The NDB scheme, or Notifiable Data Breach scheme, is a requirement developed by the Australian government for all agencies and organisations regulated under the Privacy Act 1988. These entities are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to the individuals whose personal information is involved. The NDB scheme commenced on 22 February 2018 and sets out exactly how an organisation should proceed when a breach occurs.
The Australian government has published two guides on how to act when a breach occurs.
The NDB scheme was established by the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017. The scheme applies from 22 February 2018 to all organisations and agencies with existing personal information security obligations under the Privacy Act. It obligates these entities to notify anyone whose personal information has been involved in a data breach that is likely to cause serious harm. The notification must include recommendations about the steps individuals should take in response to the data breach. The Australian Information Commissioner must also be notified.
To comply with the NDB scheme, agencies and organisations must prepare for the possibility of a data breach and plan how to respond quickly to contain and reduce the resulting harm. To notify the Commissioner, entities should use the Notifiable Data Breach form.
Section 6 of the Privacy Amendment (Notifiable Data Breaches) Act 2017 says that the scheme applies to incidents where personal information is subject to unauthorised access or disclosure, or is lost.
Who Must Comply?
Agencies and organisations that the Privacy Act requires to secure specific categories of information must comply with the NDB scheme. This includes Australian Government agencies, not-for-profit organisations and businesses with an annual turnover of $3 million or more, health service providers, credit reporting bodies, and TFN recipients.
When is Compliance Required?
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Not every data breach triggers the scheme. Only data breaches involving personal information that are likely to cause serious harm require NDB scheme compliance; the NDB scheme calls these “eligible data breaches.”
Examples of a qualifying data breach include:
A database with personal information is hacked
Personal information is provided to the wrong person by mistake
A device containing customers’ personal information is stolen or lost
A few exceptions that do not require notification are outlined in the Data breach preparation and response guide. If a data breach is suspected, agencies and organisations are required to assess quickly whether it is likely to cause serious harm.
How to Notify
If an eligible data breach has occurred, individuals at risk of serious harm must be notified promptly. The Commissioner must also be notified as soon as practicable. The notification must include the following information:
Name and contact details of the organisation
Description of the data breach
Types of information affected
Recommendation of steps that individuals should take in response to the data breach
The Commissioner is notified using the Notifiable Data Breach form.
Role of the OAIC
The Commissioner has several roles under the NDB scheme:
Receiving notifications of data breaches
Encouraging compliance through handling complaints, taking regulatory action and conducting investigations
Offering guidance to organisations, and information to the public about the scheme