The Mandatory Data Breach Notification scheme will commence by 23 February 2018.
Background
The OAIC has published draft resources on the Notifiable Data Breaches (NDB) scheme to assist organisations in understanding their compliance obligations under the scheme.
Under the scheme, organisations required to comply with the Privacy Act 1988 must notify individuals if their personal information is involved in an eligible data breach that is likely to result in serious harm. They must also notify the Australian Information Commissioner.
Currently, the Privacy Act does not impose an obligation on entities to notify the Commissioner or any individuals whose personal information has been compromised. However, APP 11 requires that agencies and organisations take reasonable steps to maintain the security of the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Other provisions in the Privacy Act create equivalent obligations in relation to credit reporting information, credit eligibility information and tax file number information.
The draft resources that have been published cover:
• Entities covered by the NDB scheme
• Notifying individuals about an eligible data breach
• Identifying eligible data breaches
• The Australian Information Commissioner’s role in the NDB scheme.
Under the NDB scheme, when a failure to notify an eligible data breach amounts to a serious or repeated interference with privacy, the Privacy Commissioner has the power to seek civil penalty orders of up to $420,000 (for individuals) and up to $2.1 million (for companies).
Because cybersecurity is a key part of compliance with APP 11, and a cybersecurity failure is the most likely cause of a data breach, it is worth looking at the Defence Department's Essential 8: eight practical actions organisations can take to make their computers more secure.