The Notifiable Data Breaches (NDB) scheme went into effect on February 22, 2018. It requires agencies and organizations in Australia that are covered by the Privacy Act to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of the breach. The notification must include recommendations about the steps individuals should take in response to the breach.
The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches. The Office of the Australian Information Commissioner provides an online form for notifying the Commissioner.
When a breach occurs, the organization must conduct a quick assessment of the suspected data breach to determine whether it is likely to result in serious harm to any affected individual and therefore requires notification. ‘Serious harm’ is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.
The first step in deciding whether an eligible data breach has occurred involves considering whether there has been a data breach, that is, unauthorized access to or unauthorized disclosure of personal information, or a loss of personal information (s 26WE(2)). The Privacy Act 1988 (Cth) (Privacy Act) does not define these terms. However, the Office of the Australian Information Commissioner provides some guidance through examples.