Data breach reporting: what exactly is it?
Effective as of 22 February 2018, the Notifiable Data Breaches (NDB) scheme applies to all agencies and organisations with existing personal information security obligations under the Privacy Act. This means you must report a ‘notifiable data breach’ to the Office of the Australian Information Commissioner (OAIC) and to the affected individuals in the event of a privacy data breach.
What is a notifiable data breach?
In simple terms, a breach is notifiable when it results in unauthorised access to, or disclosure of, personal information that is likely to result in ‘serious harm’ to an affected individual. So, if a privacy breach occurs, you need to identify the affected individuals and assess whether they are likely to suffer serious harm. Serious harm includes consequences such as identity theft or serious physical, emotional, financial or reputational harm.
When do you need to report?
You have 30 days to investigate and assess whether the identified privacy breach is notifiable. Once you have identified it as notifiable, you must report the breach to the OAIC as soon as possible and, of course, to the affected individuals.
If it is not notifiable, there is no need to report the breach. You can deal with it in accordance with your standard Breach Management Procedures.
What to do to prepare for this
To ensure you are ready for this new regime:
- Update your Privacy Procedures to include information on identifying and reporting privacy breaches; and
- Develop and implement a Data Breach Response Plan: document the action you will take in response to a privacy breach and the timeframes that apply to it.
Source: The Fold Legal & oaic.gov.au