The NDB scheme obliges Australian Government agencies and other bodies covered by the Privacy Act 1988 (Cth) to secure personal information and to notify individuals affected by data breaches that are likely to result in serious harm.
One new resource, titled Receiving data breach notifications, provides guidance on what to expect when a data breach notification is received, including how organisations might deliver notifications and when a privacy complaint can be made to the OAIC.
The other new resource, What to do after a data breach notification, details actions that can be taken to reduce the risk of harm after a data breach.
Australian Information Commissioner, Timothy Pilgrim, said, “The Notifiable Data Breaches scheme formalises a long-standing community expectation to be told when a data breach that is likely to cause serious harm occurs.
“The practical benefit of the scheme is that it gives individuals the chance to reduce their risk of harm, such as by re-securing compromised online accounts. The scheme also has a broader beneficial impact — it reinforces organisations’ accountability for personal information protection and encourages a higher standard of personal information security across the public and private sectors.
“By reinforcing accountability for personal information protection, the NDB scheme supports greater consumer and community trust in data management. This trust is key to realising the potential of data to benefit the community, for example, by informing better policy-making and the development of products and services.”
The 2017 Australian Community Attitudes to Privacy Survey found that 94% of Australians believe they should be told if a business loses their personal information. Ninety-five per cent said they should be told if a government agency loses their personal information.
Organisations are required to notify the Australian Information Commissioner in addition to notifying individuals affected by an "eligible data breach". Failure to comply can attract fines of up to $2.1 million.