New rules around mandatory reporting of serious data breaches have come into effect as of 22 February 2018.
Through the Notifiable Data Breaches Scheme, the Australian Government is setting new standards of accountability and transparency to protect individuals’ personal information.
Entities subject to the Privacy Act 1988 – including most Australian Government agencies, businesses with an annual turnover of more than $3 million, and specific categories of smaller businesses, such as health providers – are now required to notify individuals if their personal data has been involved in a serious breach.
Under the scheme, individuals may be fined up to $420,000 for non-compliance, and corporations up to $2.1 million.
Data breaches that might increase the risk of serious harm include the release of sensitive information about an individual’s health, Medicare card information, driver’s licences, passport details, or financial information.
Attorney-General Christian Porter said the new scheme sent a clear message that the Government was taking the security of personal information seriously.
“This means that Australians will know if their personal information has been breached and will be empowered to protect themselves, by being able to act quickly to minimise damage,” Mr Porter said.
Federal Minister for Law Enforcement and Cyber Security Angus Taylor said not knowing how to protect client or customer data was becoming a poor excuse.
“There is a lot of information now available on cyber security. The onus is with business operators, with organisations and with government agencies, to put measures in place to reduce the risk of data breaches,” Mr Taylor said.
The Australian Information Commissioner, Timothy Pilgrim, said, “The Notifiable Data Breaches scheme formalises a long-standing community expectation to be told when a data breach that is likely to cause serious harm occurs.
“The practical benefit of the scheme is that it gives individuals the chance to reduce their risk of harm, such as by re-securing compromised online accounts. The scheme also has a broader beneficial impact — it reinforces organisations’ accountability for personal information protection and encourages a higher standard of personal information security across the public and private sectors.
“By reinforcing accountability for personal information protection, the NDB scheme supports greater consumer and community trust in data management. This trust is key to realising the potential of data to benefit the community, for example, by informing better policy-making and the development of products and services.”
The 2017 Australian Community Attitudes to Privacy Survey found that 94 per cent of Australians believe they should be told if a business loses their personal information, and 95 per cent said they should be told if a government agency loses their personal information.
The OAIC’s new resources for the Australian public can be read online: www.oaic.gov.au/individuals/data-breach-guidance.