Notifiable data breaches Roundtable
Andrew Solomon — Assistant Commissioner, Dispute Resolution Sydney, Wednesday 3 May 2017
Notifiable Data Breaches roundtable
The Notifiable Data Breaches (NDB) scheme commences on 22 February 2018. The Office of the Australian Information Commissioner (OAIC) is seeking your input on the guidance we can develop to help you prepare.
Key elements of the NDB scheme
Notifiable data breaches roundtable | OAIC
The OAIC’s role
The Commissioner’s key responsibilities under the scheme are:
- Receiving notifications
- Offering advice and guidance, and providing information to the community about the operation of the scheme
- Promoting compliance, including taking regulatory action in response to instances of non-compliance (investigations, assessments, directions to notify).
Who must comply?
The NDB scheme will apply to organisations with existing security obligations under the Privacy Act. Specifically:
- APP entities that hold personal information – Commonwealth government agencies and private sector organisations
- Credit reporting bodies that hold credit reporting information
- Credit providers that hold credit eligibility information
- File number recipients that hold tax file number information
Eligible data breaches
What is a data breach?
- Unauthorised access to or disclosure of personal information, or
- Loss of personal information, where unauthorised access or disclosure is likely to occur.

Eligible data breach?
A reasonable person would conclude that the data breach is likely to result in serious harm to any of the individuals to whom the information relates.

Suspect an eligible data breach?
You must carry out a reasonable and expeditious assessment and take all reasonable steps to complete the assessment within 30 days.
Remedial action
Quick remedial action can reduce the likelihood of serious harm. If remedial action is successful in preventing the likelihood of serious harm, the data breach is not an ‘eligible data breach’ and you do not need to notify. If remedial action is only successful for some individuals affected by a data breach, but not others, you still need to notify those individuals who are at risk of serious harm (and the OAIC).
Exceptions to notifying
Exceptions for notification under the NDB scheme include:
- Entities subject to a ‘multiple entity’ data breach, where another entity has notified about the same data breach
- Law enforcement bodies where notification would prejudice law enforcement activities
- Government agencies in relation to secrecy provisions in other laws
- Entities that are granted an exemption by the Commissioner
- Data breaches notified under the My Health Records Act 2012.
How to notify
1. Notify the OAIC with a statement that includes:
- Your organisation’s identity and contact details
- A description of the data breach
- The kind or kinds of information concerned
- Recommendations about the steps individuals should take in response to the data breach.
2. Notify individuals – 3 options:
(i) Notify all individuals whose personal information is involved, if practicable; OR
(ii) Notify each individual who is ‘at risk’ of serious harm, if practicable.
The notice to individuals must include the ‘contents’ of the statement prepared for the OAIC.
(iii) If it is not practicable to notify affected individuals, an entity must publish a copy of the statement prepared for the OAIC on its website, AND take reasonable steps to publicise the contents of the statement.
OAIC’s preparation for the scheme
Expected timeline (three stages)
- April 2017: Project commenced
- May 2017: Publication of first set of guidance for public comment
- September 2017: Publication of all remaining content for public comment
- November 2017: Finalisation of all content
OAIC guidance
Key topics:
- Who is covered
- Eligible data breaches
- Exceptions
- Assessing data breaches
- When to notify
- How to notify
The first set of guidance
- Who must comply with the NDB scheme
- What is an ‘eligible data breach’ (and remedial action)
- How to notify individuals
- Overview of the OAIC’s role in the NDB scheme
Keep up to date with our guidance on our NDB scheme webpage.
Discussion & Questions
- What aspects of the NDB scheme are you seeking regulatory guidance about?
- Do you have particular concerns about the way the scheme will operate for your industry, which you believe may be able to be addressed in the OAIC’s guidance?
- From your industry’s experience in responding to data breaches, what examples can you offer that might inform the OAIC’s regulatory guidance?
www.oaic.gov.au www.oaic.gov.au/ndb