New Data Breach Legislation

The Notifiable Data Breaches Scheme (NDB) adds legislation to the privacy management framework, setting out the process that requires organisations covered by the Australian Privacy Act 1988 to notify individuals who are at risk of serious harm from a data breach.

Penalties, rectification and restitution can be levied against an organisation over a data breach.

Not all data breaches are notifiable. The legislation only requires organisations to report a breach when it is determined that the breach would most likely result in serious harm to the individual(s) to whom the information relates.

The Office of the Australian Information Commissioner (OAIC) opened comments, which ended August 2017, to engage the public in providing feedback for the draft legislation.

Shortly after the legislation was introduced to the House of Representatives in October 2016, the Australian Red Cross Blood Service (ARCBS) notified the OAIC about a serious data breach from their DonateBlood website.

After a lengthy 10-month investigation, it was found that a file containing the personal information of over 500,000 individuals who had signed up on the website had been publicly available on the web server, which was managed by a third-party provider.

The ARCBS was ultimately not found to be directly responsible for the breach, although it did contribute to it. The majority of the blame was levelled at the website provider, Precedent, which failed to protect the sensitive information and also fell short of the privacy legislation on a number of fronts: inadequate safeguards were put in place to restrict access, and no periodic auditing was performed.

The OAIC did comment that both ARCBS and Precedent were very cooperative and acted promptly and appropriately in response to the data breach and the subsequent investigation.

It is highly recommended that all organisations covered by the Privacy Act prepare for the NDB Scheme, which is set to commence on 22 February 2018.

The OAIC website has drafts of the scheme which highlight who must comply, how to identify data breaches, and other resources to help prepare for the commencement of the scheme.

Although the legislation is still in draft form at the time of writing, we recommend that doctors review the final scheme; assess and shore up any weak points in their organisation's handling and storage of information; train staff to handle information in a secure manner; monitor and audit all information transactions; and have a policy in place to deal with data breaches.

By Jerome Chiew