What Your School Needs to Know About the Notifiable Data Breach Scheme (NDBS)
March 29, 2019
Let’s be honest. With the digital world consuming so much of our day-to-day, and so much of our data circling around the interwebs, it’s no wonder that data security has become a hot topic in the last 12 months.
First we saw the GDPR (General Data Protection Regulation). Then we saw Facebook getting themselves in quite the pickle and losing the trust of, well, everyone on Earth. And now we have the Notifiable Data Breach Scheme (NDBS). And yes, most of us are asleep by the time we’ve finished reading its name. But if you are someone who is responsible for the collection, use, or storage of any personal information within your school, then bookmark this blog, because the NDBS impacts you.
Okay, so what is the NDBS?
To put it simply: the NDBS was put into place to ensure the right people get notified when there has been a security breach (personal data being shared, whether unintentionally or maliciously). A breach can range from an employee unknowingly attaching the wrong document to an email, through to a large-scale cyber hack, Mr Robot style (but nowhere near as entertaining).
The test the Australian government sets for whether something counts as a breach is whether a ‘reasonable person’ would believe the breach will cause the affected individuals ‘serious harm’. This harm can take the form of psychological, emotional, physical, reputational, or other damage.
For example, sharing a parent’s email address with your marketing manager is okay (as long as they have provided consent for you to do so). On the other hand, sharing their home address with another parent is a no-no.
The second part of the test is that your school has been unable to take remedial action to avoid the potential harm, like recalling the wrongly sent email.
What happens if there is a breach?
The NDBS is in place to make sure that the right people get notified before any harm is caused, but also to make sure that people aren’t notified unnecessarily. If your school meets the requirements for a breach, you have 30 days from when the suspected breach occurred to submit an assessment to the OAIC (the Office of the Australian Information Commissioner). This assessment must contain all of the gory details about what kind of data has been shared and how the breach happened.
During this time you also need to contact the affected parties to make sure they are aware of the breach and what might happen to them because their data has been shared. You should also include possible remedies, like advising them to change their password.
The NDBS applies to organisations with obligations under the Privacy Act 1988. This includes all Australian Government agencies, some small business operators (those that trade in personal information, all private sector health service providers, TFN recipients, and those that hold personal information in relation to certain activities), and all businesses and not-for-profit organisations with an annual turnover of $3 million or more.
Given this, your school should have a plan in place for what to do when a breach occurs, and the right protocol to ensure you comply with the NDBS.
Make sure your data is as secure as it can be. Educate your staff on what to do when accidents happen. Review your processes to ensure they align with what the NDBS requires. And ensure that everyone knows how to react if a malicious breach should occur.
The more prepared you are to comply with the NDBS when needed, the more swiftly you can deal with privacy issues. When it comes to their kids, that’s the number one priority of every parent, and it should be yours too.
If you’re curious to hear more about how your school can comply with the NDBS, get in touch. The Digistorm team is here with the best education and software for schools to make sure that your data is better protected, better organised, and better cared for!