NDB: How ready are you?

The Notifiable Data Breach Act is in effect now in Australia. Are you affected?


Many small businesses will be, and the repercussions of non-compliance could be devastating!

WHAT IS THE NDB?

The Australian Privacy Act was recently amended to include mandatory data breach notification requirements. This means certain organisations must notify the Office of the Australian Information Commissioner (OAIC) of an "eligible data breach".

You must also notify affected individuals that might be at risk of "serious harm" due to the breach.

Your organisation needs to be capable of identifying and assessing the level of harm that might occur due to an actual or suspected eligible data breach.

WHAT IS AN "ELIGIBLE BREACH"?

Firstly, it's not just about "hacking" or theft. An Eligible Data Breach arises when the following criteria are met:

  1. there is unauthorised ACCESS or DISCLOSURE or LOSS of personal information - accidental or deliberate

  2. there is a likelihood of SERIOUS HARM as a result

  3. it has not been possible to remedy the harm

WHO IS AFFECTED?

The NDB scheme applies to businesses, Australian Government entities, and other organisations that are already required by the Privacy Act to keep information secure.

Generally, if your organisation has an annual turnover of $3 million or more you will need to meet the requirements of the NDB scheme. But there are also many other entities affected if you already have "special requirements" under the Privacy Act.

HOW DO YOU REPORT?

If you believe an eligible data breach may have occurred, you must alert individuals at risk of serious harm as soon as practicable.

The OAIC must also be promptly notified through a statement about the eligible data breach. If you are unsure whether the breach is eligible, you have THIRTY DAYS to conduct an assessment.

WHAT IS THE IMPACT?

The NDB scheme places a greater onus on directors and business owners to oversee cybersecurity. Organisations should have a robust cybersecurity framework in place to identify and protect sensitive information and to ensure that they are able to detect, respond to and recover from a data breach.

Directors and business owners MUST have a thorough understanding of cybersecurity systems and take responsibility to ensure that those systems operate effectively.

When notifying the affected individuals and the Commissioner, the following information must be included:

  1. the identity and contact details of the organisation;

  2. a description of the data breach;

  3. the kinds of information concerned; and

  4. steps outlining how individuals should respond to the data breach.
