Notifiable Data Breaches under the Privacy Act
The Commonwealth Government recently passed some laws that made it mandatory to own up if you disclose someone’s data when you’re not meant to.
Notifiable Data Breach under the Privacy Act.
The Privacy Act 1988 was recently amended by the Privacy Amendment (Notifiable Data Breaches) Act 2017. It created the notifiable data breach scheme, which started on 22 February 2018.
A data breach happens when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. For example: a device holding your customer information is lost or stolen; your system is hacked; or you give out personal information to the wrong person by mistake.
A data breach will be a notifiable data breach if it is likely to result in serious harm to any individual. To determine whether serious harm is likely, consider: is there any security on the data (password protection or encryption); is the information sensitive (eg medical records); is there potential for the data to be exploited (eg credit card numbers or bank details).
If this happens (or you suspect it has happened), your organisation needs to notify the person or people who are at risk from the breach, and also notify the Australian Information Commissioner, as soon as possible. There are particular requirements about the content of the notifications too.
Failure to comply with the Notifiable Data Breaches (NDB) scheme puts your organisation at risk of consequences under the Privacy Act, which include being subject to an investigation and civil penalties.
Remember though, the Privacy Act and the NDB scheme may not apply to your small business. But if your revenue is more than $3m, or if your organisation is involved in health, gyms, child care, buying or selling personal information, or credit reporting, you are on the hook.