In case you missed it, last week marked the day Australia’s new Notifiable Data Breaches scheme came into effect. Many small businesses may have missed it, thinking it doesn’t apply to them, but it could if you hold certain pieces of information about your customers.
Who needs to comply with Australia’s New Mandatory Notifiable Data Breaches (NDB) scheme?
If you fall into the category of organisations that needs to comply with the Privacy Act, then the Notifiable Data Breaches (NDB) scheme applies to you.
The following categories will need to comply with the NDB Scheme:
- Australian Government agency;
- business or not-for-profit organisation with an annual turnover of $3 million or more;
- credit reporting body;
- health service provider; or
- TFN recipient (someone holding a Tax File Number in your systems)
- all accounting firms fall into this category, so make sure that they are aware of their obligations to protect your personal information and to inform you of any breaches.
What sorts of breaches must be reported?
If you’re covered under the NDB scheme, you must report any breach of personal information that is “likely to result in serious harm”.
If you think “serious harm” is a bit vague, serious harm could include:
- physical harm
- financial/economic harm
- emotional harm (e.g. embarrassment and humiliation)
- psychological harm (e.g. marginalisation and bullying)
- reputational harm
Remember, this is about the leak of personal information. And even if someone’s name is not specifically associated with the data that is leaked, if the leaked data can be used to identify and seriously harm someone then it needs to be reported.
Who do you report them to and what do you tell them?
Breaches need to be reported to the Office of the Australian Information Commissioner (OAIC).
The OAIC has a wealth of information on how to report and what to tell them: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
As well as identifying your company, you need to provide details about the breach and specifically detail what data was released in the incident. They even have a few checkboxes to make that job easier.
What timelines do I need to follow?
The OAIC’s advice is that once a breach that is covered under the NDB scheme is detected, the assessment should be carried out in a “reasonable and expeditious” timeframe. The expected timing is no more than 30 days. If you need more time to investigate, you can notify the OAIC to let them know you think there’s been a breach and ask for more time to investigate.
It is important that any affected parties are notified as soon as possible. But you only need to notify those who have been affected, not your whole customer base, for example.
What if I don’t report a privacy breach?
Penalties for not notifying affected parties and the OAIC of a notifiable breach include fines of $360,000 for individuals and $1.8 million for organisations.
It’s also important to note that companies that are repeatedly breached and don’t take steps to remedy issues and harden their security can be penalised even if they notify as required.
What should I do now to ensure I meet my obligations?
If you’re not already prepared for the NDB scheme, the best place to start is understanding what data you have that could be covered by the NDB scheme in the event of a breach.
Then ensure you have procedures in place for contacting all those potentially affected parties.
Review the OAIC’s website.
Call SBA Fremantle, we’ll be able to assist with any additional information and advice.