At Quantum Partners we consider the protection of your client data and your personal information, including your TFN, a paramount responsibility.
We constantly monitor our computer and internal systems and our electronic communication with you to minimise any chance of your data being exposed, either deliberately by an outsider or accidentally by us.
Recent legislation, which applies to us and adds additional compliance obligations, response requirements and hefty penalties in the event of your data being compromised and not adequately dealt with, has led us to conduct another full review.
However, these new compliance measures may also apply to your business, and we encourage you to familiarise yourself with the Notifiable Data Breaches (NDB) scheme, especially if your business has an annual turnover above $3 million and/or has existing obligations under the Privacy Act 1988 (Act), including the Australian Privacy Principles (APPs), to protect personal information.
What is the NDB scheme?
The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.
The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches.
Agencies and organisations can lodge their statement about an eligible data breach to the Commissioner through the Notifiable Data Breach statement — Form.
Agencies and organisations must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm and, as a result, requires notification.
Who must comply with the NDB scheme
The NDB scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.
Which data breaches require notification
The NDB scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected. These are referred to as ‘eligible data breaches’. There are a few exceptions which may mean notification is not required for certain eligible data breaches.
Assessing suspected data breaches
Agencies and organisations that suspect an eligible data breach may have occurred must undertake a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm to any individual affected.
How to notify
When an agency or organisation has reasonable grounds to believe an eligible data breach has occurred, it is obligated to promptly notify individuals at likely risk of serious harm. The Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.
The notification to affected individuals and the Commissioner must include the following information:
- the identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned; and
- recommendations about the steps individuals should take in response to the data breach.
Securing personal information
The OAIC has a comprehensive Guide to securing personal information to assist you in implementing practices, processes, and systems to secure personal information. Regularly reviewing and updating your personal information security can reduce the risk of a data breach occurring.
Data breach response summary
The following diagram provides an overview of a typical data breach response, including the requirements of the NDB scheme. This diagram is a summary and for illustrative purposes only and should not be read as action required in all instances of a data breach.
What happens if you fail to act?
If you fail to notify, you face sanctions like public apologies and compensation payments up to $360,000 for individuals and $1.8 million for organisations. There is also the risk of reputational and associated commercial damage.
Importantly, the law seeks to protect businesses who are proactive and effective when dealing with data breaches.
What should you do?
APP Entities must be prepared for the mandatory data breach notification scheme. Whilst you can never eliminate risks completely, you should implement proper policies and procedures that will reduce the risk, such as:
- audit your current information security processes and procedures to ensure they are adequate;
- prepare a data breach response plan to enable you to respond quickly, efficiently and lawfully to an actual or suspected data breach;
- appoint a manager who is responsible for your security processes and procedures;
- organise your data depending on how valuable it is;
- encrypt your data;
- use strong passwords;
- implement a policy covering devices brought in by staff and visitors;
- keep an updated record of all the people and devices that have access to your network;
- audit all third-party vendors that have access to your network;
- have a working (and regularly tested) backup system;
- make sure your office and devices are physically secure;
- provide regular and meaningful education to staff on security; and
- conduct regular audit checks and test your security practices.
In Summary
The Act has made data breach reporting mandatory. Whilst the notification obligations do not appear to be unduly onerous, frequent notification of data breaches by an APP Entity may harm its reputation. Hence, it is extremely important you have proper policies and procedures in place to reduce the risk, and quickly respond to any breaches.