The Notifiable Data Breaches Scheme – What is it?

The Notifiable Data Breaches Scheme is fast approaching, and businesses that aren’t informed could find themselves paying fines of up to $1.8m. Here’s what you need to know.

What is it?

The Notifiable Data Breaches (NDB) scheme applies to all organisations covered by the Australian Privacy Act 1988 and sets out an obligation to notify individuals affected by a data breach. Not only do affected individuals have to be notified, but the organisation has to include recommended steps they should take in response to the breach to best protect their data.

The Australian Information Commissioner also has to be notified of a breach, and if an organisation fails to do so, they can be fined upwards of $1.8m.

What needs to be reported?

There are three indicators that can tell you whether an incident needs to be reported to the commissioner and to affected parties.

1. Unauthorised access to personal information or data. This includes company employees accessing data they are not authorised to see, as well as external parties/hacks. It also covers accidental access as well as intentional access.

2. Unauthorised disclosure, such as when personal information is exposed to the public. This again can be intentional or accidental.

3. Loss, which is often reported as a precursor to unauthorised access and/or disclosure. It can involve instances such as employees unintentionally leaving hard drives or information on public transport.

It is not necessary to report loss in every case, such as when the information is deliberately deleted before a third party can access it, or the lost information is highly encrypted. For more information on the Notifiable Data Breaches scheme and what to do, visit the Office of the Australian Information Commissioner website.