Heard of the Notifiable Data Breaches scheme? If not, you soon will

The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988, and is set to take effect from 22 February 2018.

The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Office of the Australian Information Commissioner must also be notified of eligible data breaches.

There will be a form to use for such notification, which for now is in draft form (but you can view the form as it stands on this business.gov.au web page).

In general terms, an eligible data breach refers to an unauthorised access, loss, or disclosure of personal information that could cause serious harm to the individual whose personal information has been compromised.

The Tax Practitioners Board (TPB) has announced, in relation to the new NDB scheme, that it may take a failure to comply with the NDB scheme into account when assessing whether a registered tax practitioner has breached the Tax Agent Services Act 2009 (TASA), for example the TPB’s Code of Professional Conduct. For now, the TPB has said it would consider matters and any appropriate sanctions on a case-by-case basis.

While the criteria for which entities are covered by the scheme may seem wide, the administrator of the NDB scheme, the Office of the Australian Information Commissioner (OAIC), spells out that it covers any entity that receives an individual’s tax file number (TFN).

“A TFN recipient is any person who is in possession or control of a record that contains TFN information,” the OAIC states. It adds: “In certain circumstances, entities that are not otherwise covered by the Privacy Act, such as state government bodies, may also be authorised to receive TFN information and will be considered TFN recipients.”

More information can be found on the OAIC website, and the TPB says it will continue to monitor developments as they relate to tax practitioners, and will release further guidance and more information on its website as this comes to hand.

The OAIC held a webcast on preparing for the NDB scheme late last year. The webcast covered the key requirements of the scheme, and responded to frequently asked questions. You can view a recording of the webcast by registering on this OAIC web page.
