The Notifiable Data Breaches (NDB) scheme, which came into effect on February 22, 2018, requires Australian Government agencies and other organizations obliged to secure personal information under the Privacy Act 1988 (Cth) (Privacy Act) to notify individuals who are likely to be adversely affected by a data breach, much as the EU’s GDPR will penalize organizations that do not comply with its notification requirements. Fines for noncompliance can reach up to $2.1 million.

The new scheme falls under Part IIIC of the Privacy Act 1988 (Privacy Act). The requirements of this Act are outlined in the Australian government’s ‘Guide to securing personal information’, which provides guidance on the reasonable steps organizations are required to take to protect “the personal information they hold from misuse, interference, loss, and from unauthori[z]ed access, modification or disclosure.” This guide is not legally binding; however, the government uses it as a reference when undertaking Privacy Act functions, including privacy assessments and investigations. The guide gives recommendations on securing data throughout its lifecycle, including the “destruction or de-identification of the personal information when it is no longer needed.”

Under Australian Privacy Principle (APP) 11.2, government agencies and other affected organizations must take reasonable steps to destroy or de-identify the personal information they hold once it is no longer needed for any purpose for which it may be used or disclosed under the APPs. The exceptions are where the personal information is contained in a “Commonwealth record” or where the entity is required by law, such as a court order, to retain it.

lifecycle management graphic
