When we talk about the Notifiable Data Breach Scheme (NDBS) and the changes to the Privacy Act 1988, a lot has been left ‘undefined.’ This doesn’t help your average business owner or management team, so we at Qbt Consulting want to help out a little and offer our take on what is classed as Eligible Data.
Serious Harm
According to the act, the data they’re looking at refers to a number of things. Mainly anything that can be used to cause Serious Harm to an individual, or a group of individuals. First, we must understand what is meant by Serious Harm. According to the OAIC information, the following is considered Serious Harm:
- identity theft
- a significant financial loss by the individual
- threats to an individual’s physical safety
- loss of business or employment opportunities
- humiliation, damage to reputation or relationships
- workplace or social bullying or marginalisation
Eligible Data
We can now move on to define what Eligible Data is.
As this is a new change, not a lot is definitively outlined. When determining, we must use the generally accepted definitions and meanings of the words. A good gauge on what data could be used to cause Serious Harm are:
- ‘sensitive information’, such as information about an individual’s health
- documents commonly used for identity fraud (including Medicare card, driver licence, and passport details)
- financial information
- a combination of information that can be used to develop a profile about the person
So, in relation to the NDBS, Eligible Data is considered anything that can be used to cause an individual Serious financial, emotional, physical and reputational harm. Pieces of information such as healthcare records, financial information, identifiable documents such as passports and drivers licenses can be used to cause this damage.
Ensuring that your business stores, manage access and encrypts any client, customer or staff information is paramount moving forward. Empowering your staff to be your Human Firewall is also a major step in the right direction. The responsibility of placing data security at the front of mind to all employees has moved away from the IT Department. It is now something that must be tackled everywhere in the business. From the Boardroom to the reception desk.