The change that came about on 22^nd February, commences the Notifiable Data Breaches scheme. When a data breach is likely to result in an individual suffering serious harm then the entity must notify both the individuals that are likely affected by the breach and the Australian Information Commissioner.

Deciding when ‘serious harm’ is likely to occur is also not an easy exercise in itself. The factors to consider if serious harm is likely include the:

• nature of the information
• sensitivity of the information
• security measures that protect the information (ie - encryption in place)
• who could have obtained or who could obtain access to the information
• nature of the harm

The notification must include:

• the identity and contact details of the organisation
• a description of the data breach
• the kinds of information concerned and;
• recommendations about the steps individuals should take in response to the data breach.

Failure to notify is considered a serious breach and attracts fines of up to $2.1M.

It is important for organisations to recognise that the security of personal information is not just a problem for the IT department. Robust policies and procedures, training and a culture of protecting personal information are also required to prevent data breaches. Previous public examples of data breaches have included hard copy medical records being dumped without shredding – not an action that an IT department could have prevented.

Having a Data Breach Plan in place before any breach occurs is an important process to ensure that you manage the breach effectively and minimise damage to any individuals and the impact that it will have on your organisation and your reputation.

The Office of the Australian Information Commissioner www.oaic.gov.au has lots of information and resources to assist organisation meet their obligations.