The Office of the Australian Information Commissioner (OAIC) has released new resources on the Notifiable Data Breaches (NDB) Scheme.
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 earlier this year established the scheme. The scheme will commence in February 2018.
It requires businesses, Australian Government agencies, and other organisations covered by the Australian Privacy Act 1988 to notify any individuals likely to be at risk of serious harm by a data breach.
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure, for instance when a database containing personal information is hacked or personal information is mistakenly provided to the wrong person. Not all data breaches are notifiable. OAIC defines a Notifiable Data Breach as a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
Organisations that suspect a data breach may have occurred are required to undertake an expeditious assessment to determine if the data breach is likely to result in serious harm.
The notification must set out the identity and contact details of the organisation, a description of the data breach, the kinds of information concerned, and recommendations about the steps individuals should take in response to the data breach. OAIC must also be notified.
The Commissioner will have the responsibilities of receiving notifications of eligible data breaches; encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance; and offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.
The OAIC’s Data breach notification — A guide to handling personal information security breaches and Guide to developing a data breach response plan provide a best practice model. They will be updated in consultation with stakeholders before the scheme starts next year.
OAIC is seeking public comments until July 14 on draft resources for all the aspects mentioned above, namely Entities covered by the NDB scheme, Notifying individuals about an eligible data breach, Identifying eligible data breaches, and the Australian Information Commissioner’s role in the NDB scheme.