Is your business prepared for the Notifiable Data Breaches (NDB) scheme?


2018 is fast approaching and so is the commencement of the Notifiable Data Breaches (NDB) scheme.

The Australian Government scheme will ensure that affected individuals are notified about serious data breaches. The scheme will commence on 22 February 2018.

The NDB scheme will apply to all businesses, government agencies and other organisations covered by the Australian Privacy Act 1988 (Privacy Act).

What is a Notifiable Data Breach?

A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.

The NDB scheme requires organisations to notify any individuals affected by these serious data breaches.

This notice must include recommendations about the steps that individuals should take in response to a serious data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.

Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.

What is a data breach?

A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.

Examples of a data breach include:

  • when customers' personal information is lost or stolen
  • unauthorised access to a database (or backup of a database) containing personal information
  • when personal information is mistakenly provided to the wrong person.

Who does this apply to?

All organisations bound by the Privacy Act and APP are affected by this new legislation, which includes:

  • Most Australian Government agencies
  • Businesses and not-for-profit organisations with an annual turnover of over $3 million

However, the Privacy Act and APP also apply to some types of smaller organisations that deal with sensitive personal information, and as such the mandatory data breach notification applies to them as well. Here are some examples:

  • Child care centres
  • Private schools and private education institutions
  • Private sector health service providers
  • Any individuals/companies who primarily handle personal information such as tax file numbers, credit applications and other personal sensitive records.

What can you do to make sure you are compliant?

Australian Privacy Principle 11 (APP 11) requires an entity to take active measures to ensure the security of the personal information it holds, and to actively consider whether it is permitted to retain that personal information.

An entity that holds personal information must take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Additionally, an entity must take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs.

What are "reasonable steps"?

What qualifies as reasonable steps to ensure the security of personal information depends on the circumstances, including the following:

  • the nature of your entity
  • the amount and sensitivity of the personal information held
  • the possible adverse consequences for an individual in the case of a breach
  • the practical implications of implementing the security measure, including the time and cost involved
  • whether a security measure is itself privacy invasive.

As a guideline, the OAIC has provided some steps and strategies which may be reasonable to take. These cover the following 9 key areas:

  • Governance, culture and training
  • Internal practices, procedures and systems
  • ICT security
  • Access security
  • Third party providers (including cloud computing)
  • Data breaches
  • Physical security
  • Destruction and de-identification
  • Standards

How can FinTechnologies assist?

FinTechnologies is happy to provide a FREE NDB Risk Assessment to go through the 9 areas outlined in the OAIC Steps and Strategies and provide you with a gap analysis detailing focus areas for your company and a roadmap to make sure you're covered by the time that the NDB Scheme takes effect.

Contact us today on 1300 778 078 to book your FREE NDB Risk Assessment.