Notifiable Data Breach Scheme Legal Requirements

In accordance with Article 26WL, the Company must then make this declaration available to the persons concerned. The data subjects that an APP entity is required to notify depend on a number of circumstances described in Section 26WL of the Data Protection Act. This section also contains requirements on how individuals are notified and that this must be done “as soon as practicable” after reporting. Looking ahead: The anniversary of the launch of the system provides a useful opportunity for companies that retain personal data to: (i) reflect on how best to respond to data breaches, given the OAIC`s approach; (ii) verify their management of such information; and (iii) ensure that their management is in line with best practices. Section 3 – Notification of Permitted Data Breaches Significant Harm – requires a case-by-case assessment of each data breach. Factors to consider in determining whether significant harm has been caused include: Your reputation as a good steward of stakeholder and customer data is now at stake. It`s more important than ever to ensure that not only your IT staff, but all employees have the skills to minimize data breaches and properly handle breach incidents. 4. Where the entity has reasonable grounds to believe that the access, disclosure or loss that constitutes the data breach authorised by the Company constitutes a lawful data breach by one or more other entities, the statement referred to in point (a)(i) of paragraph 2 may also include the identity and contact details of those other entities. Understanding whether your data breach is actually a legitimate data breach is crucial in determining what your legal obligations are in the event of a data breach.

Retention periods for records containing NTPs vary depending on the purpose for which the information was collected (see Storage and Disposal Authorizations). As with all personal data collected, TFNs should only be collected when strictly necessary and for as long as necessary. Knowing which records are in which systems and what information they contain can help determine whether a breach has compromised personal data. Individuals who are notified must include recommendations on what to do in response to the data breach. You must notify the OAIC via our online data breach notification form. For more information, see Reporting a Data Breach. Determining whether a data breach is a legitimate data breach is often complicated and requires a thorough understanding of a range of legal concepts and a forensic assessment of IT systems. Therefore, if you are facing a potential legitimate data breach, it is advisable to hire professionals (such as lawyers and computer forensics) to assist you in the process and determining your legal obligations. According to Section 26WH of the Data Protection Act, APP companies have an obligation to conduct an assessment if they are aware of a reasonable belief that they may have been victims of a legitimate data breach, but do not yet have reasonable grounds to believe that they have actually been victims of a legitimate data breach. In such circumstances, an APP entity must conduct a “reasonable and timely assessment” to determine whether the data breach constitutes a breach of the authorized date and take all reasonable steps to ensure that such assessment is completed within 30 days of the Company becoming aware of the reasonable grounds for suspicion. Under the Notifiable Data Breaches (NDB) program, any organization or agency covered by the Privacy Act 1988 must notify data subjects and the OAIC if a data breach is likely to cause serious harm to an individual whose personal information is affected. The most significant legal obligation in relation to a data breach is an APP entity`s obligation to notify under Section 26WK of the Data Protection Act if it knows that there are “reasonable grounds to believe that there has been a legitimate data breach by the Company.” At this stage, a PPA entity must create a notification statement as soon as possible and provide a copy of that statement to the OAIC.

The correct drafting of this statement is crucial as there are specific legal requirements in Section 26WK that must be included in this statement. We hope this page and our plan have helped you understand your legal obligations in the event of a data breach. If you have any further questions about the FIS program or data protection law in general, please call us for a non-binding conversation. Understanding your legal obligations against data breaches is more important than ever. According to the real-time cyber threat map of global cybersecurity firm Kaspersky, Australia is the 30th most attacked country in the world. In fact, the Australian Cyber Security Centre (ACSC) reports that an average of 164 cybercrime reports are made by Australians every day! Attacks on businesses are an important part of this and carry major reputational, financial and legal risks. 6 Enforcement of changes – authorized data breaches The IM3 tool can help agencies identify gaps in systems knowledge and identify areas that may need to be strengthened to avoid the risk of a security breach. Ensure that the systems used to manage or capture records comply with the Victorian Electronic Records Strategy (VERS) and relevant recordkeeping standards. This helps prevent unauthorized access and should be part of a compliance verification program that regularly identifies and mitigates risks associated with unauthorized access and loss of record integrity. Even leaving out regulatory compliance, there are reputational risks associated with a data breach.

People are generally aware of the prevalence of security incidents, so your reputation may be more affected not by the fact that you were exposed to a data breach, but by how you responded to it. Consider a data breach as an opportunity to show how seriously you take the protection of personal data and show how to resolve issues quickly and efficiently. A data breach response plan and/or privacy policy is a valuable first step in demonstrating good community engagement. Independent Evaluation of the Cyber Security Program Best practices include hiring an external consultant to hire technical advice to review the cyber security program. The reason for hiring an external consultant is to protect any observations regarding deficiencies or problems identified by technical advice under solicitor-client privilege. (a) conduct an appropriate and timely assessment to determine whether there are reasonable grounds to believe that the relevant circumstances constitute an eligible data breach by the company; and (b) access, disclosure or loss that constitutes a legitimate breach of Company Data constitutes an eligible data breach by one or more other companies; If you believe that your personal information may be involved in a data breach, please see our Privacy Breach Information for Individuals. As a result, recent publications from the Australian Information Commissioner`s Office (“OAIC”) indicate that a significant number of data breaches have been reported since the launch of the system. Exception 26WJ – Data breaches authorized by other companies The reportable data breach system came into effect on February 22, 2018 with the first breach notification in March.