fbpx
Topics

What is the Notifiable Data Breach scheme and how will it affect your startup?

- February 21, 2018 3 MIN READ
data breach

The Notifiable Data Breach Scheme (NDB) will come into effect on February 22. The legislation imposes changes to the existing Privacy Act to ensure businesses and organisations are obliged to notify all affected persons and the Office of the Australian Information Commissioner (OAIC) if an eligible data breach has occurred.

But what exactly is an ‘eligible data’ breach…if one of your staff accidentally cops a glimpse of a client’s file, is that a data breach? Do you really have to notify the OAIC? Or is it reserved for a more serious breach of privacy?

According to the OAIC an ‘eligible data breach’, which triggers notification obligations, is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.

This usually occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.

Some examples of a data breach include:

  • A database containing personal information being hacked
  • A customer’s personal information being mistakenly provided to the wrong person
  • Or when a device containing customers’ personal information is lost or stolen.

There are some exceptions to this, but unless you’re working in the field of law enforcement they’re unlikely to apply to you. But are these breaches significant enough to be considered an ‘eligible data breach’?

Some things to consider:

Serious harm’ is not defined, by the Privacy Act, but the Act lists a number of relevant matters to assess whether serious harm is likely, including:

  • the kind of information (eg: financial);
  • the sensitivity of the information (eg: health information);
  • the security protections in place;
  • the type of person or people who obtained the information and the nature of the harm.

For most small business owners, the likelihood of committing a serious eligible data breach is slim.

In fact, small business owners should check Privacy business resource 10: Does my small business need to comply with the Privacy Act?.[16] to see whether they will be affected. Generally, SBOs do not have obligations under the APPs unless an exception applies.

Businesses that must comply with the NDB scheme include those that:

  • hold health information or provide a health service
  • is related to an APP entity
  • trade in personal information. That is, the SBO discloses personal information about individuals to anyone else for a benefit, service or advantage; or provides a benefit, service or advantage through the collection of personal information about another individual from anyone else – eg a market research agency, or an accountant.
  • is a credit reporting body
  • is an employee association registered under the Fair Work (Registered Organisations) Act 2009
  • has ‘opted-in’ to APP coverage under s 6EA of the Privacy Act.

If your business falls outside these realms you most likely won’t need to worry too much about the NDB scheme.

Nonetheless, SBOs should put an action plan in place to safeguard their customers’ data and plan to minimise impact should a breach take place.

Should a data breach occur, organisations should take action immediately to attempt to lessen the impact of a breach.

For example, stop the unauthorised practice, recover the records, or shut down the system that was breached. If it is not practical to shut down the system, or if it would result in loss of evidence, then revoke or change computer access privileges or address weaknesses in physical or electronic security.

Data breach action plan

Step 1: Contain the data breach to prevent any further compromise of personal information.

Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.

Step 3: Notify individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify.

Step 4: Review the incident and consider what actions can be taken to prevent future breaches.

You can find out more about the NDB scheme here.

Previous article
Next article
Via Topics
Cec Busby

Cec Busby is a digital media professional with over twenty years experience. She is the editor of Kochies Business Builders and a fan of startups and small business.

Latest News

Business Unicorn dehorned: Nasdaq-listed Brisbane EV charging venture Tritium collapses into receivership
- April 19, 2024
Uber, crash Opinion The lessons from Uber, Ola and rideshare’s disruption is that in the end, the consumer still pays
- April 19, 2024
Samantha Wong People Phoebe Harrop steps up to Blackbird’s Kiwi boss as Samantha Wong returns to Aus
- April 19, 2024
Accelerator Build Club is launching an accelerator for AI founders to take on the US
- April 19, 2024
Events 3 panel sessions to vote for at SXSW Sydney
- April 18, 2024
Prep, Sean Miller and Mathieu Jamet Funding B2B food distribution marketplace Prep serves up $200,000 pre-Seed round
- April 18, 2024
Adelaide Accelerator _SOUTHSTART teamed up with the Adelaide Economic Development Agency to launch an accelerator for the SA capital’s startups
- April 18, 2024
Fiona Triaca and Kate O’Keeffe   Business Heatseeker is the startup you need to be a better founder and build faster
- April 18, 2024