A slew of high-profile government and commercial cyber breaches have raised general public awareness — but it’s up to organisations to let customers know when a breach affects them personally.
By February next year, any organisation covered by the Privacy Act — including government — must comply with a new Notifiable Data Breaches scheme.
It’s not just major database hacks that fall within the new rules. Other examples include a device containing customers’ personal information being lost or stolen, or personal information being mistakenly provided to the wrong person.
The Office of the Australian Information Commissioner is building a set of resources for organisations preparing for the new scheme, and it’s seeking comment on its work so far. New material includes
- assessing a suspected data breach
- what to include in an eligible data breach statement
- exceptions to notification obligations
- a draft online form to assist organisations in preparing a statement about an eligible data breach to the Australian Information Commissioner
- a new chapter to the OAIC’s Guide to privacy regulatory action on data breach incidents.
The OAIC is asking for feedback via email@example.com