Notifiable Data Breaches scheme: Obligations for Victorian public sector organisations
The Notifiable Data Breaches (NDB) scheme comes into effect on the 22nd of February 2018. From this date, entities captured by the scheme will have obligations to report eligible data breaches (breaches that are likely to result in serious harm) to the Office of the Australian Information Commissioner (OAIC) and to affected individuals.
In the Victorian public sector, the NDB scheme will apply to Victorian public sector organisations that are tax file number (TFN) recipients, to the extent that an eligible data breach involves TFN information. If a Victorian public sector organisation experiences an eligible data breach involving TFN information, they will be required to report the breach to the OAIC and affected individuals.
The NDB scheme is designed to provide individuals the opportunity to take positive steps to protect their personal information following a data breach. The requirements placed on entities under the scheme to report eligible data breaches formalise existing community expectations of entities holding personal information, to ensure that personal information is handled and protected appropriately.
The NDB scheme requires organisations to be transparent with individuals in the event of a privacy breach and provide guidance to affected individuals, in the form of recommended steps to take to minimise the harm that may be caused by a breach. These requirements can in turn assist organisations to build public trust and confidence in the handling of their personal information, through being transparent and proactive in the management of privacy breaches.
Members of the Operational Privacy and Assurance, Data Protection and Strategic Privacy teams at OVIC have produced a factsheet to assist Victorian public sector organisations to navigate their obligations under the NDB scheme. The factsheet includes information on how Victorian government agencies should make an assessment of suspected eligible data breaches, how eligible data breaches under the scheme should be reported, and outlines the steps organisations can take to prepare for the NDB scheme.
For breaches that involve other personal information or public sector data, Victorian public sector organisations are strongly encouraged to report the breach to OVIC. The factsheet includes a flowchart to help organisations determine when they need to report to the OAIC under the NDB scheme, and when they should consider voluntarily reporting to OVIC.
The factsheet can be downloaded from our website here.
For any questions regarding obligations in the Victorian public sector under the NDB scheme, Victorian public sector bodies should get in touch with the OVIC enquiries line, on 1300 006 842 or at firstname.lastname@example.org.
For questions relating to the operation of the NDB scheme, please get in touch with the OAIC on 1300 363 992 or at email@example.com.