Diamond IT Blog

Mandatory Notifiable Data Breaches scheme

Written by Martin Thurgate | March 1, 2018

On the 22nd February the Australian Notifiable Data Breaches (NDB) scheme came into effect, which means you are now legally required to report any data breaches that occur within your business. To avoid your reputation being on the line, it is important to ensure your organisation is not open to a potential data breach that you may need to publicly announce...

Take steps now to ensure your business is not vulnerable to data breaches.

Revisit our tips on how to avoid data breaches in the first place and take the time to read more about the NDB Scheme and what will be required in the event of a data breach.

What is the mandatory Notifiable Data Breaches (NDB) scheme?

The Australian Notifiable Data Breaches (NDB) scheme makes it compulsory for businesses and government agencies to notify the Privacy Commissioner and affected customers if they have experienced a data breach.

Why has this passed now?

With advances in technology, businesses are increasingly holding larger amounts of personal information online, raising the risk of security breaches around personal customer information that could be “hacked” and used for identity theft and identity fraud.

An immediate notification to customers by an organisation that suffers a data breach will allow individuals whose personal information has been compromised to take immediate steps to lessen the impact of the breach. For example, the individual may wish to change passwords or take other steps to protect his or her personal information.

How to avoid data breaches in the first place...

Security is a fundamental part of Diamond’s unique and effective Managed IT Services. Our Technology Optimisation process was created with the purpose of aligning our customers’ technical environments to industry best practice on an ongoing, proactive basis.

Within the IT industry, best practice is fluid and constantly changing – new operating systems, new technologies and new threats all affect these standards. Better technical alignment to industry best practice can reduce the impact and risk of growing threats such as ransomware and data breaches.

Take our quick Online Security Assessment to see how vulnerable your business may be…

When does the NDB scheme start?

The scheme came into effect on 22 February 2018.

What do I need to do?

Start taking steps now to ensure your business is not vulnerable to data breaches. This is an important time to assess your choice of IT provider and ensure they are providing the right service to protect your organisation. Alternatively, you can contact us for more information on our unique and proactive Managed IT Service, Technology Optimisation, to see if our businesses would be a good fit.

What is considered a data breach?

Under the Australian Notifiable Data Breaches (NDB) scheme, as in some other jurisdictions, notification is only required if the data breach meets a specified harm threshold.

Examples of when data breach notification may be required could include:

  • a malicious breach of the secure storage and handling of information (e.g. in a cyber security incident),
  • an accidental loss (most commonly of IT equipment or hard copy documents),
  • a negligent or improper disclosure of information, or otherwise,
  • where the incident satisfies the applicable harm threshold (if any).

What does this mean for your business?

The scheme applies only to government agencies and organisations governed by the Privacy Act, meaning that state government organisations and local councils, as well as organisations with an annual turnover of less than $3 million, fall outside the legislation.

However, some exceptions apply to organisations that fall outside this range, including child care centres, private schools and private sector health service providers. The legislation also applies to individuals who handle and store customers’ personal information online.

What do I report if my business is breached?

In the event of an eligible data breach, an entity is required to notify the Commissioner and affected individuals as soon as practicable after the entity becomes aware that there are reasonable grounds to believe that an eligible data breach has occurred (unless an exception applies).

The notification must include:

  • the identity and contact details of the entity,
  • a description of the serious data breach,
  • the kinds of information concerned, and
  • recommendations about the steps that individuals should take in response to the serious data breach.

What if there is a breach on my service provider that holds my data?

According to the Bill, if more than one entity jointly and simultaneously holds the same particular record of personal information, an eligible data breach of one entity may also be an eligible data breach of each of the other entities.

This situation could potentially arise in cases involving outsourcing, joint ventures or shared services arrangements. For example, if one entity stores personal information in an online platform provided by another entity, and both entities ‘hold’ the information, an eligible data breach involving the information could potentially be an eligible data breach of both entities.

What is the flow for the NDB scheme?

[Flow diagram for the NDB scheme not reproduced in this text.]

How can Diamond help?

Contact us today for more information on how we can work together with you to avoid data breaches through our industry recognised and award winning Managed IT Services. Call now on 1300 307 907 or use our online contact form below.