Things You Need to Know About The New Mandatory Data Breach Laws
According to the Federal Attorney-General's Department, identity crime is one of the most prevalent types of crime in Australia, costing the country around $2.2 billion every year.
Beyond the direct financial loss, identity crime can cause serious reputational damage to the organisations whose data was compromised. In light of this, the Australian Government has moved to tighten the protection of personal information through its new mandatory data breach notification laws.
The legislation in a nutshell
The Notifiable Data Breaches (NDB) scheme comes into effect on 22 February 2018. It applies to every organisation and agency that already has an obligation under the Privacy Act to keep personal information secure.
Entities covered include businesses and not-for-profits with an annual turnover of more than $3 million, and Australian Government agencies. The scheme also applies to some entities with a turnover under $3 million, such as educational institutions, private sector health service providers, and businesses that buy or sell personal information.
Failing to notify is treated as an interference with privacy under the Act; serious or repeated non-compliance can attract civil penalties of up to $340,000 for individuals and $1.7 million for organisations.
What is the aim of this scheme?
The main aim of the scheme is to strengthen privacy protections and improve transparency around data breaches. Organisations will no longer be able to keep silent about serious breaches: they must notify the affected individuals as well as the Office of the Australian Information Commissioner (OAIC).
What types of breaches are ‘notifiable’?
Many Australian organisations collect personal and sensitive information such as names, genders, addresses, credit card details, tax file numbers, financial information and medical history. The Privacy Act already requires these organisations to take reasonable steps to keep that information secure.
A data breach occurs when this information is lost, or is accessed or disclosed without authorisation. A breach is 'eligible' (notifiable) when a reasonable person would conclude it is likely to result in serious harm to any of the individuals to whom the information relates, and the organisation has not been able to prevent that likely risk of serious harm through remedial action (for example, by remotely wiping a lost device before its contents could be accessed). The test is harm to the affected individuals, not to the organisation.
If an eligible breach has occurred, the organisation must notify the affected individuals and the Office of the Australian Information Commissioner, including a description of the breach, the kinds of information involved, and the steps individuals should take in response.
What is meant by ‘serious harm’?
The Privacy Act does not define 'serious harm'. OAIC guidance indicates it may include financial loss, identity theft, reputational damage, threats to personal safety, and physical, psychological or emotional harm, assessed in light of the sensitivity of the information and the circumstances of the breach.
Where an organisation only suspects that an eligible breach has occurred, it must carry out a reasonable and expeditious assessment, and must take all reasonable steps to complete that assessment within 30 days of becoming aware of the grounds for suspicion. Once it has reasonable grounds to believe the breach is eligible, it must notify as soon as practicable, and it should also take steps to contain the breach and prevent further harm.
Why is this needed?
- Identity crime costs Australia around $2.2 billion each year.
- Because there has been no mandatory reporting requirement for data breaches, some organisations have simply not disclosed privacy breaches that affected their customers.
Next steps to take
Strengthening the protection of sensitive information benefits everyone, including your organisation. It reduces the risk of financial loss, insurance claims, reputational damage and loss of customer trust.
A proactive approach to managing personal information is therefore essential.
- Develop a culture of privacy. Collected personal information should be treated as an asset to be protected and managed, and collected only where it is genuinely needed.
- Make effective use of technology to increase data security, for example encryption of data at rest and in transit, access controls that restrict personal information to staff who need it, strong authentication, and tested backups.
- Strengthen the internal procedures and systems used to handle personal information, including a documented data breach response plan that sets out how a suspected breach is assessed and who decides whether to notify.
- Appoint staff to oversee information management and to investigate and respond to breaches.