Is your business prepared for roll out of the Notifiable Data Breaches Scheme?


This is our second post on the Notifiable Data Breaches Scheme.

Amendments made to the Privacy Act 1988 (Cth) this year create new data breach notification obligations for certain Australian government agencies, businesses and organisations.

The changes will come into effect on 22 February 2018.

Will my business be affected by the Scheme?

Only those government agencies, companies, businesses and organisations that are ‘APP entities’, and so already have obligations with respect to personal information under the Privacy Act, will be affected by the Scheme.

Generally speaking, this includes federal government agencies, private sector and not-for-profit organisations with an annual turnover in excess of $3 million, as well as certain businesses with an annual turnover of less than $3 million (small businesses) that handle personal information, for example private health service providers.

If you are unsure of whether you are an APP entity, seek professional advice.

What new data handling obligations does the Scheme impose on entities?

When an entity identifies that a ‘serious data breach’ has occurred (the Act calls this an ‘eligible data breach’), it will be required to notify both the Privacy Commissioner and the affected individuals as soon as practicable after becoming aware of it.

A data breach means any unauthorised access to, unauthorised disclosure of, or loss of personal information that an entity holds. This includes scenarios where:
1. An unauthorised employee, independent contractor or hacker gains access to personal information of an entity’s customers;
2. Sensitive personal information held by a health service provider is inadvertently made public due to a technical error, removing the entity’s control over the information; or
3. An employee inadvertently leaves an unsecured memory stick, device or hard copies containing employee information on public transport.

Must all breaches be reported?

No. The Scheme only requires breaches that are considered ‘serious’ to be reported. A ‘serious’ data breach is one that is likely (more probable than not) to result in serious harm to an individual whose personal information is accessed, disclosed or lost.

When determining whether a breach is serious, an entity should consider:
• the type of information involved
• its level of sensitivity
• whether it was protected by security measures (for example encryption) and how likely those measures are to be overcome
• the type of persons who are likely to have obtained the information
• the recipient’s intentions, and
• the nature of the potential harm.

There are also circumstances specified in the Act under which an entity is not required to report a serious data breach, for example where the entity takes remedial action quickly enough that the breach is no longer likely to result in serious harm to any individual.

What do I need to tell my customers?

Customers and other individuals who are affected by the data breach must be provided with a statement setting out:
• the identity and contact details of the entity,
• the type of data breach that occurred,
• the type of data that was involved in the breach, and
• the steps they should take to minimise harm.

What should APP entities do now to prepare?

Leading up to February 2018, APP entities should ensure they are compliant with the Scheme to avoid penalties. This requires up-to-date information security policies and practices.
Entities can do this by:
• Reviewing existing policies and practices for data collection, handling and breach response in light of the Scheme’s requirements;
• Strengthening technical and organisational security controls (for example access control, and encryption of personal information at rest and in transit) to prevent breaches and to limit the harm a breach can cause; and
• Educating staff on incident response, mitigation and notification procedures in the event of a data breach, including the assessment of whether a suspected breach is likely to result in serious harm.
Complying with privacy regulation not only reduces your risk, it also promotes a trustworthy and reliable business reputation and a healthy customer base.
