After some time in deliberation, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed Parliament in February 2017, and the scheme it created commenced on 22 February 2018. The amendment established a mandatory data breach notification scheme in Australia, known as the Notifiable Data Breaches (NDB) scheme.
What is Mandatory Data Breach Notification?
It's a scheme that requires all entities subject to the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) and the individuals at risk when an "eligible data breach" occurs. The intention is to ensure that people have the opportunity to take steps to protect themselves (for example by changing passwords or watching for identity fraud) if their personal information is compromised.
Put simply, if someone gains unauthorised access to personal or sensitive information you hold, or that information is disclosed or lost in a way that makes unauthorised access likely, and a reasonable person would conclude the breach is likely to result in serious harm to any of the people concerned, you are required to notify both the OAIC and those people.
It's important to remember that not every security incident triggers notification, but you cannot simply wait and see either. If you have reasonable grounds to suspect an eligible data breach, you must carry out a reasonable and expeditious assessment within 30 days. If the assessment shows the breach is likely to cause serious harm and you have not been able to prevent that harm through remedial action (for example, remotely wiping a lost laptop before anyone could read it), you must notify the OAIC and the affected individuals as soon as practicable.
How will this legislation affect my NFP?
The scheme applies to every entity already covered by the Privacy Act. Broadly, that means organisations with an annual turnover of more than $3 million, but it also captures some smaller organisations, such as private health service providers and organisations that trade in personal information, so an NFP below the turnover threshold is not automatically exempt.
If an entity doesn't comply with its obligations to assess and notify, the result may be an OAIC investigation, enforceable undertakings and, for serious or repeated interferences with privacy, substantial civil penalties. In addition to these, organisations risk losing the trust of their communities if a breach is not handled correctly.
How can I get myself and my organisation ready to comply with the legislation?
It goes without saying that in an ideal world, there would be no data breaches. While we can't expect this to happen, we can minimise our risk of a breach:
- Do a security audit to expose any vulnerabilities - e.g. weak or shared passwords, out-of-date or unpatched software, unencrypted web connections (plain HTTP) or unencrypted data stores and backups, etc.
- Install, and keep up to date, antivirus, anti-malware and firewall software. If you don't have these in place on your system, install a high-quality and reputable security software solution (such as ESET) immediately.
- Make sure all your staff are trained in computer and internet best practices - e.g. choosing strong passwords, keeping track of where data is stored, not installing questionable third-party software on work computers, etc.
- Implement an encryption policy so that full-disk encryption (e.g. BitLocker on Windows or FileVault on macOS) is turned on for every laptop and desktop - e.g. if an employee or volunteer's laptop is lost or stolen, the data on it remains unreadable to anyone without the encryption passphrase or recovery key. A verified encryption status is also what lets you argue, under the scheme, that a lost device is unlikely to result in serious harm.
- Use a dedicated Data Loss Prevention software solution such as Safetica which can monitor your system and - depending on the version of the software you choose - block breaches from happening at all.
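The encryption step above is only useful if you can prove it is actually in force on every machine. The following PowerShell check is an added example, not code from the original article or from any vendor it mentions: it lists each BitLocker-managed volume, records whether protection is on and encryption is complete, and exits non-zero if any volume falls short, so it can be run from a login script or an RMM tool. It assumes a Windows machine with the BitLocker module available and an elevated prompt; the output column names are my own.

```powershell
# Added example: audit BitLocker status on the local machine.
# Assumes Windows with the BitLocker module and an elevated prompt.
# Note: removable drives also appear as 'Data' volumes, so plug-in media
# left connected will be reported too.

$report = Get-BitLockerVolume | ForEach-Object {
    $protectors = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    [pscustomobject]@{
        Drive      = $_.MountPoint
        Type       = $_.VolumeType
        Protection = $_.ProtectionStatus        # On / Off
        Encrypted  = "$($_.EncryptionPercentage)%"
        Protectors = $protectors                # e.g. Tpm,RecoveryPassword
        # A volume is only considered compliant when protection is switched on
        # AND encryption has finished; 'Off' with 100% encrypted means the key
        # is stored in the clear and the disk is effectively unprotected.
        Compliant  = ($_.ProtectionStatus -eq 'On' -and $_.EncryptionPercentage -eq 100)
    }
}

$report | Format-Table -AutoSize

$nonCompliant = @($report | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning ("Unprotected volume(s): " + (($nonCompliant | ForEach-Object { $_.Drive }) -join ', '))
    exit 1
}
Write-Output "All BitLocker volumes are protected and fully encrypted."
exit 0
```

Two things to look for in the output: a volume that reports 100% encrypted but Protection 'Off' has been suspended (the clear key is on disk), which is common after a firmware update and is worth an alert on its own; and a volume whose Protectors column lacks RecoveryPassword means nobody has a way back in if the TPM fails, so escrow the recovery key (in Active Directory, Entra ID or your password manager) before relying on it.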
Additionally, having a data breach response plan (who is notified internally, how the 30-day assessment is run and documented, who signs off the statement to the OAIC and how affected people are contacted) will allow you to act quickly if a breach does occur, which is what lets your organisation meet the scheme's deadlines and keep your people protected.
Resources and more information
- Mandatory Data Breach Notification - webpage on the OAIC website with details of the amendment.
- A guide to handling personal information security breaches
- Guide to developing a data breach response plan
- Who needs to comply with the Act? - a resource from the OAIC on who the Privacy Act, Australian Privacy Principles (APPs) and Amendment apply to.