It is difficult to escape news relating to data breaches and company databases being hacked, as it seems like every other week there is another one. Whilst consumer law is in place to ensure that companies comply with data and privacy protection matters, in practice the law is not capable of stopping a determined hacker on the other side of the world from breaking in and stealing the personal data of a business’s customers.
For that, rigorous data protection and security are required. If your business does not yet have this in place, then our advice is that it needs to as soon as possible, so that you are complying with current privacy laws, especially the Privacy Act of 1998.
Notifiable Data Breaches Scheme
Many of the rules and regulations relating to data and privacy are overseen by the OAIC, the Office of the Australian Information Commissioner. Amongst its many duties is publishing reports relating to data breaches. These not only identify companies that have suffered data breaches but also help to show trends relating to data breaches, be they positive or negative.
One of the OAIC’s most significant publications is the Notifiable Data Breaches Report, which is a key component of the Notifiable Data Breaches Scheme (NDB). The NDB came into being in early 2018, and its primary function is to improve standards in relation to data and privacy protection so that consumers’ data is better protected.
A key component of the NDB is reporting, and in particular, under the scheme, a company or organisation has a duty to inform the OAIC and any individual who may be affected, if it suffers a data breach or has grounds to suspect that one has occurred.
Who Does The NDB Scheme Apply To?
There are several sectors within which the NDB applies, and it applies to specific entities as follows:
- Any Organisation Which Has An Annual Turnover Which Exceeds $3 Million
- Health Providers In The Private Sector
- Credit Reporting Organisations
- Credit Providers
- Any Organisation Which Legitimately Trades In Personal Information
- Any Organisation Which Is In Receipt Of Individuals’ Tax File Numbers
- All Australian Government Agencies
What Constitutes A Data Breach Under The NDB Scheme?
For an eligible data breach to be deemed to have occurred, the following three criteria must be met:
- Unauthorised access to data has occurred, or personal data held by the organisation/company has been lost.
- From a reasonable perspective, it is deemed likely that serious harm will occur to the individual(s) as a result. Note: ‘serious harm’ covers harm in these categories: financial, emotional, reputational, physical, or psychological.
- Remedial action by the organisation/company has been unable to prevent the risk of serious harm from arising.
Any affected organisation has a period of up to 30 days after any suspected data breach to assess whether it constitutes an eligible breach. If it does, then the organisation must contact both the Information Commissioner and every individual who may be affected by the breach.
OAIC Recommendations To Entities Covered By The NDB Scheme
One of the most concerning aspects of the research that the OAIC has done relating to data breaches is the increasing number that have occurred due to human error by those working within the entities covered by the scheme. As such, it has made several recommendations to reverse this trend:
- Prioritising training for staff in handling private data.
- Ensuring that password protection is robust by requiring longer and more complex passwords.
- Increasing staff awareness of the need to protect private information.
- Improving staff knowledge of security and data protection software and tools.
- Increasing the use of multi-factor authentication when logging on to systems from remote locations.
The OAIC also states that all organisations and companies covered by the NDB scheme should have response plans ready for use should a data breach be suspected.