Personal data is collected every day by a wide range of businesses and organisations. Holding that data can be beneficial, for example by making information easier to access. However, a breach of that data can damage the reputation of the entity that holds it and cause real harm to the individuals it concerns.
The Privacy Act 1988 was amended by the Privacy Amendment (Notifiable Data Breaches) Act 2017 to introduce the Notifiable Data Breaches Scheme, which commenced on 22 February 2018. The Office of the Australian Information Commissioner (OAIC) oversees the Scheme. As a result, all entities with existing obligations under the Act must comply with the Scheme. Examples of these entities include:
Entities that fail to comply may be liable for significant civil penalties of up to $2.1 million.
For an eligible data breach to occur, the following must be satisfied:
OR the information is lost in circumstances where:
The term “serious harm” is not defined in the Act. The OAIC, however, has noted: “in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial or reputational harm”.
If an eligible data breach occurs, an entity must:
If you think your business may need to comply with the Scheme, visit the OAIC website for more information: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme.