In February 2017, the Australian Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017 with bipartisan support, moving data breach notification from a voluntary to a mandatory requirement for organisations already covered by the Privacy Act.The Notifiable Data Breaches (NDB) scheme has a broad application. Australian Government agencies and businesses that are required to take steps to secure personal information under the Privacy Act 1988 (Privacy Act) must comply with the scheme. This includes all organisations with an annual turnover of more than $3 million, all health service providers, credit reporting bodies, all credit providers in relation to credit eligibility information, and tax file number (TFN) recipients.
In short, the NDB scheme requires these organisations to notify individuals whose personal information is involved in a data breach, if the breach is likely to result in serious harm to them. The Australian Information Commissioner, who regulates the Privacy Act, must also be notified. Failure to notify either the individuals concerned or the Commissioner of an eligible data breach is a breach of the Privacy Act, and may result in the Commissioner taking enforcement action.
The concept of mandatory data breach notification may be familiar to many readers. This privacy reform has been considered by the Australian Parliament on a number of occasions since the Australian Law Reform Commission recommended mandatory reporting in 2008.
Even before the NDB scheme was passed into law, voluntarily notifying individuals about serious data breaches had become a part of privacy best practice. The Office of the Australian Information Commissioner (OAIC) has observed an upward trend over the past few years in businesses and Australian Government agencies voluntarily notifying the office.
A practical benefit to data breach notification is that it allows individuals to be aware of the issue and take steps to protect their personal information, and thereby reduce their risk of harm. An individual might change their passwords, cancel credit cards, or take other steps depending on how a data breach may affect them.
Another benefit is that notifying individuals affected by a data breach is increasingly a community expectation. In the OAIC’s 2017 Australian Community Attitudes to Privacy Survey, 94 per cent of people said they should be told if their information is lost by a business — which shows close to unanimous support for breach notification.
Today, privacy is increasingly about transparency — transparency in how data is collected and safeguarded, how it is used, the reasons it is collected, and how it has been compromised if a data breach occurs.
The NDB scheme commences on 22 February 2018. Now is the time to start preparing.
For further resources, visit www.oaic.gov.au/ndb. This article provides a summary of the scheme, but is not tailored to your organisations individual circumstances, and should not replace professional advice.