In February 2018 the Notifiable Data Breaches (NDB) scheme came into effect in Australia. It is administered by the Office of the Australian Information Commissioner (OAIC) and requires covered organisations to notify affected individuals and the OAIC of data breaches that are likely to result in serious harm.

Who does this affect?

The scheme applies to businesses and organisations that meet the criteria for Australian Privacy Principles entities (APP entities), along with some other entities covered by the Privacy Act. These include:

  • Australian Government agencies (regardless of turnover)
  • Businesses and not-for-profit organisations with an annual turnover of more than AU $3 million
  • Private sector health service providers, including:
    • Pharmacists
    • Allied health professionals
    • Gyms
    • Weight loss clinics
  • Credit reporting bodies
  • Credit providers
  • Entities that trade in personal information, such as businesses that buy and sell email lists
  • Employee associations registered under the Fair Work (Registered Organisations) Act 2009
  • Providers of services under a Commonwealth contract

Although this list excludes many small businesses, some of the data they hold still falls under the scheme. If your organisation holds tax file numbers (for employees or otherwise), you must comply with the NDB scheme for any breach of that data regardless of your turnover; if you store credit card information, review whether the same applies to you.

What do we need to do?

Organisations should review the criteria above alongside a review of what information they collect, store, and transmit.

If your business or organisation fits any of the criteria above, it is imperative that you are aware of your obligations and that a Notifiable Data Breach response plan is developed and implemented. Many organisations have delegated IT management and support to a Managed Service Provider (MSP), which raises the question: who is responsible for the NDB response plan?

Who is responsible for the NDB response plan?

Ultimately the organisation itself is responsible for developing its NDB response plan and communicating it throughout the organisation. Since the MSP effectively acts as your IT department, it is crucial to make them aware of any new or updated NDB response plan so they can integrate it into their own processes when working with your organisation.

In most situations it is best to work with the MSP to ensure the plan works for both parties. The MSP can also offer useful insights and suggestions, as it should already have developed its own NDB response plan for securing its internal information systems.

What should you do?

Firstly, review what data your organisation works with (what it collects, stores, and transmits). Next, determine whether your organisation is an APP entity; the OAIC publishes a checklist to assist with this. If the NDB scheme affects your business, arrange a meeting with your MSP to discuss it and what the MSP can do to help develop a suitable NDB response plan that works for all parties.

If you are unsure of your MSP's position on the NDB scheme, unhappy with their response, or want a second opinion, reach out to us and we can arrange a review of your organisation to see where you stand and what needs to be done to meet your obligations.