
Notifiable Data Breaches (NDB) Scheme – What does it mean for your business?

With GDPR the focus of many press headlines across the world, you’d think it was the first and only regulation covering the privacy of individuals! However, privacy regulations exist in numerous countries around the globe, and anyone in Australia or its territories will be all-too familiar with the Australian Privacy Act 1988 (which, for simplicity, I’ll just refer to as ‘the Privacy Act’ from this point forward).

Governed by the Office of the Australian Information Commissioner (OAIC), the Privacy Act introduces 13 Privacy Principles (known as the Australian Privacy Principles, or APPs) that guide how the personal information of Australian subjects must be managed. Failure to protect personal information is deemed “…an interference with the privacy of an individual,” with financial penalties of up to AUD$360,000 for individuals and up to AUD$1.8M for organizations.

What’s top of mind for many who are subject to the Privacy Act is a new amendment — the Privacy Amendment (Notifiable Data Breaches) Act of 2017. Inspired by the proliferation of personal information stored in electronic form, such as social media content, healthcare records, and more, the amendment acknowledges the increasing risk (and occurrences) relating to breaches of that data.

Starting 22 February 2018, the amendment introduces the Notifiable Data Breaches (NDB) scheme. This requires organizations to notify individuals of an ‘eligible data breach,’ which is defined as when BOTH the following conditions are met:

  1. An individual’s personal information has been subject to unauthorized access, disclosure, or loss; and
  2. The breach is likely to result in serious harm to that individual.

Who Needs To Comply with the Australian Privacy Act?

The Privacy Act applies to all Australian government agencies, businesses, and non-profit organizations with an annual turnover of more than AUD $3 million.

In addition, small businesses and organizations with an annual turnover less than AUD$3 million who fall into the following categories must also comply with the Privacy Act:

  • Private sector health service providers including:
    1. Traditional healthcare providers (hospitals, day surgeries, medical practitioners, pharmacists, health professionals).
    2. Complementary therapists, such as naturopaths and chiropractors.
    3. Gyms and weight-loss clinics.
    4. Child care centres, and private educational institutions.
  • Businesses that sell or purchase personal information (including consumer credit information and tax file numbers), and credit providers (including energy and water utilities and telecommunications providers).

What Happens if a Breach of Personal Information is Suspected?

When a breach of personal information is suspected, organizations subject to the Privacy Act must:

  • Immediately start an investigation to determine the nature, extent, and severity of the breach.
  • Take all reasonable steps to complete the assessment within 30 calendar days from the day after the breach is suspected.

The Privacy Act is not prescriptive in how an investigation is conducted, but the OAIC recommends a three-stage process:

  1. Initiate to determine if an assessment is necessary, and who is responsible to complete that assessment.
  2. Investigate the breach, including what personal information is affected, who may have had access to the information, and what the likely impacts might be.
  3. Evaluate whether the identified breach is an eligible data breach.

If the breach is deemed an eligible data breach, the individual(s) affected must be notified.

‘Reasonable Steps’ To Protect Personal Data

In January 2015, the OAIC published the Guide to Securing Personal Information to advise organizations on what to implement to protect personal information. Part B of this document outlines a mix of administrative and technical controls across the following nine broad topics, which together are deemed the ‘reasonable steps’ that any entity subject to the Privacy Act is expected to put into place.

  • Governance, culture, and training
  • Internal practices, procedures, and systems
  • ICT security
  • Access security
  • Third party providers (including cloud computing)
  • Data breaches
  • Physical security
  • Destruction and de-identification
  • Standards

In addition, some agencies may be subject to further protections for personal information, such as security provisions set out in other frameworks like the Australian Government’s Protective Security Policy Framework and the Information Security Manual. Both documents are designed for government agencies, but can be used as guidance by any organization.

To effectively manage cybersecurity risk and satisfy the technical security controls required by the Privacy Act, an organization would conceivably have to procure and deploy multiple point security solutions. In addition, investigating suspected breaches using a myriad of tools can be challenging, especially given the 30-calendar-day window within which an assessment must be completed. Alternatively, organizations can pursue a unified solution that combines multiple essential security technologies into a single platform with a single management console. ASI Solutions’ USM does just that.

How can ASI work with you to ensure you are compliant?

With the ever-increasing risk of cyber threats in the environment, the sophistication of the tools we use to identify those threats and risks also needs to improve.

ASI Solutions can work with your organisation to present a Unified Security Management platform to address this requirement, as well as support options to monitor, identify, report on, and remediate discovered vulnerabilities.

For more information contact ASI’s Head of Services, Daniel Johns at djohns@asi.com.au, or 0407 544 821.