On the 22nd of February 2019 the Notifiable Data Breaches (NDB) scheme was introduced, making it necessary for all agencies and organisations to notify individuals when their personal information is involved in a data breach likely to cause serious harm. Any notification that you make has to include recommendations about the steps people should take in response to the breach.
This is a short guide to what you need to do to ensure that you are up to date with legislation on the data breach laws and how your business can ensure that you are prepared and ready for any potential breaches.
Who has to comply with the NDB Scheme?
The changes in the NDB Scheme apply to any Commonwealth government agencies and any private organisations (business owners) who are currently subject to the Privacy Act. This includes any private sector organisation with an annual group turnover of more than $3 million. The groups affected also include small businesses providing health services where turnover is less than $3 million.
For example, the changes apply to private schools or companies with turnover of more than $3 million per year, but the changes do not apply to local councils or state government agencies because these bodies are already exempt from the changes.
What kind of breach could affect my customers or users?
A data breach occurs when information that you hold is lost or is subject to unauthorised access or disclosure. But the NDB scheme only applies to data breaches of personal information that are likely to result in serious harm. Breaches that could cause serious harm include:
- A device containing personal information of customers is lost or stolen – this might be something like a laptop or a device used in-house
- A database with customers’ personal information is hacked or stolen
- Personal information about a customer is mistakenly provided to the wrong person
You can read more about identifying eligible data breaches here and find out what you need to know about notifying your customers.
If you do suspect that a data breach has taken place, it’s important to perform a reasonable and fast assessment to figure out if the breach is likely to result in serious harm.
What to do if there has been a breach
If you have found that there has been a breach of customer data, then you are obligated to promptly inform any individuals who are at likely risk of serious harm.
You are also obligated to provide the Commissioner with a statement. You must include the following information in your notification:
- The identity and contact details of your organisation
- A description of what happened
- The information that has been breached
- A recommendation about the steps that individuals need to take in response to the data breach
You can make a notification through the Notifiable Data Breach form and can find more information about notifying individuals about an eligible data breach here.
You can download a copy of the data breach response summary prepared by the Office of the Australian Information Commissioner here.
How Managed IT Services can help
As a business owner, it is important to be vigilant with your customer information and data – but even more so given these new guidelines and legislation. At Connected Platforms we prize security and reputation alongside our dedication to ensuring that your business performs as it should every day of the year. If a data breach occurred and you had to make it publicly known to your clients, how much of an impact would this have on your reputation?
Managed IT Services and working with a data and IT specialist like Connected Platforms can go a long way towards keeping your business and your data safe online.
If you would like to know more about any of these data breach areas or to talk to one of our team, please contact us on (07) 3062 6931 to discuss your business’ requirements.