Notifiable Data Breach Scheme (NDB)
The Notifiable Data Breaches scheme came into effect on 22 February 2018.
The Notifiable Data Breaches (NDB) scheme applies to all organisations covered by the Australian Privacy Act 1988 and imposes an obligation to notify individuals affected by a data breach. The notification must do more than announce the breach: the organisation has to include recommended steps the affected individuals should take in response to protect their data.
The Australian Information Commissioner must also be notified of the breach. An organisation that fails to do so can face penalties of up to $1.8m.
The question then is: what is classified as a data breach? An eligible data breach arises when all three of the following criteria are satisfied:
- There is unauthorised access to, unauthorised disclosure of, or loss of personal information that an entity holds.
- This is likely to result in serious harm to one or more individuals.
- The entity has not been able to prevent the likely risk of serious harm with remedial action.
Serious harm is a point of some confusion, and most organisations are not fully familiar with the concept: it is specific to the data breach context and is not defined within the Privacy Act. In the context of a data breach, serious harm to an individual may include serious:
- Physical harm
- Psychological harm
- Emotional harm
- Financial harm
- Reputational harm
Only once a breach is assessed as likely to result in serious harm does an organisation need to report it, both to the individual or individuals who have been affected and to the Australian Information Commissioner.
For more information about the scheme, have a look at the presentation our GRC Practice Manager, Davis Pulikottil, delivered in his NDB masterclasses.
The presentation slides can be accessed here: Data Breach Compliance and Preparedness
For any information regarding the presentation or the scheme itself please contact Davis Pulikottil on [email protected] or on 0490 147 654.