Part 1: Australia & the National Data Breach Scheme
There has been little media attention on the Privacy Act amendments which came into effect on February 22nd. Inspired by the proliferation of information stored in e-format, the Australian Government has introduced new data breach regulations governed by the Office of the Australian Information Commissioner (OAIC). The Privacy Amendment (Notifiable Data Breaches) Act establishes new requirements for businesses responding to data breaches – introducing reporting and data breach investigation obligations for many Australian businesses when a breach is suspected.
Do you need to comply?
You will be obligated to comply with the National Nata Breach Scheme (NDBS) if you are:
- an Australian Government Agency, Business or Non-Profit with annual turnover greater than AU$3 Million; or
- a private sector health provider; or
- a childcare centre or private education institution; or
- a credit provider, or if your business handles consumer credit, or tax file numbers
Ultimately, the government has cast a wide web, and many Australian businesses will be obligated to comply.
What are your obligations if you suspect a breach?
When you suspect that a breach has occurred, you are obligated to take all reasonable steps to perform a comprehensive investigation of the breach within 30-calendar days of the breach being identified to determine its extent and severity. Should you determine that the breach could result in serious harm to the individuals, then you are obligated to notify the affected persons and the OAIC. Where you suspect that the breach is likely to result in serious harm, when it is first identified, you are obligated to immediately notify the OAIC.
How do you meet these expectations?
Mandatory Data Breach laws require your businesses to have the right mix of technical and administrative controls in place. It is crucial that you assess the policies and procedures that you have in place, undertake an audit of the information that you store, and implement policies that will protect this information
What are the ramifications for failing to comply?
The Australian Government views a failure to comply with the NDBS as “…an interference with the privacy of an individual”, and accordingly attaches sever pecuniary penalties. The financial penalty on individuals is up to AU$360,000 while the penalty for businesses is up to $1.8 million.
There is no silver bullet to complying with the regulations. Compliance requires a combination of people management, administrative processes and technological controls – working together to keep data secure. Using Snare can help you implement the requisite technical controls, if you need help with one or more of the other areas, then seek advice from a trusted advisor.
For more information on how Snare can support your Privacy Act Compliance, refer to our whitepaper: Mandatory Data Breach Disclosure: Equipping your business for Privacy Act Compliance with Snare
For more information specifically on the NDBS refer to these useful links:
https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-preparation-and-response.pdf
