Speak Out June 2018

Notifiable Data Breach (NDB) scheme

SPA has produced an FAQ document to help members develop a data breach response plan and understand their obligations under the Notifiable Data Breach (NDB) scheme. It can be found in the legal section of our website under Professional Resources. Guild Insurance has provided the following information for SPA members.

How will the Notifiable Data Breach Scheme affect you?

On 22 February 2018 the new mandatory Notifiable Data Breaches (NDB) scheme comes into force for all Australian Privacy Principle (APP) entities. Under the NDB scheme, affected entities regulated by the Australian Privacy Act will be obligated to notify individuals affected by an eligible data breach that is likely to result in serious harm. These entities are also required to notify the Australian Information Commissioner.

APP entities covered by the NDB scheme

You are considered an APP entity if you fall into one of the following categories:
> Businesses and not-for-profit organisations with an annual turnover of more than $3 million
> Private sector health services providers (including alternative medicine practices, gyms and weight loss clinics, which fall under this category)
> Child care centres, private schools and private tertiary education institutions
> Some smaller organisations, such as those that handle health data
> Australian government agencies
> Businesses that sell or purchase personal information, along with credit reporting bodies, and
> Individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records.

For Guild Insured professionals, this will affect Pharmacies, Healthcare Practitioners, Childcare centres and Preschools, OOSH and Vacation Care Services, Fitness Centres and Fitness Studios, and anyone else considered an APP entity. For more information about APP entities covered by the NDB scheme visit:
> oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/entities-covered-by-the-ndb-scheme

Eligible data breaches

The NDB scheme only applies to data breaches involving personal information that is likely to result in serious harm to any individual affected. These are referred to as ‘eligible data breaches’. A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates.

Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in the entity’s position. Serious harm in the context of the reporting requirements may include serious physical, psychological, emotional, economic, reputational and financial harm, as well as any other form of serious harm that the breach could cause to the affected person(s). For more information about identifying and assessing eligible data breaches visit:
> oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/identifying-eligible-data-breaches
> oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/assessing-a-suspected-data-breach


June 2018 www.speechpathologyaustralia.org.au
