Effective from 22nd February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017, establishes the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme establishes the requirements for entities in responding to data breaches.
The NDB scheme applies to:
- TFN recipients (which will include all Registered Tax Agents, financial planners, and finance brokers).
- Businesses and not-for-profit organisations with an annual turnover of $3 million or more.
- Australian Government agencies.
- Credit reporting bodies.
- Health service providers.
Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach. Both the Australian Information Commissioner (Commissioner) and the individuals concerned must be notified of the following information:
- The identity and contact details of the organisation.
- A description of the data breach.
- The kinds of information concerned.
- Recommendations about the steps individuals should take in response to the data breach.
Entities that suspect an eligible data breach may have occurred must undertake a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm to any individual affected. Any time a data breach involves an individual’s TFN or bank details, the breach is serious and needs to be reported.