The Notifiable Data Breach (NDB) scheme, part of the Australian Privacy Act, came into effect on 22 February 2018.
As we know, the scheme applies to Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.
The scheme places an obligation on an entity to formally notify Government authorities and affected individuals when a serious breach of data (personal information) occurs in the workplace that is likely to result in serious harm to any individual affected – referred to as ‘eligible data breaches’.
A Quick Snapshot
A serious breach, as referred to by OAIC, is any that is ‘likely to result in serious harm to any of the individuals to whom the information relates’. That includes physical, psychological, emotional, financial or reputational harm.
If a serious data breach does occur, a business must:
1. Notify the individuals it may affect, including recommendations about the steps they can take in response to the breach (to avoid harm), and
2. Notify the Australian Information Commissioner of the breach. You can now do that here.
Both of these must take place within 30 days of the breach occurring.
This means businesses need to ensure their systems, policies and processes are adjusted, and that key staff are trained, in order to ensure compliance and avoid penalties and fines if a data breach occurs.
Any employer with staff who have access to large amounts of personal information (the recruitment sector, for example) needs to ensure they are prepared for the new laws and have the right systems in place so that a breach doesn’t affect their business.
Here’s what you need to know about the new NDB scheme and how to stay on top of the changes from today.
How To Protect Your Business
When it comes to privacy, it’s critical that systems are robustly maintained and staff are trained correctly. A breach of personal information is one thing, but a team that isn’t aware of the privacy laws and processes such as this one is another.
Some data breaches occur innocuously, through human error. A lack of understanding of what constitutes a privacy breach, and of what to do when a problem arises, are common organisational challenges.
Employers need to be aware of the new laws, update their processes accordingly, and ensure that all staff are trained to understand the new scheme and how to systematically report a breach.
WorkPro can assist with the base education component.
WorkPro’s Privacy Module
WorkPro offers a Privacy Module as part of our extensive course library. Available as part of any induction/e-learning subscription, the Privacy Module includes a definition of personal information, obligations to protect an individual’s information as a business, a summary of the Australian Privacy Principles (2014), information about collecting, storing, disclosing, accessing, and how to deal with complaints.
Authored by privacy specialist company Service Excellence Consulting, the module naturally now includes an overview of notifiable data breaches.
If you are a WorkPro customer, you have unfettered access to the module as part of your induction subscription, so we invite you to use the opportunity to provide a privacy refresher and information about the scheme.
If you don’t already use WorkPro, you can try our privacy module yourself for free right here.
Online inductions and privacy training made simple.