It is 2024 – the majority of our contact with stakeholders, or even staff, is increasingly shifting online, and the importance of protecting personal information has been brought to light by what recently happened at Medicare and Optus. “Data privacy” and “breaches” are words that are new to our vocabulary – should we really care? And what is the whole deal with notification requirements?

Well, the Notifiable Data Breach (NDB) scheme is a part of the Privacy Act 1988 (Cth) which requires businesses to report data breaches that are likely to result in ‘serious harm’. While the legal jargon can get a bit confusing (even for us!), here is a simple guide to understand your legal obligations when it comes to data breaches. As a special addition to this post, we have included steps your business can take towards compliance in this area.

Legal Obligations

Under this scheme, anyone covered by the Privacy Act has an obligation to promptly notify “affected individuals” and the Office of the Australian Information Commissioner (OAIC) when a data breach occurs. A data breach is defined as “unauthorised access, disclosure, or loss of personal information”.

Your business may be required, by law, to do as follows:

  1. Assessment: Within 30 days, businesses must assess whether a breach is likely to result in “serious harm” to any individual affected.
  2. Notification: If it is determined that the breach is indeed likely to cause serious harm, the business must promptly notify both the affected individuals and the OAIC, including:
    • The identity and contact details of the entity;
    • A description of the breach;
    • The kind of information involved;
    • Recommended steps to mitigate harm.


Steps for Compliance

Ensuring compliance with the NDB scheme can be tricky and involved. The following steps will help:

  1. Develop a Data Breach Response Plan: Having a detailed plan in place allows your business to respond promptly and efficiently to a data breach. Arro can assist you with identifying your staff’s roles and responsibilities, your business’s procedures for containment and assessment, and notification processes.
  2. Implement Cyber Security Measures: Cyber security and privacy go hand in hand. Protect personal information by implementing strong security measures: use encryption and multi-factor authentication, and monitor systems to ensure they are current and up to date.
  3. Ongoing Training: It is vital to ensure that your staff know about the importance of data privacy and the business’s procedures to follow in case of an unfortunate breach – regular refresher training can help keep everyone up to date in this fast-moving area.
  4. Conduct an Audit: Arro can assist in conducting a “Privacy Health Check-Up”, a bi-annual audit of your data protection practices to ensure they comply with the latest requirements of the ever-changing Privacy Act. We will identify any vulnerabilities and suggest actions to mitigate them.

The NDB scheme may be a minefield to navigate, but it is an essential part of ensuring data privacy and security for your business. By helping you understand your obligations under the law and putting robust compliance solutions in place, Arro can assist your business in proactively managing any potential data breaches and protecting personal information.

83% of Australians have said that they would like the government to “do more” to ensure their data is kept private. It is no secret that public perception is vital to a business. Look at the case of Optus: it is clear that a business’s privacy practices affect the public’s level of trust in the brand itself. Are you willing to take the risk?