An overview of who and what’s involved, plus recommended preparation, responses and additional resources
It may have come and gone quietly for most, but 22 February 2018 was the day the Notifiable Data Breaches (NDB) scheme, under Part IIIC of the Privacy Act 1988, came into effect. The law requires organisations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when personal information held by an APP entity (a government agency, private-sector or not-for-profit organisation covered by the Australian Privacy Principles) has been lost or subject to unauthorised access or disclosure, and that loss, access or disclosure is likely to result in serious harm.
But what does this mean for small businesses across Australia? Who must comply? What’s involved? How is a breach defined and how will the relevant parties be informed?
Here’s a quick and easy-to-follow guide.
Who must comply?
Government agencies and the businesses and organisations that are already APP entities are covered by the scheme. For private-sector businesses that generally means an annual turnover of more than $3 million, but some smaller businesses are APP entities regardless of turnover (for example private health service providers, credit reporting bodies and businesses that trade in personal information), so a turnover below the threshold does not by itself put a business outside the scheme.
Definition of ‘eligible data breach’
According to the Office of the Australian Information Commissioner (OAIC), an eligible data breach arises when three criteria are satisfied.
- Data breach: There has been unauthorised access to, unauthorised disclosure of, or loss of personal information held by the entity.
- Serious harm: A reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to one or more of the individuals whose information is involved. Serious harm may be physical, psychological, emotional, financial or reputational.
- Failure of containment: The entity has not been able to prevent the likely risk of serious harm through its own remedial action (for example, recovering a lost device before anyone could access the data, or remotely wiping it).
Methods of notification
Once an eligible data breach has been identified and confirmed, the agency or organisation must, as soon as practicable, prepare a statement for the Commissioner and notify the individuals at risk. If the entity only suspects that a breach may be eligible, it has up to 30 days to complete a reasonable and expeditious assessment. The notification must include:
- The identity and contact details of the entity
- A description of the data breach
- The kinds of personal information involved
- Recommendations about the steps individuals should take in response to minimise harm
Battle of the bad, bad bots
As early as 2014, research showed that bots generated more web traffic than people, accounting for roughly 60% of traffic, and a large share of that activity was malicious: scraping, credential stuffing, fraud and vulnerability scanning on behalf of attackers. Automated tooling finds and exploits exposed weaknesses at a speed no manual process can match, which makes cyber security both a business and a technology risk. For small and medium businesses with limited in-house capability, choosing SaaS and hosted solutions whose providers handle patching, monitoring and access control is therefore a practical first step towards protecting the personal information they hold, and towards being able to detect and contain a breach within the timeframes the scheme expects.
A move in the right direction
As digital platforms and technologies that utilise user data are improving business operations and customer experience, they are also calling for greater responsibility. According to Australian Information Commissioner and Australian Privacy Commissioner, Timothy Pilgrim, the NDB scheme is designed to mirror how privacy regulation is changing around the world, referring specifically to the General Data Protection Regulation in Europe, which is scheduled to commence in May 2018. For Australian businesses that are currently not required to comply with the NDB scheme but are storing personal information, it may only be a matter of time before the law applies to all.
Disclaimer: This material has been prepared for informational purposes only and was accurate at the time of publication. It is not intended to provide, and should not be relied on as, legal advice. Please consult your own advisors before engaging in any transaction.