3 million (small businesses) that handle personal information.

If you are unsure of whether you are an APP entity, seek professional advice.

What new data handling obligations does the Scheme impose on entities?

When entities identify that a ‘serious data breach’ has occurred they will be required to notify both the Privacy Commissioner and affected customers, as soon as they become aware of it.

A data breach means any unauthorised access, unauthorised disclosure or loss of personal data. This includes scenarios where:
1. An unauthorised employee, independent contractor or hacker gains access to personal information of an entity’s customers;
2. Sensitive personal information held by a health service provider is inadvertently made public due to a technical error, removing the entity’s control over the information; or
3. An employee inadvertently leaves an unsecured memory stick, device or hard copies containing employee information on public transport.

Must all breaches be reported?

No. The Scheme only requires breaches that are considered ‘serious’ to be reported. A ‘serious’ data breach is one that is likely (more probable than not) to result in serious harm to an individual whose personal information is accessed, disclosed or lost.

When determining whether a breach is serious, an entity should consider:
• the type of information involved
• its level of sensitivity
• whether it is security protected
• the type of persons who are likely to have obtained the information
• the recipient’s intentions, and
• the nature of the potential harm.

There are also circumstances specified in the Act under which an entity may not be required to report a serious data breach.

What do I need to tell my customers?

Customers and other individuals who are affected by the data breach must be provided with information about:
• the type of data breach that occurred,
• the type of data that was involved in the breach, and
• steps they should take to minimise harm.

What should APP entities do now to prepare?

Leading up to February 2018, APP entities should prepare to ensure they are compliant with the Scheme to avoid penalties. This requires the establishment of up-to-date information security policies and practices.

Entities can do this by:
• Reviewing existing policies and practices for data collection, handling and breach response in light of the Scheme’s requirements;
• Strengthening online security strategies to avoid breaches; and
• Educating staff on emergency response, mitigation and notification procedures in the event of a data breach.

Complying with privacy regulation not only reduces your risk, it also promotes a trustworthy and reliable business reputation and a healthy customer base.
