David Sofrà and Analyn Toledo discuss the implementation of the Notifiable Data Breach (NDB) scheme from February 2018.
The Australian Information Commissioner has commenced implementation of the Notifiable Data Breach (NDB) scheme, effective 22 February 2018. The scheme applies to agencies and organisations (entities) that are subject to the Privacy Act 1988, which governs the protection of personal information.
The NDB scheme requires entities to notify affected individuals and the Commissioner about ‘eligible data breaches’. An eligible data breach occurs when:
The notification must include recommendations about the steps individuals should take in response to the breach. Entities must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm, and thus require notification.
The drive to improve efficiency, reprioritise resources and optimise stakeholder returns has led most entities to outsource payroll or to invest in new or improved technology. This transformation has resulted in a rapid increase in reliance on information technology and in operating in an online environment.
As with any other part of the business, entities running payroll (whether outsourced or in-house) are entrusted with valuable personal information of individuals and have an obligation to protect this information by all reasonable means. The NDB scheme is another mechanism directed at ensuring that entities uphold this accountability, particularly in a period where Australians embrace online activities more and more each day.
The NDB scheme is, in effect, another reporting obligation that entities have to comply with. But beyond being a compliance exercise, the scheme has implications for the following:
So as you go about your day-to-day business of running payroll, consider these questions:
Do not wait until you have to report an eligible data breach. Financial and reputational damages can be devastating. Get your safeguards tight or even tighter. Now is the time to act.