Notifiable Data Breaches scheme applies to businesses with an annual turnover of $3 million or more

On February 22, businesses and government agencies in Australia will be obliged to notify individuals whose personal information is involved in a data breach, following the introduction of the Notifiable Data Breaches (NDB) scheme.

The new legislation will make it mandatory for organizations to warn consumers and the Australian Information Commissioner of any breach likely to result in “serious harm” to those whose information has been compromised.

It will apply to Australian government agencies, businesses, and non-profit organizations with an annual turnover of A$3 million or more. Credit reporting bodies, health service providers, and private schools will also be subject to the new regulations.

Though largely exempt from the legislation, startups and small businesses will have to comply with the scheme if they fall into certain categories, such as those which provide health services or trade in personal information.

According to the Office of the Australian Information Commissioner (OAIC), an eligible data breach arises when there is unauthorized access to or unauthorized disclosure of personal information, and that the entity has “not been able to prevent the likely risk of serious harm with remedial action”.

Providing an outline of the notification process, the OAIC said: “Once an entity has reasonable grounds to believe there has been an eligible data breach, the entity must, as soon as practicable, make a decision about which individuals to notify, prepare a statement for the commissioner and notify individuals of the contents of this statement.”

The introduction of the NDB scheme follows the OAIC’s announcement that voluntary data breach disclosures were up 7% in fiscal 2017.

Of course, ‘voluntary’ is the key word here. Recent high-profile data breaches involving clients of Australian broadcaster ABC and more than 50,000 public sector employees have highlighted the ongoing threats presented by hackers and sloppy corporate practices.

While the number of breach notifications seen in 2016-17 will no doubt increase following the introduction of the mandatory disclosure laws, it is hoped that the NDB scheme will compel organizations that have been trusted with consumer data to tighten their own cybersecurity policies, while helping reduce the damage that can be caused by leaving impacted individuals in the dark.

In an increasingly connected world, Australia’s Information and Privacy Commissioner, Timothy Pilgrim, said online transparency is key to building trust among consumers.

“We learned that 83% of Australians think that online environments are inherently more risky than offline, and 69% of Australians said they are more concerned about their online privacy than they were five years ago,” Pilgrim said in OAIC’s 2016-17 Annual Report.

“These findings reinforce the view that a successful data-driven economy needs a strong foundation in privacy. That message is now as vital to the public sector as to private, as the Commonwealth seeks to build community trust for the future success of data, cyber, and innovation agendas.”