The Office of the Australian Information Commissioner (OAIC) recently published new draft resources to assist organisations to prepare for the Notifiable Data Breaches Scheme, which is scheduled to commence on 22 February 2018. Consultation on the draft resources is open until 23 October 2018.
The OAIC considers that a data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. It offers the following examples to illustrate this:
- a device containing customers’ personal information is lost or stolen
- a database containing personal information is hacked
- personal information is mistakenly provided to the wrong person.
Even if your not-for-profit organisation does not wish to provide feedback on these drafts, you may find it helpful to review these resources with a view to updating your risk register and data governance policy before the new requirements take effect early next year.
If you have not yet considered cyber-risk insurance, it would also be timely to talk to your insurance broker about obtaining suitable cover for this growing area of risk.