The Notifiable Data Breaches (NDB) scheme
You’ve probably heard about the Notifiable Data Breaches (NDB) scheme, which commenced on 22 February 2018. The scheme requires affected individuals and the Australian Information Commissioner to be notified in the event of certain data breaches. The requirements arise from obligations under the Privacy Act 1988 (Cth) and apply to Australian Privacy Principles (APP) entities, which include Australian Government agencies and private sector and not-for-profit organisations with an annual turnover of more than $3 million.
Phew, I’m not an APP entity! Did you know that the NDB scheme may also apply to you when it comes to credit provision and tax file numbers? The following extracts are from the Office of the Australian Information Commissioner (OAIC) Data Breach Preparation and Response guide:
The NDB scheme applies to all credit providers whether or not they are APP entities. The section of the Privacy Act under which a credit provider is required to comply with the scheme will depend on what kind of information is involved in the data breach.
Tax File Number (TFN) recipients
The NDB scheme applies to TFN recipients in relation to their handling of TFN information. A TFN recipient is any person who is in possession or control of a record that contains TFN information … In certain circumstances, entities that are not otherwise covered by the Privacy Act, such as state and local government bodies, may also be authorised to receive TFN information and will be considered TFN recipients. The NDB scheme applies to TFN recipients to the extent that TFN information is involved in a data breach.
Remember, you don’t have to report everything. The scheme only requires reporting of data breaches involving personal information that are likely to result in serious harm to any affected individual.
Need to know more? The full guide (https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response), prepared to assist Australian Government agencies and private sector organisations (entities), steps you through preparing a data breach response plan, assessing and responding to a data breach, and the notification process. The guide provides practical advice and examples to help you proactively manage the personal information in your care, strengthen your data management and better mitigate the risks of a data breach.
Author Peta Sweeney | Councillor Queensland Branch