Recent changes to Australia’s privacy laws now require businesses to report data breaches or risk a heavy fine. A data breach occurs when personal information held by a business is lost or subject to unauthorised access or disclosure.
The new “Notifiable Data Breaches” scheme (NDB) of the Privacy Act will apply to all organisations (including small businesses) covered by the Australian Privacy Act 1988. It establishes new requirements for reporting eligible data breaches to authorities and to members of the public. This means that if an organisation believes or is aware that data has been compromised, it must notify the Office of the Australian Information Commissioner (OAIC) and those people whose personal information has been exposed.
If a data breach occurs, the obligation to notify will generally involve preparing a statement containing the required information about the breach, providing this statement to the OAIC and notifying the affected individuals. If the business only suspects that a data breach has occurred, notification is not immediately required; however, an investigation into the relevant circumstances should be completed within 30 days.
So, what should your business do now?
- Review the useful guide prepared by the OAIC explaining the requirements of the new scheme. This will help to ensure you are aware of the new scheme and what it means for your business.
- Prepare a Data Breach Response Plan (or update an existing plan) to ensure that your business is ready and able to respond to any future data breaches whilst complying with the new scheme.
- Review your current information security arrangements. Are they up to date and sufficient to protect any personal information your business is holding?
The NDB scheme began on February 22 and only applies to eligible data breaches that occurred on or after that date.
For advice regarding the new Notifiable Data Breaches scheme, please contact us on (08) 9316 9896 or firstname.lastname@example.org.