Author: Government recordkeeping

What is the Notifiable Data Breach Scheme?

Amendments to the Commonwealth Privacy Act 1988 late last year included the requirement for Australian Government agencies (and other organisations that collect information covered by the Privacy Act) to:

  • assess the security around the personal information they capture for possible breaches and 
  • notify both the people concerned and the Australian Information Commissioner if a breach has occurred that is likely to result in serious harm.

The Notifiable Data Breaches (NDB) Scheme requires that:

  • the breach qualifies as an eligible data breach under the NDB scheme
  • individuals concerned are notified that their personal information has been involved in a data breach that is likely to result in serious harm
  • the Australian Information Commissioner is advised of the breach.

Some examples of a breach include the loss or theft of a device containing an individual’s personal details, the hacking of a database containing personal information, or records containing personal information being mistakenly provided to the wrong person. The main criteria for classifying a situation as a Notifiable Data Breach are that unauthorised access has occurred, that remedial action has been unable to minimise the risk, and that the access would be likely to result in serious harm to the individuals affected.

The Notifiable Data Breach Scheme came into effect on 22 February 2018, with the first notification of a breach occurring in March. The shipping company Svitzer Australia revealed a data breach that saw the personal information of half of its employees leaked outside the company.

For more information about the NDBS please refer to the Office of the Australian Information Commissioner.


What impact does this have on Victorian Government agencies?

Victorian Government agencies are primarily affected if they capture information governed by the Commonwealth Privacy Act 1988, which would mainly be tax file number (TFN) information. The Office of the Victorian Information Commissioner has advice about how the NDB Scheme may affect Victorian agencies and what to do if an agency suspects it has had a data breach.

For further information, see the Office of the Victorian Information Commissioner guidance: Notifiable Data Breaches Scheme under the Privacy Act 1988: Obligations for Victorian public sector organisations


What can agencies do to minimise risk?

In summary:

  1. Know what data is considered eligible under the NDB Scheme and what systems this data is captured in or managed by
  2. Manage systems in accordance with Standards designed to prevent unauthorised access and protect the integrity of the records
  3. Dispose of records once their retention period has concluded
  4. Regularly assess systems for risk associated with unauthorised access or loss of integrity and mitigate risks identified

The IM3 tool can assist agencies by helping to identify gaps in knowledge about systems and what areas may need to be strengthened to reduce the risk of a breach occurring. Ensure that systems used to manage or capture records are in line with the Victorian Electronic Records Strategy (VERS) and relevant Recordkeeping Standards. This will assist with preventing unauthorised access and should be part of a compliance audit program that regularly identifies and mitigates risk associated with unauthorised access and loss of record integrity.

Retention periods for records containing TFNs will vary depending on the reason the information was obtained (see Retention and Disposal Authorities). As with any personal information collected, TFNs should only be collected when absolutely necessary and retained only for as long as needed. Knowing which records are held in which systems, and the level of information they contain, can assist with determining whether a breach has placed personal information at risk.