Notifiable Data Breach Scheme
With the Australian Government estimating a $1 billion annual cost from cybercrime in this country, a new regulatory regime will come into force on February 22nd to help combat the issue.
The Notifiable Data Breach Scheme will affect any company or organisation with an annual turnover greater than AUD$3 million which handles people’s personal information. Under the scheme, such companies must inform the Office of the Australian Information Commissioner (OAIC) if they suffer a data breach. People whose data is exposed must also be informed.
Data breaches are defined for the purpose of the scheme by the OAIC as follows:
“Unauthorised access (of data) by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party... For example; a computer network is compromised by an external attacker resulting in personal information being accessed without authority...”
These broad criteria leave some scope for interpretation. The scheme only requires a breach to be reported where it is likely to result in “serious harm”. While this term is itself open to interpretation, the OAIC states it may include psychological, reputational, or financial impacts.
The OAIC details some types of data as more likely to cause “serious harm” as follows:
‘sensitive information’ such as information about an individual’s health
documents commonly used for identity fraud (including Medicare card, driver licence, and passport details)
a combination of types of personal information (rather than a single piece of personal information) that allows more to be known about the individuals the information is about.
There is a range of steps you can take to secure your data, and a further range of steps necessary to ensure compliance with the scheme, should your business fall under its requirements. The OAIC website contains a large selection of resources designed to help you prepare, including an informative webinar which takes you through the scheme, the process, and the requirements. If you are unsure of what you need to do, it is worth setting aside some time to go through the material, so that you are ready should the worst case occur.
Extensive information about the scheme may be found on the OAIC site here:
The flowchart below, provided by the OAIC, details how to handle an instance of data breach under the Notifiable Data Breach Scheme (NDBS).