In mid-February of 2017, the Australian Government passed the Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB). This act, effective as of 22 February 2018, establishes a mandatory data breach notification process at the national level. It amends the pre-existing Privacy Act 1988, so all organisations covered by that act also fall under the new NDB Amendment and must comply with its rules.
The NDB works to keep the privacy rights of Australians safe and helps them establish a relationship that is built on trust with their vendors. It legally requires government organisations and other entities covered by the Privacy Act that fall victim to a data breach to alert affected customers and the Office of the Australian Information Commissioner (OAIC) if the incident can result in potentially harmful consequences.
If an entity has reason to believe that it may have been breached, it is obliged to investigate the matter. Breaches include the loss of data, cyber attacks, and any form of unauthorised access to personal data. In the event that the entity is able to confirm the occurrence of a security incident, it must prepare a statement and submit it to the Privacy Commissioner as well as the affected individuals. The statement must contain details of the security incident, the type of data that was accessed, and ways customers can avoid suffering serious damage.
The amendment also limits the timeframe in which covered entities must assess suspected breaches to 30 days. However, if a data breach is too complex to be assessed within that limit, the period can be extended; in such cases the organisation must still complete its breach assessment within a reasonable time. This rule gives affected individuals the opportunity to quickly take the measures needed to minimise the damage that could result from unauthorised access to their personal data. Failure to alert the OAIC and the victims of the breach can incur fines of approximately $400,000 for individuals and just under $2 million for organisations.
According to the OAIC, it received 107 data breach notifications in the years 2015 and 2016. However, information on these security breaches was provided voluntarily, so the real number of incidents is almost certainly considerably higher. Significantly, the sector that topped this list was the Australian Government, followed by finance, health care providers, retail and online services.
Even though this amendment is a step forward in data security, it does not cover a large number of organisations, and there have been concerns about its low applicability thresholds. Its reach is limited because it does not extend to some government agencies or all local councils, nor to entities with a gross revenue of over $3 million annually. Additionally, if a breached organisation has taken corrective action in response to an incident and is able to mitigate the risks to its customers, it is not obliged to report it.