Notifiable Data Breaches (NDB) scheme came into force 22 February 2018

Why you should know:

Today’s marketing communications efforts collect a lot of customer information or data. Therefore, it is important to be aware of the laws that apply.

What you should know:

1. The NDB scheme pertains to the Privacy Act 1988 (Cth) (Privacy Act)
2. The NDB scheme mandates that Australian Government agencies and the various organisations with obligations to secure personal information notify individuals affected by data breaches that are likely to result in serious harm.
3. The NDB scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.
4. Organisations are required to notify the Australian Information Commissioner in addition to notifying individuals affected by an ‘eligible data breach’ (a data breach that is likely to result in serious harm). Failures to comply with the NDB scheme can attract fines up to $2.1 million.
5. Generally, SBOs (Small Business Owners) do not have obligations under the APPs (Australian Privacy Principals) unless an exception applies such as:a. The SBO provides any health services
   b. The SBO is related to an APP entity
   c. The SBO trades in personal information
   d. Credit reporting bodies

More information: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme