Mandatory Data Breach Notification Scheme

Mandatory Data Breach Notification Scheme

MANDATORY DATA BREACH NOTIFICATION SCHEME

How it affects you

Introduction

It’s official! The Notifiable Data Breaches scheme, established by the Privacy Amendment (Notifiable Data Breaches) Act 2017, will be officially enforced from the 22^nd of February 2018.

What is it?

It is a legal obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.

Does my organisation need to comply? When do I need to report a data breach and how?

       IF

1. your organisation is described in “Entities covered by the NDB scheme”

       AND

       2. Your organisation collects, retains, handles and transmits ‘personal information’

       AND

       3. Your organisation has been subjected to an eligible data breach [4], and there are no applicable exceptions to notification obligations

      THEN

1. You need to complete assessing the suspected data breach

2. within 30 calendar days of becoming aware of the suspected breach.

3. A suggested three-step assessment procedure contains the following stages:

          a. Initiate: decide whether an assessment is necessary and identify which person or group will be responsible for completing it

          b. Investigate: quickly gather relevant information about the suspected breach including, for example, what personal information is affected, who may have had access to the information and the likely impacts, and

          c. Evaluate: make a decision, based on the investigation, about whether the identified breach is an eligible data breach (see Identifying eligible data breaches).

       IF

          reasonable evidence exists to believe an eligible data breach has occurred,

       THEN

1. You need to notify:

   a. Affected individuals

   b. The Australian Information Commissioner, by submitting a Notifiable Data Breach statement – Form available at https://www.oaic.gov.au/NDBform/.

      2. The following information must be included in an eligible data breach statement:

          a. the identity and contact details of the organisation

          b. a description of the data breach

          c. the kinds of information concerned and;

          d. recommendations about the steps individuals should take in response to the data breach.

     3. Special conditions for notification exist where the breached data is in the custody of more than one party. 

An excellent resource covering this topic is available here.

Additional Resources

1. https://www.youtube.com/watch?v=BZXzNLlW2vA

Legal

AusCERT has made every effort to ensure that the information contained on this web site is accurate. However, the decision to use or follow any information or advice referenced here is the responsibility of each user or organisation. The appropriateness of any information or advice for an organisation or individual system should be considered before application in conjunction with the organisation’s local policies and procedures.

AusCERT takes no responsibility for the consequences of applying or following the information or advice on this web site.