Governments the world over have been busy releasing data privacy legislation. The European Union has the GDPR, the UK has its own GDPR, California has the CCPA and CCRA, and now Australia has the Notifiable Data Breaches Scheme (NDB).
What is The NDB Scheme?
So, what’s the NDB legislation and what does it mean?
In short, the NDB means that you have to notify the affected parties of an eligible data breach.
Who gets notified with NDB Privacy Act?
The individuals affected, and the Office of the Australian Information Commissioner (OAIC).
Does the NDB Privacy Act apply to me?
The short answer: Most likely.
The NDB generally applies to every business, with some exceptions for small businesses. The OAIC provides further information on rights and responsibilities, and on which acts and practices are covered by the Privacy Act.
What’s a data breach?
A data breach is when personal information held by an organisation is leaked, lost, or accessed without permission.
Losing a laptop containing personal information, accidentally emailing personal information to the wrong recipient, or having a computer system that holds personal information hacked are all examples.
Personal information is any information that could reasonably identify an individual in the circumstances (this includes facts and opinions).
The clearer examples are client, prospect, and employee records, photographs, and media. Other examples are location data, biometrics, and IP addresses.
What makes an NDB eligible data breach?
An eligible data breach occurs when a data breach is likely to result in serious harm to one or more individuals, and the likely risk of serious harm has not been prevented by remedial action.
Eligible data breaches have to be reported to the OAIC through its website.
2021 Developments and Managed Service Implications
The OAIC published a report at the end of January 2021, covering data breaches for the second half of 2020.
Notably, it reveals that the OAIC considers a breach of a customer of an MSP to be a breach of the MSP, and vice versa.
Given this, the OAIC considers it sufficient for one party to meet the reporting requirements, but it will consider all parties to have failed the reporting requirements if no one reports the breach.
The OAIC's suggested steps include writing provisions for the reporting requirements into the provider agreements.
Additionally, the general suggestion is that notification to individuals should come from the organisation with the most direct relationship with the individuals affected.
Preventing serious harm from a data breach
So far we’ve outlined the reporting requirements in the event of a breach.
However, the OAIC relaxes the reporting requirements if you take remedial action that prevents the risk of serious harm.
If you have taken steps that prevent harm from a data breach, then you can avoid the need to notify.
For example, while losing a mobile device could be a notifiable breach event, you could address this by ensuring the device is fully encrypted and by remotely deleting the data if the device is lost.
The OAIC provides additional details and examples on their website.
How to keep your database safe
We put together these 5 Cyber Security Tips to help you keep your company's and your customers' data safe. At the end of the day, it all comes down to preparing ahead of time to ensure that your systems are secure. You don't want to be breached, so take all the safety measures beforehand. Don't be one of those companies that has to learn the hard way. Most breaches are avoidable; you just have to do the work and keep security top of mind. Even if you are breached, if you have taken the actions that prevent the risk of harm, then your customers' data is safe and your NDB obligations are relaxed.
DISCLAIMER: nothing presented above should be taken as legal advice. This article is written based upon the public advice of the Office of the Australian Information Commissioner.