The new Mandatory Data Breach reporting scheme requires organisations to conduct assessments of suspected data breaches and notify individuals likely to be at risk.
From 22 February 2018, it will be mandatory for organisations to notify the Office of the Australian Information Commissioner (OAIC) of a notifiable data breach. Organisations will also need to notify any individual whose personal information is compromised by the breach.
What is a data breach?
A notifiable data breach occurs when personal information held by an organisation is lost, accessed or disclosed without authorisation.
The Privacy Act 1988 defines personal information as information or an opinion about an individual who is reasonably identifiable. Personal information may include but is not limited to: a person’s name, email address, medical records, bank account details, photos and videos, information about what an individual likes, their opinions and where they work. Whether information constitutes personal information depends on whether an individual can be identified or is ‘reasonably identifiable’ in the particular circumstances.
Why is data breach reporting changing?
The data breach reporting scheme intends to strengthen the protections afforded to personal information, and improve transparency in the way that organisations respond to serious data breaches. It also gives individuals the opportunity to minimise the damage that can result from unauthorised use of their personal information.