On 22 February this year, the Notifiable Data Breaches (NDB) scheme came into play in Australia. This directly affects all health service providers including aged care facilities. So what does this mean to you and what do you need to know?

Firstly, what is it?
As stated by Australian infosec company, Sense of Security, the Notifiable Data Breaches (NDB) scheme applies to all organisations under the Australian Privacy Act 1988. It outlines an obligation to notify individuals affected by a data breach. Not only do they have to be notified, but the organisation must include recommended steps that the affected parties should take to respond to it and best protect their data.

The Office of the Australian Information Commissioner (OIAC) must also be notified of a breach, and if an organisation fails to do so, there can be fines of $360,000 for individuals and $1.8 million for organisations.

Who does it affect?
You need to comply with the NDB scheme if you’re a:
• Business or not-for-profit organisation with an annual turnover of $3 million or more
• Health service provider
• Credit reporting body
• TFN recipient (someone holding a Tax File Number in your systems), or an
• Australian Government agency

What needs to be reported?
Sense of Security also highlights three indicators that can tell you whether an incident needs to be reported to the Commissioner and to affected parties.

1. Unauthorised access, such as personal information or data. This includes company employees accessing data, as well as external parties/hacks. This also includes accidental access as well as intentional.

2. Unauthorised disclosure, such as when personal information is exposed to the public. This again can be intentional or accidental.

3. Loss, which can often be reported as a pre-cursor to unauthorised access and/or disclosure. It can involve instances such as employees unintentionally leaving hard drives or information on public transport.

It is not necessary to report loss every time, such as when information is deliberately deleted before a third party can access it, or lost information is highly encrypted.

Who do I need to tell?
Breaches need to be reported to the OAIC via an online form. There’s also a guide that you can use to help you prepare in case a data breach occurs. You will need to advise your company name, the date and time of the breach and specifically what data was affected in the breach and who it affects.

You have up to 30 days to notify the OAIC of the breach, but it is also important to notify those that may have been affected by the breach – these could include your residents, their families, your staff and possibly even your suppliers.

You also need to outline steps to them on how they can further secure and protect their personal information, i.e.: by changing passwords, by not responding to spam or “phishing” emails that appear to have come from your facility, by checking bank accounts to ensure no unauthorised transactions have occurred.

What do I do next?
Next week we look at 5 actionable ways to protect from cyber-crime.

For more information on the Notifiable Data Breach scheme and what to do, visit the Office of the Australian Information Commissioner website.

References
The Notifiable Data Breaches Scheme – What is it? Sense of Security.
https://www.senseofsecurity.com.au/notifiable-data-breaches-scheme/

What You Need To Know About Australia’s Mandatory Data Breach Notifications Scheme. Lifehacker AU.
https://www.lifehacker.com.au/2018/02/australias-notifiable-data-breaches-scheme-starts-next-week/