With the Notifiable Data Breach (NDB) scheme under the Privacy Act 1988 in full force, the threat of financial and reputational impacts to organisations often overshadows the human element of a data breach; in essence, we tend to forget what it means to be an individual affected by one. In this article, we examine not only the financial hardship and lost time that affected individuals may suffer, but also the psychological impact they may endure from a breach. We also argue that organisations need to make more informed decisions when notifying an individual affected by a breach, as sometimes the act of notification itself can cause more harm than the breach.
Back to basics: Why the Notifiable Data Breach scheme was created
When the Notifiable Data Breach (NDB) scheme was first introduced in February 2018, it was met with a great deal of anticipation and trepidation by Australian organisations. While not the first of its kind conceptually (similar data breach notification regimes were already in force elsewhere), the NDB scheme was a modern formulation of the idea and was generally welcomed by privacy advocates in Australia. Organisations bolstered their data security and breach response procedures in an effort to comply with the newly introduced scheme.
Under the NDB scheme, organisations are required to notify only ‘eligible data breaches’ to the Office of the Australian Information Commissioner (OAIC) and to the individuals affected. An eligible data breach is an unauthorised access to, or unauthorised disclosure of, personal information (or a loss of personal information where such access or disclosure is likely to occur) that a reasonable person would conclude is likely to result in serious harm to the individuals concerned. Part of the reasoning behind notifying only eligible data breaches is that the individuals affected can then take steps to reduce the risk of harm to themselves.