
Notifiable Data Breaches

simPRO legal information

What is the Notifiable Data Breaches (NDB) Scheme?

The Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia (to be Part IIIC of the Privacy Act 1988 on commencement).

The NDB scheme sets out obligations for notifying affected individuals and the Australian Information Commissioner about a data breach that has occurred and is likely to result in serious harm. The NDB scheme seeks to strengthen protections for personal information. It includes provisions that give affected individuals an opportunity to take steps themselves to reduce their risk of harm following such a data breach.

How simPRO will respond to a suspected data breach

simPRO has a comprehensive information security management program in place with the aim of preventing data breaches.

In the event that a data breach does occur, simPRO has a documented Data Breach Response Plan in place to meet its obligations under the NDB scheme. This plan includes notifications to affected individuals and supervisory authorities as required under the scheme.

For further information about how simPRO handles personal information, please refer to our Privacy Policy.

How clients can manage their obligations under the NDB

Whilst simPRO has a responsibility to manage the overall security of simPRO-provided systems and services, there are also obligations on simPRO customers under the NDB.

Clients need to ensure they are reviewing/auditing the access they provide to users of their simPRO system. It is important that security permissions are set to suit the use case and that unused or expired accounts have their access removed to limit the potential for unlawful access to data. simPRO provides user access logs for this purpose, and these should be reviewed periodically for any sign of illicit use of your simPRO system.

In the event you become aware or concerned that unlawful access to or use of your system has taken place, this should be reported in the first instance to simPRO so that the activities can be fully investigated and steps taken under simPRO's Data Breach Response Plan if required.