HR Professionals can’t ignore NDB

In February 2017, the Notifiable Data Breaches (NDB) legislation was passed as an Amendment to the Australian Privacy Act (1988), with the new regime coming into effect on 22 February 2018. It’s literally just around the corner, so now is the time to make sure you understand what you’re required to do and how, as an HR professional, you can locate and protect your current and past sensitive employee data.

The NDB scheme is meant to aid people whose personal information has been breached, by helping them regain some control sooner rather than later. It requires businesses to notify both the Office of the Australian Information Commissioner (OAIC) and any affected individuals if there is any unauthorised access, disclosure, or loss of personal information, if a reasonable person would conclude that this access, disclosure or loss would be likely to result in serious harm. This should be enough to raise the blood pressure of any HR professional!

In our experience, the HR department stores everything from personally identifiable information (PII) and national provider identifiers (NPI), such as tax IDs, to compensation data, disciplinary history, such as sexual harassment, bullying and performance management issues, and medical history, such as substance abuse and depression/anxiety disorders.

Let’s look at some examples. The leaking of someone’s salary information would be unwanted and undesired, but this would not necessarily cause serious harm (unless you’ve been skimping on your partners’ birthday present!). However, a breach of disciplinary or medical history, could certainly cause serious harm. While identity theft is top of the list, reputational damage and credibility are high up there as well. As an HR professional, you understand how damaging this could be to the future professional advancement of an individual.

Any such leak or breach of data in your organisation would require you to report it to the OAIC, and disclose the breach to the individual/s affected.

So, how can you mitigate risk by being proactive. Here are some simple steps to follow:

  1. Locate your sensitive HR data using a data discovery tool
  2. Decide what information you can delete, and what information needs to be kept
  3. Separate your sensitive HR data (e.g. medical claims) from the public HR data (e.g. employee handbook)
  4. For the data that is sensitive, make sure it is securely stored using encryption, and access to it is tightly controlled – so even IT administrator accounts can’t decrypt it

Encrypting data before it’s stored is an excellent way to protect your current, past and future employees’ important data, and to ensure you won’t need to contact the OAIC and they won’t need to track you down either!

December 19, 2017