Notifiable Data Breaches – New Legislation
Commencing in February this year, changes to the federal Privacy Act made it compulsory for organisations to notify specific types of data breaches (Notifiable Data Breaches or NDBs), to individuals affected by the breach, and to the Office of the Australian Information Commissioner (OAIC).
A data breach occurs where “personal information held by an agency or organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference”. The new requirement applies to all private organisations, unless they have a revenue of less than $3 million. Not all data breaches will be NDBs. An NDB is defined as a breach that is likely to result in serious harm to any of the individuals to whom the information relates. Serious harm could include: serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation.
To ensure that data breaches are identified and dealt with as required by the Privacy Act’s NDB scheme, organisations will need to have procedures in place which are known and understood by employees, and integrated into their existing documented Privacy Program. A key element of this is the development of a data breach response plan so that employees understand their roles and responsibilities should a notifiable breach occur.
SchoolPRO’s parent company, the Education Horizons Group (EHG), has invested significant resources to ensure we are well prepared and that clients have sound reassurance (supported by procedural documentation) of compliance and proactive and collaborative responses, in the event of a suspected breach.
You can request copies of our Data Breach Assistance Plan and Data Breach Response Plans by contacting firstname.lastname@example.org.
Given the significant changes to the Privacy Act, we strongly recommend schools review their existing security setup (including encryption) and user permissions in SchoolPRO so that they can take measures to prevent unauthorised access to the system. If further assistance is required in this space, please contact Gary Stoneham at email@example.com or 0438 188 132.