On 22 February 2018 the Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into force. The Act applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act).
The NDB scheme introduces an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches.
Whilst there is no obligation for organisations to create a plan to deal with data breaches, it would seem foolish not to prepare adequately for a data breach in any organisation that manages or holds personal information.
EdSmart has created a Data Breach Plan to enable us to contain, assess and respond to data breaches in a timely fashion, to help mitigate potential harm to affected individuals. It sets out contact details for the appropriate staff in the event of a data breach, clarifies the roles and responsibilities of staff, and documents processes to assist us to respond to a data breach.
In addition, we ask all of our customers to notify us of their Data Privacy contact staff member, to ensure we know who to liaise with in the event of a breach.