Australia finally has mandatory data breach notification

Marcelo Orlandi

Are you aware of the new Notifiable Data Breaches (NDB) scheme that comes into effect on 22nd February 2018? This scheme reinforces organizational accountability for the personal information organizations hold, ensuring individuals know when their personal information may have been disclosed and when that disclosure poses a risk to them.


Who is affected by this law? The amendment clearly states that any business with an annual turnover of more than $3 million, all health service providers and a limited range of small businesses are affected by this law. Small businesses are affected if they sell or purchase personal information as part of their operating processes.


What does it mean? This means that you will have to alert authorities and all affected individuals about any ‘eligible data breach’ which takes place in your organization.


What do I need to do? The new scheme will require you to notify the Office of the Australian Information Commissioner (OAIC) and all affected individuals as soon as practicable in the event of a data breach.


Are there any exceptions? If your organization takes remedial action that ensures serious harm to any individual is no longer likely, before the data breach actually causes serious harm to anyone, then there is no requirement to notify. Being able to do this depends on preparation: implementing policies and procedures, planning for a potential compromise of your organization’s systems, and implementing monitoring and control systems to prevent such an event or minimize the likelihood of it happening.


Are there any penalties? This will depend on the seriousness of the breach. If you fail to notify as required by the law, the Commissioner has a range of enforcement powers, including the power to apply for civil penalty orders of up to $340,000 for individuals and up to $1.7 million for companies.


What do I need to do to comply?

  • Do you hold personal information?
  • Are you an organization with a turnover of more than $3 million?

If you don’t know how personal information flows through your systems, or don’t have any policies or procedures to manage it, please reach out to us to find out how we can help you.