Notifiable Data Breach Scheme

What is the Notifiable Data Breach Scheme?

Amendments to the Commonwealth Privacy Act 1988 late last year included the requirement for Australian Government agencies (and other organisations that collect information covered by the Privacy Act) to: 

• assess the security around the personal information they capture for possible breaches and 
• notify both the people concerned and the Australian Information Commissioner if a breach has occurred that is likely to result in serious harm.

The Notifiable Data Breaches (NDB) Scheme requires that:

• the breach qualifies as an eligible data breach under the NDB scheme
• individuals concerned are notified that their personal information has been involved in a data breach that is likely to result in serious harm
• the Australian Information Commissioner is advised of the breach.

Some examples of a breach include the loss or theft of a device containing individual’s personal details; a database containing personal information is hacked; or records containing personal information are mistakenly provided to the wrong person. The main criteria for the situation being classified as a Notifiable Data Breach is unauthorised access, remedial action has been unable to minimise risk, and the access would be likely to result in serious harm to the individuals affected.

The Notifiable Data Breach Scheme came into effect on 22 February 2018 with the first notification of a breach occurring in March. The Shipping company Svizter Australia revealed a data breach that saw the personal information of half of its employees leaked outside the company 

For more information about the NDBS please refer to the Office of the Australian Information Commissioner.

What impact does this have on Victorian Government agencies?

Victorian Government agencies are primarily affected if they capture information governed by the Commonwealth Privacy Act 1988, which would mainly be tax file number (TFN) information. The Office of the Victorian Information Commissioner has advice about how the NDB Scheme may affect Victorian agencies and what to do if an agency suspects they have a data breach.

For further information, see the Office of the Victorian Information Commissioner guidance: Notifiable Data Breaches Scheme under the Privacy Act 1988: Obligations for Victorian public sector organisations. 

What can agencies do to minimise risk?

In summary:

1. Know what data is considered eligible under the NDB Scheme and what systems this data is captured in or managed by
2. Manage systems in accordance with Standards designed to prevent unauthorised access and protect the integrity of the records
3. Dispose of records once their retention period has concluded
4. Regularly assess systems for risk associated with unauthorised access or loss of integrity and mitigate risks identified

The IM3 tool can assist agencies by helping to identify gaps in knowledge about systems and what areas may need to be strengthened to prevent risk of a breach occurring. Ensure that systems used to manage or capture records are in line with the Victorian Electronic Records Strategy (VERS) and relevant Recordkeeping Standards. This will assist with preventing unauthorised access and should be part of a compliance audit program that regularly identifies and mitigates risk associated with unauthorised access and loss of record integrity.

Retention periods for records containing TFN will vary depending on the reason the information was obtained (see Retention and Disposal Authorities). As with any personal information collected, TFNs should only be collected when absolutely necessary and only for as long as needed. Knowing what records are within which systems and the level of information they contain can assist with determining whether a breach has placed personal information at risk.