In the first month under the new Notifiable Data Breach legislation, which came into effect on February 22, 2018, the Office of the Australian Information Commissioner (OAIC) received over 31 notifications of eligible breaches. That's over thirty breaches in thirty days. Under the new scheme, agencies and organisations in Australia must notify individuals whose personal information has been compromised by a data breach where that breach is likely to cause serious harm. This applies to all agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information, including Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients. Failure to comply with the new scheme could result in a fine of up to $2.1 million.
An eligible data breach is one involving unauthorised access to, loss of, or disclosure of personal information that may cause harm to the individual whose information has been compromised. Examples of eligible breaches include:
- The loss or theft of a device, such as a smartphone, containing an individual's personal information
- The hacking of a database that holds the personal information of users
- Personal information being mistakenly given to the wrong person or party
Eligible breaches also include cases where employees browse sensitive records without authorisation or any legitimate purpose. If there are reasonable grounds to believe that an eligible data breach has occurred, the organisation is obligated to notify the individuals at risk, as well as the OAIC, as quickly as it is able. The notification must include:
- Information relating to the identity and contact details of the organisation
- A description of the breach and the information concerned
- Recommendations about the steps an individual can take in response to the breach
If you are concerned about whether or not you fall under the new Notifiable Data Breach Scheme or are worried about what to do in the event of a breach, contact a MOQdigital consultant today. We can assist you with your assessment and preparation, and help ensure that you are compliant under new Australian regulations.