New data breach resources released
The Office of the Australian Information Commissioner has released new online resources ahead of the commencement of the Notifiable Data Breaches (NDB) scheme this week.
The NDB scheme will commence on 22 February 2018, and will require agencies, organisations and certain other entities to provide notice to the Office of the Australian Information Commissioner (OAIC) and affected individuals of a data breach.
One of the new resources published by the OAIC, titled “Receiving data breach notifications”, provides guidance on what to expect when you receive a data breach notification, including how organisations might deliver notifications and when a privacy complaint can be made to the OAIC.
The other new resource, “What to do after a data breach notification”, provides a wide range of actions you can take to reduce the risk of experiencing harm after a data breach.
Institute of Public Accountants executive general manager Vicki Stylianou said she has seen some confusion over who needed to comply with the scheme.
According to the OAIC, the scheme covers Australian government agencies, businesses and not-for-profit organisations that have an annual turnover of more than $3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.
Small businesses that have an annual turnover of less than $3 million but have obligations under the Privacy Act, or are an entity that trades in personal information, will need to comply with the NDB scheme. Entities that trade in personal information are those that disclose personal information about individuals to anyone else for a benefit, service or advantage, or that provide a benefit, service or advantage to collect personal information about another individual from anyone else.
Further, the scheme applies to anyone who handles TFN information, all credit providers, and any credit reporting body.
“The objective of the legislation is to try and get people to be more proactive about their security and to take their data security more seriously so the IPA is looking from the three perspectives of raising awareness, what your obligations are, and then actually being proactive and doing something about it if you haven't already,” said Ms Stylianou.
The Australian Information Commissioner, Timothy Pilgrim, said the NDB scheme formalises a long-standing community expectation to be told when a data breach that is likely to cause serious harm occurs.
“The practical benefit of the scheme is that it gives individuals the chance to reduce their risk of harm, such as by re-securing compromised online accounts. The scheme also has a broader beneficial impact — it reinforces organisations’ accountability for personal information protection and encourages a higher standard of personal information security across the public and private sectors,” said Mr Pilgrim.
“By reinforcing accountability for personal information protection, the NDB scheme supports greater consumer and community trust in data management. This trust is key to realising the potential of data to benefit the community, for example, by informing better policy-making and the development of products and services.”