What is the Notifiable Data Breaches (NDB) Scheme?
The Notifiable Data Breaches (NDB) scheme requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify any individuals likely to be at risk of serious harm from a data breach. This notice includes recommendations about the steps that individuals should take in response to the data breach. The Australian Information Commissioner (Commissioner) must also be notified. Organisations need to be prepared to conduct quick assessments of suspected data breaches to determine whether they are likely to result in serious harm.
What is a Notifiable Data Breach?
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates. A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.
Examples of a data breach include when:
- a device containing customers’ personal information is lost or stolen
- a database containing personal information is hacked
- personal information is mistakenly provided to the wrong person.
When will it take effect?
The NDB scheme will commence on 22 February 2018. It only applies to eligible data breaches that occur on, or after, that date.
How should organisations prepare for the NDB scheme?
The Australian Government recommends that all organisations review their practices, procedures and systems for securing personal information in preparation for the scheme. The Office of the Australian Information Commissioner (OAIC) has a comprehensive Guide to securing personal information to assist you with this.
Organisations should also prepare or update their data breach response plan to ensure that they are able to respond quickly to suspected data breaches. The OAIC’s Data breach notification – A guide to handling personal information security breaches and Guide to developing a data breach response plan provide a best practice model, and will be updated in consultation with stakeholders ahead of the commencement of the NDB scheme.
The privacy management framework sets out the steps that the OAIC expects organisations to take to ensure good privacy governance and compliance with the Privacy Act.
Who must comply with the NDB Scheme?
The NDB scheme will apply to businesses, Australian Government agencies, and other organisations that are already required by the Privacy Act to keep information secure.
Not all data breaches are notifiable – the NDB scheme only requires organisations to notify when there is a data breach that is likely to result in serious harm to any individual to whom the information relates. Exceptions to the NDB scheme will apply for some data breaches, meaning that notification to individuals or to the Commissioner may not be required.
Which data breaches are notifiable?
Where an organisation becomes aware that there are reasonable grounds to believe an eligible data breach has occurred, they are obligated to notify individuals at likely risk of serious harm and the Commissioner as soon as practicable. This notification must set out:
- the identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned, and
- recommendations about the steps individuals should take in response to the data breach.