Compliance for Mobile Devices


What is the Notifiable Data Breaches scheme?

The amendment to the Australian Privacy Act established the Notifiable Data Breaches scheme in Australia, and became effective from the 22nd of February 2018. The NDB scheme strengthens protections to personal information, providing affected individuals with an opportunity to take steps to protect their personal information following a data breach. The consequences of failing to notify or not complying with the scheme attract a maximum penalty of up to $360,000 for individuals and $1,800,000 for corporations.

Who must comply with the notifiable data breach scheme?

The following entities must comply with the scheme:

1. Australian government agencies
2. All businesses and not-for-profit organisations with an annual turnover of 3 million dollars or more
3. Small businesses including:
    - All private sector health providers
    - Those that trade in personal information
    - Companies that use tax file numbers, however if the annual turnover is below 3 million dollars the NDB scheme will apply only in relation to tax file number information
    - Those that hold personal information in relation to certain activities, for example providing services to the Commonwealth under a contract

What is an eligible data breach under the scheme?

An eligible data breach arises when the following three criteria are satisfied:

1. There is unauthorized access to or disclosure of personal information or a loss of personal information that an organization holds
2. This is likely to result in serious harm to one or more individuals
3. The organization has not been able to prevent the likely risk of serious harm with remedial action

What is a data breach?

Unauthorized access:

This occurs when personal information is accessed by someone who is unauthorized to do so

Unauthorized disclosure:

This occurs when an organization whether intentionally or unintentionally makes personal information accessible or visible to others outside the organization and releases that information from its effective control in a way that is not permitted by the Privacy Act

Loss of information:

This refers to the accidental or inadvertent loss of personal information held by an organization where it is likely to result in unauthorized access or disclosure

What types of data are involved in a data breach?

There are some kinds of personal information that may be more likely to cause an individual serious harm if compromised:

- Sensitive information, such as information about an individual's health
- Documents commonly used for identity fraud, including a driver's license and passport details...
- Financial information

When should you notify?

A notifiable breach event happens when the following criteria are met:

- A data breach occurred
- The breach will likely result in serious harm
- The organization holding this information was not able to prevent the risk of serious harm

Who should you notify?

You must notify any individuals that are at risk of serious harm as a result of the data breach. You must also notify the Australian Information Commissioner. There are three options for notifying affected individuals:

1. Notify all individuals whose personal information is involved in the eligible data breach
2. Notify only the individuals who are at likely risk of serious harm
3. Publish your notification and publicize it with the aim of bringing it to the attention of all individuals at likely risk of serious harm

How to notify affected individuals and the Office of the Australian Information Commissioner (OAIC)?

Your notification and statement to the OAIC must include the following information:

- The identity and contact details of your agency or organisation
- A description of the eligible data breach
- The kinds of information involved in the eligible data breach
- What steps your agency or organization recommends that individuals take in response to the eligible data breach

When to conduct an assessment?

If you suspect a data breach which may meet the threshold of “likely to result in serious harm” then you must conduct an assessment.

Generally there is a maximum of 30 days to conduct this assessment. This begins from when you become aware of a potential breach.

You should review your data breach response framework to ensure that relevant personnel will be made aware of a breach as soon as possible.

It is not expected that every data breach will require an assessment that takes 30 days to complete before notification occurs. You must notify as soon as possible once you hold the belief an eligible data breach has occurred.

What is involved in an assessment?

The Act says assessments must be reasonable and expeditious. It is up to entities to decide what process to follow when conducting an assessment. Generally an assessment should cover the following three stages:

1. Initiate: decide whether an assessment is necessary, and identify which person or group will be responsible for completing it
2. Investigate: quickly gather relevant information about the suspected breach including for example what personal information is affected, who may have had access to the information and the likely impacts
3. Evaluate: make a decision based on the investigation about whether the identified breach is an eligible data breach