The Notifiable Data Breaches (NDB) scheme of the Privacy Act, which came into effect in February 2018, requires entities to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of certain data breaches. As a general rule, the NDB scheme applies to agencies and organisations with revenue over $3 million and, in certain cases, to others such as those that have contractual arrangements with government.
Despite the “small business exemption” in the Privacy Act, RCSA is taking the view that most Members will be covered because they trade in the supply of personal information – e.g. information about candidate suitability. There may be some exceptions. But remember, RCSA Members’ Code of Professional Conduct responsibilities require them to take reasonable steps to maintain the privacy of information obtained in the course of their professional practice, regardless of whether there is any strict legal obligation to do so.