
The Privacy Act Is Changing On 22 February 2018


Why is the law changing?

From 22 February 2018, amendments to the Privacy Act 1988 (Cth) take effect and introduce a mandatory notification procedure for data breaches. Until then, notifying individuals affected by a data breach is voluntary rather than required. The change responds to the growing threat to the security and privacy of personal information.

What are the changes?

The amended Act requires entities to notify both the affected individuals and the Australian Information Commissioner (OAIC) when an ‘Eligible Data Breach’ (EDB) occurs.

Who do the changes apply to?

The Notifiable Data Breaches (NDB) scheme applies to agencies and organisations that the Privacy Act already requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and tax file number (TFN) recipients.

What is an Eligible Data Breach?

The first step in deciding whether an eligible data breach has occurred is to consider whether there has been a data breach at all; that is, unauthorised access to, unauthorised disclosure of, or loss of personal information. The breach is an eligible data breach if a reasonable person would conclude it is likely to result in serious harm to any of the individuals concerned, and the entity has not been able to prevent that likely harm through remedial action. An entity that suspects an eligible data breach must complete its assessment within 30 days of becoming aware of the grounds for that suspicion.

Data breach response plan quick checklist

Information to be included (mark each item Yes/No and add comments):
What a data breach is and how staff can identify one
Clear escalation procedures and reporting lines for suspected data breaches
Members of the data breach response team, including roles, reporting lines and responsibilities
Details of any external expertise that should be engaged in particular circumstances
How the plan applies to different types of data breaches and risk profiles, including the remedial actions that may be available
An approach for conducting assessments
Processes that outline when and how individuals are notified
Circumstances in which law enforcement, regulators (such as the OAIC), or other entities may need to be contacted
Processes for responding to incidents that involve another entity
A record-keeping policy to ensure that breaches are documented
Requirements under agreements with third parties such as insurance policies or service agreements
A strategy for identifying and addressing any weaknesses in data handling that contributed to the breach
A schedule for regular review and testing of the plan
A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan