Data breach laws come into effect this week

The Notifiable Data Breach (NDB) scheme coming into effect this week on February 22 (2018) and applies to breaches occurring on or after 23 February 2018.

It is imperative that insurance brokers are aware of the changes that are being implemented and how they impact their own as well as their clients’ businesses. They need to advise their clients that, businesses need to ensure they take adequate measures to prevent a data breach and be able to respond appropriately in the event of one.

All businesses and organisations should review their privacy and data security protocols to ensure that they will be able to comply with the NDB Scheme for Mandatory Data Breach Notifications when they come into force.

The main objective of the new laws is to ensure that an ‘eligible data breach’ which is defined as ‘unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity where the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

This information would include personal details, credit reporting information, credit eligibility information and tax file number information.

Serious harm could be anything that constitutes physical, psychological, emotional, financial or reputational harm.

What kinds of businesses does this scheme apply to?

The NDB scheme will apply to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3m or more, credit reporting bodies, health service providers and TFN recipients, among others.

It is important to remember that companies with a turnover below $3M will also  be affected if they: 

  • provide a health service and hold any health information (except in an employee record) including hospitals and medical practitioners as well as gyms, weight-loss agencies, child care centres and alternative medicine practices;
  • disclose personal information about another individual to anyone else for a benefit, service or advantage;
  • provide a benefit, service or advantage to collect personal information about another individual from anyone else;
  • are a contracted service provider for a Commonwealth contract;
  • are any credit reporting body; and
  • are related to a business that is covered by the Privacy Act i.e. a subsidiary of an organisation the fits one of the above criteria.Determining whether these exceptions apply can be difficult, and the Office of the Australian Information Commissioner has pushed for a broad interpretation of these categories.If a company fails to notify a data breach, then a civil penalty can be applied for serious or repeated interferences with the privacy of an individual, which can attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.For a comprehensive read of this topic along with inputs from experts in the industry, please read the full feature in the February issue of NIBA magazine, Insurance Adviser.