Mandatory notifiable data breach laws – what do they mean for you?
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches (NDB) scheme in Australia.
This new law will apply to all entities that are currently subject to the Australian Privacy Principles under the Privacy Act 1988 (Cth) (e.g. many Australian Government agencies and private sector organisations with an annual turnover of more than $3 million). It will also apply to certain credit providers, credit reporting bodies, and holders of tax file number information. Therefore, it will apply to Queensland government agencies and small businesses should they have a data breach involving the loss of tax file numbers.
The NDB scheme will strengthen the protection of personal information, and will improve accountability and transparency in the way that organisations respond to serious data breaches, which will support consumer and community confidence that personal information is being respected and protected. It also gives individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.
The NDB scheme will commence on 22 February 2018. It will only apply to eligible data breaches that occur on or after this date.
Whilst the NDB scheme is outside the Office of the Information Commissioner (OIC) Queensland's jurisdiction, we are encouraging all affected organisations and agencies to review their privacy and data security policies to ensure that, when handling sensitive information, they are doing so responsibly. For more information and resources on notifiable data breaches, visit the Office of the Australian Information Commissioner's website.