Fund managers and other businesses need to understand the new notifiable data breaches (NDB) scheme where entities have notification obligations when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach. Funds management lawyer Elliott Stumm highlights the key concerns and requirements.
From 22 February 2018, the NDB scheme applies to all entities with existing personal information security obligations under the Privacy Act. Among other business types, Australian fund managers operating managed investment schemes generally have personal information security obligations under the privacy laws (irrespective of the size of their business) due to their obligations under the Anti-Money Laundering and Counter-Terrorism Financing legislation.
Notice of the relevant data breach must be provided to the Australian Information Commissioner and the affected individual, so there is real reputational risk if notice of a breach must be given.
All affected entities must ensure they are in a position to comply with the NDB scheme by 22 February 2018, including preparing or updating their data breach response plan. The Office of the Australian Information Commissioner has published resources to assist entities with meeting their obligations under the NDB scheme.
Our Funds Management team can help with determining whether the NDB scheme applies to your business and provide advice about how you can ensure you are in a position to comply with the scheme.