20 Sep 2018

Unpacking Australia’s Notifiable Data Breaches scheme

Australia’s Notifiable Data Breaches (NDB) scheme came into effect on 22 February this year, mandating that organisations responsible for or aware of serious data breaches inform the Office of the Australian Information Commissioner (OAIC).

It was timed to increase awareness and accountability within corporate Australia around cyber security and data privacy amid a sharp increase in incidents both here and overseas, as well as rising public and business community expectations.

The 2017 Australian Community Attitudes to Privacy Survey found that 94% of Australians believe they should be told if a business loses their personal information. Ninety-five percent said they should be told if a government agency loses their personal information.

Who needs to know?

All Australian organisations governed by the Privacy Act 1988 are affected by the NDB scheme, including any commercial entity with a turnover exceeding $3 million.

Exemptions include intelligence agencies, not-for-profit organisations and credit reporting bodies, as well as political parties – possibly because there are simply too many data breaches and leaks to keep track of.

Importantly, companies that make a commercial gain from sharing personal information are affected by the NDB scheme regardless of whether they turn over less than $3 million a year, and any business can choose to opt in to the scheme.

Staff working for organisations covered by the NDB scheme are also liable for failing to report data breaches likely to cause ‘serious harm’, with organisations and individuals facing the prospect of heavy fines for failing to comply.

What breaches need to be reported?

The NDB scheme uses the phrase ‘eligible data breaches’ to specify that not all breaches require reporting.

An eligible data breach means the unauthorised access, loss, or disclosure of personal information that could cause serious harm to those whose personal information has been compromised.

Examples include:

  • Loss or theft of a device containing customers’ personal information;
  • A database containing personal information is hacked; or
  • When personal information is mistakenly shared with someone other than the intended recipient.

An employee browsing sensitive customer records without any legitimate purpose could therefore constitute a data breach, as they do not have authorised access to the information in question.

How to notify

When an agency or organisation is aware of reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm.

The Privacy Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.

The notification to affected individuals and the Commissioner must include the following information:

  • The identity and contact details of the organisation;
  • A description of the data breach;
  • The kinds of information concerned; and
  • Recommendations about the steps individuals should take in response to the data breach.

What can the OAIC do when organisations don’t comply?

The Privacy Act confers a range of enforcement powers on the Commissioner, including:

  • Accept an enforceable undertaking
  • Bring proceedings to enforce an enforceable undertaking
  • Make a determination
  • Bring proceedings to enforce a determination
  • Report to the Minister in certain circumstances following a CII, monitoring activity or assessment
  • Seek an injunction including before, during or after an investigation or the exercise of another regulatory power
  • Apply to the court for a civil penalty order for a breach of a civil penalty provision.

The ‘civil penalty provisions’ in the Privacy Act include:

  • A serious or repeated interference with privacy (s.13G) – 2000 penalty units (current total is $420,000)
  • The maximum penalty that the court can order for a body corporate is five times the amount listed in the civil penalty provision (current maximum $2.1 million).


The financial implications of getting it wrong are high, so how best can you avoid falling into that trap? We’ve got 5 key tips to help you prevent a data breach from occurring. Read about them in our blog: 5 ways that you can prevent becoming one of last quarter’s 242 data breaches.

To see how you’re faring, download your copy of our ‘New data regulations: is your business compliant?’ here now.

Contact Brennan IT today to find out what your obligations are under the NDB scheme and Privacy Act 1988, and how to make sure not only that your organisation understands its responsibilities, but that you also never need to act on them.
