Data Breach Legislation
The Notifiable Data Breaches (NDB) Scheme adds to the privacy management framework by setting out the process organisations covered by the Australian Privacy Act 1988 must follow to notify individuals placed at risk of serious harm by a data breach. Penalties, rectification and restitution can be levied against an organisation following a data breach. Not all data breaches are notifiable: the legislation only requires organisations to report a breach when it is determined that the breach would most likely result in serious harm to the individual(s) to whom the information relates. The Office of the Australian Information Commissioner (OAIC) opened a public comment period, which ended in August 2017, to gather feedback on the draft legislation.
It is highly recommended that all organisations covered by the Privacy Act prepare for the NDB Scheme, which is set to commence on 22 February 2018. The OAIC website has drafts of the scheme that set out who must comply, how to identify data breaches, and other resources to help organisations prepare for its commencement. Review the scheme; assess and shore up any weak points in your organisation's handling and storage of information; train staff to handle information securely; monitor and audit all information transactions; and have a policy in place for dealing with data breaches.