As of 22 February 2018, all organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Cth) (“Privacy Act”) will be required to comply with the new Notifiable Data Breach Scheme (“NDB Scheme”). This includes all businesses with an annual turnover of more than $3,000,000.
Under the NDB Scheme, where there has been:
then an ‘eligible data breach’ has occurred.
Various factors are to be taken into account in deciding whether a ‘reasonable person’ would conclude that the access to, or disclosure of, the information would be likely to result in serious harm. These include the kind, nature and sensitivity of the information, and the persons or kinds of persons who have obtained or could obtain the information.
Even if you do not believe that the relevant circumstances amount to an eligible data breach, you must still carry out a reasonable and expeditious assessment of whether it is one, and take all reasonable steps to ensure that this assessment is completed within thirty (30) days after becoming aware of reasonable grounds to suspect that there may have been a breach.
If you are aware of reasonable grounds to believe that there has been an eligible data breach you must:
A failure to comply with the NDB Scheme will be governed by the Privacy Act’s existing enforcement and civil penalty framework. Accordingly, an individual or company may be subject to anything from investigations to, in the event of serious or repeated non-compliance, substantial civil penalties (up to $2,100,000.00 for companies and $420,000.00 for individuals).
This is a radical change to the existing law. We now recommend that if you will have NDB Scheme obligations, you put in place and adopt the following:
We note that this article is not an exhaustive summary of all the new privacy laws and requirements. If you want specific advice about the Notifiable Data Breach Scheme or the new privacy laws please don’t hesitate to contact us on 02 9262 4471 or firstname.lastname@example.org.
Authored by Gavin Parsons and Dan Rappoport of Gavin Parsons and Associates