What is the Notifiable Data Breaches scheme?

This new legislation requires you to notify the Australian Information Commission and any affected individuals of a data breach that is likely to result in serious harm.

What type of data is covered by the legislation?

Any type of personal data that could cause harm to the individual if in the wrong hands. Some examples:

  • Information about a person’s ethnicity, religion, political opinions, sexual orientation, criminal record
  • Health information
  • Payment Card Information
  • Financial information
  • Tax File Numbers
  • Credit information

Which organisations are required to comply?

Any organisation that the Privacy Act requires to take steps to secure certain types of data. This list includes government agencies, businesses and not-for-profit organisations with an annual turnover of $3M or more, credit reporting agencies, TFN recipients and health service providers.

What do you need to do?

There are many avenues for a data breach within your business and from outside your office or datacentre walls. Here are some of the things to consider:

  • A secure and capable firewall on all internet connections is essential
  • Web filtering and DNS protection to protect against phishing and malware
  • Antivirus protection
  • Email antivirus and anti-spam filtering (even for Office 365)
  • Security patching of all servers, workstations and devices
  • Restricting administrative privileges
  • Disabling untrusted macros
  • Daily backups and disaster recovery …to name a few

If you are an organisation that needs to comply with the Mandatory Data Breach Notification legislation and you hold any of the covered data types, we recommend that you undergo a vulnerability and security assessment to identify potential risks and gaps in your security. Get in touch with our Security team if you’d like to discuss the NDB scheme or a security engagement.