Mandatory Data Breach Notification Law
Notifiable Data Breaches scheme
The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018. The scheme mandates that organisations notify individuals affected by data breaches that are likely to result in serious harm.
Who does the law apply to?
The new law applies to all government agencies and organisations governed by the Privacy Act (e.g. private sector businesses and not-for-profit organisations with an annual turnover of more than $3 million). The Privacy Act also extends to some types of businesses with an annual turnover of less than $3 million. This includes businesses and individuals that:
- Handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records;
- Sell or purchase personal information, along with credit reporting bodies;
- Are related to a business that is covered by the Privacy Act.
The act also makes special reference to:
- Private sector health service providers, such as medical practitioners and pharmacists; alternative medicine practices, gyms and weight loss clinics also fall under this category;
- Childcare centres, private schools and private tertiary educational institutions.
What happens if I fail to act?
Those that fail to notify face sanctions such as public apologies and compensation payments of up to $360,000 for individuals and $1.8 million for organisations. Of course, there is also the risk of reputational and associated commercial damage to the business. The good news is that the law seeks to protect businesses that are proactive and effective when dealing with data breaches.
For further details, please call us on 1800 816 044.