Until now, notification of a data breach to the Australian Information Commissioner has not been mandatory under the Privacy Act 1988 (Cth).
From 22 February 2018, under the Notifiable Data Breaches (NDB) Scheme, an entity bound by the Australian Privacy Principles, credit reporting bodies, credit providers and tax file number recipients will be required to notify the Commissioner and affected individuals when a data breach is likely to result in serious harm to those affected individuals and the entity has not been able to prevent that risk by taking remedial action.
Failure to comply may attract a penalty of up to $420,000 for individuals and $2.1 million for corporations.
Recent data breaches affecting Equifax, eBay, Yahoo, LinkedIn and Uber illustrate that data breaches can be costly, with financial, legal and reputational consequences.
If your business must comply with the NDB Scheme you need to:
(a) review your current privacy and data security policies and procedures and breach response plans
(b) assess whether your policy and procedures provide a plan you can follow if you suffer a data breach
(c) train your staff in information security policies and procedures relevant to the NDB Scheme
(d) prepare a plan to follow if you must notify the Commissioner, affected individuals and others, such as your insurer, of a data breach
(e) review any contracts with suppliers that collect and handle personal information for you. Assess whether they should be amended to include data breach response and notification obligations that apply if a supplier suffers a data breach affecting the personal information you are responsible for
This article was prepared by Margaret Miller of Bell Legal Group for general information only and it is not legal advice. For legal advice about the Notifiable Data Breaches Scheme and how it affects you or your business, contact us on 07 5597 3366 or send an email to firstname.lastname@example.org