On February 22, the Notifiable Data Breaches scheme (NDB) came into effect in Australia. This amendment to the Privacy Act 1988 requires relevant organisations to adequately investigate suspected data breaches and disclose these to the connected parties.
Whether you're renting or selling a mailing list, you'll be accessing or controlling a significant amount of personal data about a range of Australians. Should this information somehow end up in unauthorised hands, a privacy breach is created which may need to be reported to authorities.
Here, we break down all you need to know about the NDB.
Who does the NDB apply to?
As a part of the Privacy Act, the NDB applies to all organisations who are covered by the Act. This includes:
- Australian government agencies,
- Businesses or NGOs with an annual turnover greater than $3 million,
- Private sector health service providers,
- Small businesses trading personal information,
- Tax file number (TFN) recipients, only with regards to TFN information,
- Those holding personal information related to contractual work.
A huge range of companies in Australia are covered by these qualifiers, from enterprises to small businesses.
What kind of data breach is eligible under the NDB?
Not all data breaches are covered by the NDB. The following three criteria must be met for NDB action to be required:
- Unauthorised access to or disclosure of personal information, or loss of such, that is held by an eligible entity has occurred,
- The breach has the potential to cause serious harm to one or more individuals, and
- Remedial action taken to reduce the risk of harm has been unsuccessful.
Serious harm can be psychological, financial, reputational, emotional, physical or otherwise and requires an assessment of the context of the breach to be determined.
Remedial action could mean, for example, remotely wiping a smart phone with sensitive information on it when the phone has been lost.
What do I need to do if an eligible breach has occurred?
If a breach is believed to exist, the relevant data protection officer in your company is required to conduct an assessment within 30 days of the suspicion arising. This assessment should determine what personal information is affected, who may have had access to it and what the potential impacts are. If the breach is determined to be eligible, it must be reported as soon as practicable.
All people likely to be put at risk by the data breach must be notified. This may take the form of direct notice to everyone whose data has been accessed, direct notice only to those believed to be at risk of serious harm, or a public notice of the breach aimed at bringing it to the attention of the relevant people.
You must also complete the Office of the Australian Information Commissioner's NDB form to notify authorities.
Most importantly, understand that this information should not be considered legal advice. If you suspect a breach in your company, you must turn to expert legal counsel for guidance.
When trading contact details, it's important that privacy and security are well-respected. For professional handling of your mailing lists, talk to the Prospect Shop today.