The Notifiable Data Breaches (NDB) scheme, which applies to eligible data breaches that occur on or after 22 February 2018, is an amendment to the Privacy Act 1988 (the Act). It incorporates a mandatory data breach notification regime and establishes requirements for entities in responding to data breaches that are likely to result in serious harm to any individuals whose personal information is involved in the breach.
How does it work?
The regime is intended to:
- Create more transparency regarding the way in which entities address and remedy serious data breaches;
- Highlight Australia’s increasing focus on the importance of data protection;
- Improve individual and community confidence in organisational data protection practices; and
- Provide individuals the opportunity to take steps to minimise the damage or harm that can result from the unauthorised access, disclosure, use or loss of their personal information held by entities.
The entities required to respond to eligible data breaches under the regime include:
- Commonwealth government agencies;
- Private sector entities which have a turnover of at least $3 million;
- Entities which provide health services and hold health information (other than in employee records);
- Regulated credit reporting bodies;
- Regulated credit providers; and
- Regulated file number recipients (entities that hold tax file number information).
Examples of an eligible data breach may include:
- Data or records containing personal information that are lost or stolen;
- A database containing personal information is hacked;
- Sending a data file containing sensitive information to the wrong recipient, without taking prompt remedial action;
- Leaving a non-password protected phone containing sensitive personal information on a train; or
- Accidental online publication by a debt collector of a person’s name.
In addition, in order for there to be an eligible data breach it is necessary to establish that the disclosure is likely to result in serious harm to an individual, and that the entity has not been able to prevent the likely risk of serious harm with remedial action.
If an entity fails to comply with its obligations under the NDB scheme, then the maximum penalty for such contravention of the Act is currently $1.7 million.
If you wish to obtain more information on the Notifiable Data Breaches scheme, contact Steven Dangerfield, Angela Catanzariti, Bojana Balen or Lynda Lim of Dangerfield Exley Lawyers for a frank discussion on your legal rights and options available.