In a digital age, the passing of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches (NDB) scheme in Australia.

The NDB scheme requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify any individuals likely to be at risk of serious harm by a data breach.

This notice must include recommendations about the steps that individuals should take in response to the data breach. The Australian Information Commissioner (Commissioner) must also be notified.

Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.

What is a Notifiable Data Breach?

A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.

A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.

Examples of a data breach include when:

• a device containing customers’ personal information is lost or stolen
• a database containing personal information is hacked
• personal information is mistakenly provided to the wrong person.

When does it take effect?

The NDB scheme will commence on 22 February 2018. It only applies to eligible data breaches that occur on, or after, that date.

How can Australian businesses prepare?

The Australian Information Commissioner has recommended conducting an internal risk management audit for small businesses in Australia to identify any threats to privacy, client data, or personal/sensitive information. 

Additionally, underwriters are providing insurance policies to further mitigate against business risk that occurs as a result of a data breach or social engineering fraud.

If you would like further information on how you could assess or mitigate your clients information contact your GMD team member.