The Notifiable Data Breaches Scheme is a new piece of governmental legislation that forms part of the Privacy Act, and has only just come into effect on February 22, 2018. However, governmental legislation and documents are always sprinkled with stilted and technical wording that is a bit difficult to decipher, so we’ll go through it bit by bit to see if we can make some sense out of it all.
Notifiable Data Breaches Scheme in a Nutshell…
Prior to the Notifiable Data Breaches Scheme coming into effect, there was not so much protection for individuals who were trusting their information to organisations. This new scheme provides added protection and security to individuals by applying a set of rules and protocols surrounding data breaches, forcing organisations to be more transparent with clients, and more proactive with their security.
Notifiable Data Breaches Scheme Essentials…
The official wording is: If an organisation falls under the authority of the new Notifiable Data Breaches Scheme, they are now obligated to notify both the Australian Information Commissioner, and individuals whose personal information has been involved in a data breach that is likely to result in serious harm.
So, if your organisation suffered a serious data breach, you cannot just quietly make it all go away. You must inform the Information Commissioner (OAIC) and the affected individuals. This is all pretty fair, but there have been many cases where companies did just the opposite and tried to sweep it under the rug, leaving individuals exposed and unaware.
When notifying the OAIC and individuals, the affected organisation must include the following information;
– the identity and contact details of the organisation
– a description of the data breach
– the kinds of information concerned
– recommendations about the steps that an individual can take in response to the data breach.
With regards to notifying individuals, the organisation has a choice to either notify all individuals, notify only those at risk of serious harm, or alternatively, the organisation can simply publish their statement on the company website and publicise it. Such a statement could also include an apology, and further explanation of the actions being taken to resolve the breach.
Notifiable Data Breaches Scheme Terms
If you’re finding the term ‘serious harm’ to be a little vague and subjective, here are some concrete examples of what can constitute ‘serious harm’ under the auspices of the Notifiable Data Breaches Scheme:
– physical harm
– financial/economic harm
– emotional harm (e.g. embarassment, humiliation)
– psychological harm (e.g. marginalisation, bullying)
– reputation harm
So realistically, most instances of a data breach would fall under this jurisdiction. It’s not only applicable if passwords or financial information was stolen, even just an exposed name can cause reputation harm or embarrassment (consider the Ashley Madison case) hyperlink: https://www.independent.co.uk/life-style/love-sex/ashley-madison-hacking-accounts-married-man-exposes-cheating-website-infidelity-rick-thomas-a7529356.html
Who falls under the authority of the Notifiable Data Breaches Scheme? A quick way to determine if you are subject to the Notifiable Data Breaches scheme is to ask yourself the following questions. Are you a:
– Australian government agency?
– Business or not-for-profit organisation with an annual turnover of at least $3m?
– Credit reporting body?
– Health service provider?
– TFN recipient?
If you said yes to any of these, then unfortunately, the Notifiable Data Breaches Scheme applies to you! If you’re still not sure, you can review this in more detail at OAIC.
Notifiable Data Breaches Scheme Timeline
If you are subjected to a data breach, and you fall under the great Notifiable Data Breaches Scheme umbrella, then you have a maximum of 30 days to assess and investigate in order to determine if it constitutes an ‘eligible breach’. That is, is it likely to cause serious harm to the affected individuals? If you’ve determined it to be eligible, then you follow through with notifying the OAIC and the affected individuals (and/or post it directly to your website).
All in all, it’s pretty a straight forward process, just wrapped up in bureaucratic terminology designed to put you to sleep. The OAIC has all the information you need on how to notify them, and what to include, so if you feel this is something relevant for you right now, jump over to the OAIC website for more detail.
Get in touch with the Stanfield IT team if you need assistance implementing any of the essential preventative measures for your cyber security.