Updated: Oct 19, 2018

2018 Notifiable Data Breaches Scheme

The Australian Government's Notifiable Data Breaches (NDB) scheme went into effect on February 22nd, 2018. This regulation requires agencies and organisations under the Privacy Act of 1988 to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach occurs.

This regulation applies to any incident in which personal information is subject to unauthorised access or disclosure, or is lost, as defined in Section 6 of the Privacy Amendment (Notifiable Data Breaches) Act 2017. Examples of a data breach include the following incidents:

  • A device containing customers' personal information is lost or stolen
  • A database containing personal information is hacked
  • Personal information is mistakenly provided to the wrong person

Who Must Comply

All Australian Government agencies, businesses and not-for-profit organisations with an annual revenue of $3 million or more, credit reporting bodies, health service providers, and tax file number (TFN) recipients must comply with this new notification regulation.

Small business operators, registered political parties, state or territory authorities, or a prescribed instrumentality of a state do not need to comply. However, businesses of any size that trade in personal information and organisations that provide a health service to, and hold health information about, individuals must comply.

Small businesses that are required to secure tax file number information only need to notify data breaches that involve that TFN information; breaches affecting other types of information do not trigger the notification obligation for them.

Overseas Partners & Jointly Held Information

If a regulated entity discloses personal information to an overseas partner or 3rd party, the Australian entity is still responsible for assessing whether a data breach by the partner is a violation of the Privacy Act, and if it is

In general, compliance by one entity will also be taken as compliance by each of the entities that hold the information. As such, only one entity needs to take the steps required by the NDB scheme. The NDB scheme leaves it up to the entities to decide which entity should do so.

Notification Of Data Breach

A regulated organisation must notify the Commissioner of an eligible data breach within the time specified. The notification must be submitted using the Notifiable Data Breach Form. This form asks for specific information about the potential harm arising from the data breach and about the recommendations given to affected individuals to prevent further harm.

The Commissioner also provides a diagram giving an overview of a standard data breach response that follows the requirements of the NDB scheme.

The Commissioner reviews every notified data breach for severity and may seek injunctions or impose penalties as necessary to ensure that regulated organisations secure their data in future.

WipeDrive's Role In NDB Scheme

WipeDrive Enterprise provides a Common Criteria EAL 2+ certified solution for securely erasing data from all storage devices. WipeDrive also produces a tamper-proof audit report for NDB regulated entities. This report verifies that all data was securely removed and eliminates the possibility of a data leak from the wiped devices. We recommend that NDB regulated entities securely erase all IT assets when they are reallocated to another employee and before they leave their current facility. This limits the number of devices an attacker could target and focuses protection efforts on the storage devices currently in use.

WipeDrive Enterprise - Global Data Erasure

For over 20 years, WhiteCanyon Software has been a leader in data erasure throughout Australia. Compliance with Australia's current and future data security policies is WhiteCanyon Software's priority. This gives all WipeDrive clients the reassurance that the erasure software will keep pace with technological and legislative changes.

Contact a WipeDrive Sales Executive today for more information.