Guide to the Government’s New Mandatory Data Breach Laws

August 24, 2017 - 4 minutes read

The Australian Government has introduced new legislation to strengthen the protection of privacy and personal information, and to improve organisational transparency regarding data breaches. This is known as the Notifiable Data Breach (NDB) scheme and came into effect on 22 February 2018.

Who does it apply to?

The legislation applies to all organisations currently under the Australian Privacy Act. These are organisations that are already charged with the responsibility to keep personal and sensitive information secure. This includes not-for-profits such as churches or church-based organisations as well as commercial businesses.

What type of information does it apply to?

The scheme applies to all kinds of personal and sensitive information. Examples include names, addresses, email addresses, genders, family members, financial information, tax file numbers, medical history and so on.

When information of these types is collected and stored, steps must be taken to keep it secure and safe and to avoid loss and unauthorised disclosure.

Why is this needed?

There are several reasons why privacy was found to need further strengthening:

  • A lack of reporting requirements for data breaches has led to some organisations hiding or covering up instances of serious privacy breaches.
  • The invasion of privacy and / or the theft of personal information can seriously affect an individual, organisation or business. The harm caused may be financial, reputational, psychological and / or physical.
  • Information theft can result in identity crime, which is expensive. It costs Australia approximately $2.2 billion each year according to the Federal Attorney-General’s department.

What types of breaches are ‘notifiable’?

A data breach could occur due to a cyber attack, the loss or theft of a device that contains information, or because personal information is published or shared without authorisation (whether deliberately or inadvertently). Breaches are considered notifiable when they are likely to cause serious harm to the individual or organisation affected.

‘Serious harm’ could include financial losses, risks to personal safety, damage to reputation, or serious psychological harm. It’s up to the organisation concerned to investigate breaches and to determine if serious harm is likely to occur. This needs to be done within 30 days of the breach. The organisation should also take steps to prevent any further harm or damage from happening.

If a notifiable breach has occurred, the organisation must report details of it to those affected by it, and to the OAIC (Office of the Australian Information Commissioner). The police may also need to be notified if a crime is suspected.

Next steps to take

Strengthening data protection benefits everyone, including your organisation. It helps to reduce the risk of insurance claims, financial losses, damaged reputation, and loss of trust.

A proactive approach is required when it comes to managing personal information. Organisations may need to:

  • Develop a culture of privacy. This includes ensuring that any personal information collected is treated as an asset to be protected and managed.
  • Strengthen internal procedures and systems regarding the handling of personal information.
  • Make effective use of technology to increase data security – e.g. encryption, backups, restricted access, and passwords.
  • Appoint staff members to oversee information management and to investigate breaches.

More information on the legislation can be found at the OAIC Notifiable Data Breaches web page.

Also check our previous CCI article on privacy law reform in Australia.

Written by Tess Oliver
