How will the Notifiable Data Breaches (NDB) Scheme affect your business?
Having your business information compromised, lost or stolen by an external party or even a disgruntled employee can be awkward. Your clients trust you with their information and you need to take all reasonable measures to protect it. But when the worst happens, what should you do? Should you avoid losing your clients’ confidence and attempt to keep it quiet?
Amendments to the Privacy Act, referred to as the ‘Notifiable Data Breaches (NDB) Scheme’, commenced on Thursday 22 February 2018 and mean this decision is now easy for the businesses to which the changes apply.
Does the NDB apply to my business?
Most commonly, the businesses affected will be those with a turnover exceeding $3 million per annum or those that provide a health service. Employee associations, credit reporting agencies, Government departments and any business that has ‘opted in’ to the Act (regardless of turnover) are also affected. Notably, any real estate agency that operates a tenancy database also needs to comply, both with the NDB Scheme and with all of the Australian Privacy Principles.
What is a ‘data breach’?
A data breach occurs when there is unauthorised access to, unauthorised disclosure of, or loss of your clients’ ‘personal information’ (including contact details, medical records, dates of birth and account details) which a reasonable person would conclude is likely to result in serious harm to the client. The scheme also applies where you have reasonable grounds to suspect there has been a breach, even if you don’t yet have proof: you must then assess the suspected breach promptly.
‘Serious harm’ is not defined in the Act, but is likely to include serious physical, psychological, emotional, financial or reputational harm. Ultimately this is a judgement call, taking into account factors such as the kind and sensitivity of the information, whether it was protected (for example, by encryption that the unauthorised party cannot defeat), who obtained it and the likelihood of damage being caused. We recommend that you seek legal advice regarding any breach, so that we can assist you with assessing whether ‘serious harm’ is likely.
Some examples could include:
- An employee losing a business mobile phone that contains client contact details
- An email containing client details being sent to the incorrect recipient
- A disgruntled employee in a medical clinic taking client medical files on a USB drive
What do I have to do?
First and foremost, your business should attempt to take immediate remedial action. Considering the examples above, some actions that could be taken are:
- Instructing your IT personnel to remotely wipe all data from a lost device (this only works if the device was enrolled in device management beforehand and comes back online, so it should be set up before any loss occurs)
- Contacting the incorrect recipient of the email, requesting immediate deletion of all copies and obtaining written confirmation that this has been done (provided you believe the recipient to be trustworthy in this regard)
- Seeking legal advice regarding the appropriate action to take against the employee (noting you will likely still need to notify – see below)
If the remedial action means a reasonable person would conclude that serious harm is no longer likely, no further action is required. Unless you can be confident of this, however, you must notify the affected clients, advise them of any steps they should take, and notify the Australian Information Commissioner using the prescribed form, as soon as practicable after becoming aware of the breach.
What if I don’t take these steps?
The Commissioner can compel you to take the required action and can also apply to the courts for penalties of up to $420,000 (for an individual; the maximum for a body corporate is five times that amount).
More importantly, your reputation could be fatally damaged if news of the breach, and your subsequent inaction, gets out.
Prevention is better than cure! Do you want to take steps to safeguard your business’s data integrity?
For a fixed price of $770.00, Enterprise Legal will:
- Review or prepare a Data Breach Procedures Policy
- Give you general advice on other steps your business can take to minimise the chances of data breaches occurring