The Notifiable Data Breaches (NDB) Scheme went into effect on 22 February 2018. If your nonprofit is an entity covered by Part IIIC of the Privacy Act 1988, you will need to meet the requirements of the NDB Scheme.

Is Your Nonprofit Covered by the NDB Scheme?

Entities that are typically covered include agencies of the Australian Government, credit reporting bodies, providers of health services, tax file number (TFN) recipients, and businesses and nonprofits with $3 million or more in annual turnover.

Also known as Australian Privacy Principle (APP) entities, covered organisations must notify both the Australian Information Commissioner (AIC) and any affected individuals if they have reasonable grounds to believe that personal information they hold has been accessed or disclosed without authorisation (or has been lost in circumstances where that is likely to occur) and that the breach is likely to result in serious harm to the individuals concerned.

Common Events that Can Lead to Unauthorised Disclosure

When we think of personal information being disclosed without permission, we typically think of cybersecurity incidents in which files, records and other data are "hacked" or otherwise accessed illegally. Malware, spyware, computer viruses and external intrusions are certainly among the most common ways that personal information is obtained and used to cause serious harm, but they are not the only ones.

Physical files, as well as electronic ones, can also be accessed without authorisation if they are lost or stolen. Staff and other individuals can also make mistakes (for example, emailing a record to the wrong recipient) and release information verbally, on paper or electronically without permission.

Regardless of how the information was released, if the breach is likely to cause serious harm to an affected individual it qualifies as an eligible data breach and must be notified to the person or persons affected, as well as to the AIC.

What Happens When Nonprofits Believe a Data Breach Has Occurred?

Once an NFP becomes aware of, or has reasonable grounds to suspect, a data breach, it must carry out a reasonable and expeditious assessment (the scheme allows up to 30 days) to determine whether the breach is likely to cause serious harm to any individual. If it is, the NFP must then notify the AIC, as well as the affected individual(s), of the breach as soon as practicable. Where the organisation takes remedial action quickly enough that serious harm is no longer likely, the breach is not an eligible data breach and notification is not required.

At a minimum, this notification should include your NFP's name and contact details, a description of the breach and how it occurred, the kinds of information involved, and recommendations about the steps affected individuals should take to protect themselves and otherwise respond to the breach.

To learn more about data breach notifications, nonprofits can read the Office of the Australian Information Commissioner's guide, Data Breach Preparation and Response.

What Happens if My Nonprofit Fails to Comply?

Nonprofits and other entities should have policies, processes and procedures in place to prevent the release of confidential information. In addition to taking steps to strengthen the security of that information, they should develop a data breach response plan and take swift, decisive action when a breach occurs.

Nonprofits that fail to comply with the NDB scheme can face penalties of up to $2.1 million if a serious data breach occurs and they fail to notify or to remedy the situation that led to the unauthorised release. This gives nonprofits more reason than ever to update their systems and processes so that sensitive information about their members, beneficiaries, staff, volunteers, applicants and others who have shared confidential information with them is kept secure.

Four Steps NFP Boards Can Take to Prepare and Better Protect Data

NFP boards should review their existing privacy policies and assess the physical and electronic security procedures currently in place to protect personal information and other confidential data.

Make sure that staff and anyone else who uses or accesses systems where confidential information is kept have been trained in security best practices, so that they know how to keep your data safe and how to recognise and report a suspected breach.

Consider the processes your organisation uses to classify and protect data, and ensure that they are adequate to protect the information of everyone who interacts with, and provides information to, your nonprofit.

It's also a good idea to review your NFP's current insurance coverage at the same time, to ensure that your organisation is financially protected should a data breach occur.