The new Notifiable Data Breaches (NDB) scheme kicks in on the 22nd February 2018 which places new reporting obligations for when a data breach is likely to result in serious harm to any individual whose personal information is involved in a breach.
So you might not be Ashley Madison and holding the sensitive information of 36 million people looking to have an affair, but travel agents and tour operators may hold sensitive personal information such as passport information, financial information or medical/health information.
Generally, businesses with an annual turnover of $3 million or more. Small business operators with an annual turnover of less than $3 million generally do not have obligations unless an exception applies. AFTA recommends however that it is best practice for all businesses to comply with the Australian Privacy Principles (APP) and the NDB scheme.
An eligible data breach arises when the following three criteria are satisfied:
‘Serious harm’ is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
STEPS to take:
The Office of the Australian Information Commissioner conducted a webinar that is available for viewing on their website or download their flowchart for a great summary of what to do if a breach occurs and when below.
Want to know more? Contact Naomi Menon – AFTA Head of Compliance and Operations via email at naomi@afta.com.au