Australia passed its first Privacy Act in 1989 with the objectives of protecting personal information and safeguarding the collection of information. Coverage of the Act subsequently spread, and 2014 saw the commencement of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, enacting changes including the Australian Privacy Principles (APP).

2018 will see further coverage of the Act with the Notifiable Data Breach (NDB) scheme, which obliges entities to notify the authority and also affected individuals in cases where personal information could be involved in the breach.

With the NDB scheme kicking in on 22 February, there will be more at stake for many businesses than ever. Here’s a summary of what it is.

What is the NDB scheme?
The Notifiable Data Breaches (NDB) scheme requires eligible entities to notify the authority of a likely breach, or the individuals whose personal information is involved where the breach is likely to result in serious harm. The amendment aims to provide affected individuals with notice after a breach so that they can take protective action against any possible related harm.

Who is impacted by the scheme?
Private sector organisations (individuals, bodies corporate, partnerships, unincorporated associations or trusts) formed in Australia that conduct business in the country or collect personal information from individuals located in Australia, and that have, or are related bodies of an entity that has, an annual turnover of more than A$3 million. It also includes Australian government agencies and credit providers (e.g. those who issue credit cards).

Which data breach will need notification?
“Eligible data breaches” refer to leaks of personal information that will likely result in serious harm to the individual affected. There are also a few exceptions to note. For example, data breaches that are notified under s 75 of the My Health Records Act 2012 (My Health Records Act) do not need to be notified under the NDB scheme.

When are entities required to notify the breach?
Entities will have to consider whether the data breach will likely result in serious harm to the affected individuals and, if so, the entity will need to notify the data breach.

Key takeaways

  1. Entities will be required to notify the Information Commissioner and affected individuals of data breaches that are likely to result in “serious harm”.
  2. If an entity suspects there has been a breach but is not certain that it is an “eligible data breach”, it must carry out an assessment to make that determination within 30 days.
  3. Consistent with other jurisdictions, there is a real potential for increased litigation concerning significant publicised breaches. This includes actions for failing to report a breach and class action litigation from a class of individuals who were affected by the data breach. Early notification of breaches will help claimants in identifying the type of claim to be made and the affected class of individuals.

For more up-to-date information, be sure to visit the OAIC website.