Copyright © 2024 | Magnetic Alliance Cyber Pty Ltd | Designed by Magnetic Alliance
What is a notifiable data breach?
In today’s digitally connected world, cyber security is more critical than ever. One vital aspect of cyber security that has garnered attention in Australia is the Notifiable Data Breach (NDB) scheme. Under the Privacy Act 1988, certain Australian agencies and organisations are required to notify affected individuals and the Australian Information Commissioner if a data breach likely to result in serious harm occurs. This provision aims to bolster cyber security by ensuring individuals are informed and can take protective measures, such as changing passwords or monitoring financial accounts. In this blog, we’ll delve into the nuances of the NDB scheme and explore its vital role in strengthening the cyber security landscape in Australia.
What does the Australian Government classify as a data breach?
A data breach, as defined under the Notifiable Data Breach (NDB) scheme in Australia, occurs when unauthorised access to or disclosure of personal information is made, or when there is a loss of personal information that an entity holds. A breach becomes eligible for notification if it is likely to result in serious harm to the individuals affected, considering factors like the sensitivity of the information, the nature of the harm, the kind of information, and the security measures in place. Serious harm can encompass a broad range of consequences, including physical, psychological, emotional, financial, or reputational harm, and not all data breaches require notification, such as when quick remediation prevents the likelihood of serious harm. Examples include:
Does my business need to legally report a data breach?
Jam Cyber highly recommends business owners seek legal advice to determine their full obligations in the event of a cyber attack.
Under the Notifiable Data Breaches (NDB) scheme, various Australian entities must report eligible data breaches. These entities include:
Small business operators generally don’t have legal obligations unless they meet specific criteria, such as holding health information or trading in personal information. Certain activities can also require smaller businesses to be compliant with the NDB scheme.
Entities that have only security obligations under the Privacy Act must notify breaches affecting the information within the scope of those obligations. APP entities, including businesses with over $3 million turnover and specific smaller businesses, are also subject to the scheme.
Credit providers, credit reporting bodies, and TFN recipients are also obliged under the scheme. Some private sector employers are exempt, but it is advised to notify affected individuals if a breach is likely to result in serious harm. Further details and exemptions can be found in the Australian Privacy Principles and the legal documents governing specific cases.
Even if your business is not legally required to notify of a data breach, you should consider ethical requirements and how the breach may impact your customers or employees.
My business is an ‘eligible entity’: what do I need to do?
It is now vital for all Australian businesses to protect themselves against cyber attacks. This requirement is heightened for entities which have legal obligations under the NDB Act. The best way to protect your business is by implementing a cyber security framework.
A robust defence against cyber attacks necessitates more than just technology; it requires comprehensive policies, procedures, employee training, and a cohesive cyber security framework. These elements work together to create an informed and vigilant environment where potential threats are understood and properly managed, strengthening the overall resilience of the system.
Should your business experience an attack, and you are eligible under the NDB scheme, you will be required to notify the individuals at risk of serious harm as well as the Commissioner. The notification to the Commissioner must include a statement with details of the breach, such as the identity and contact details of the notifying entity, a description of the data breach, the kind of information concerned, and recommendations for individuals to minimise the impact. Voluntary additional information can be provided to the Commissioner to further explain the circumstances of the breach.
Notifying the Commissioner
Businesses can notify the Commissioner online. Go to: https://www.oaic.gov.au/privacy/notifiable-data-breaches/report-a-data-breach and follow the instructions.
Notifying individuals
When notifying individuals about an eligible data breach, entities have three options depending on what’s practicable:
Entities must decide which option to follow as soon as practicable after forming the belief that there has been a data breach, and must consider factors like cost, time, effort, and the likelihood of serious harm. The notification must include specific details about the breach and recommendations for individuals to respond.
How do I write a data breach notification?
The Jam Cyber Security Framework provides specialised tools for organisations, including a specific template for notifiable data breaches. This template is designed to assist in the clear and compliant notification process, ensuring that both individuals at risk and relevant authorities are informed according to the act’s requirements.
Alternatively, organisations can review the information on the Australian Government website: Data breach preparation and response | OAIC.