Monday, 12 February 2018

Notifiable Data Breach Scheme: What Are My Obligations?

Written by Ray Sun

Reading Time: 3 minutes

While technology has helped improved business growth and efficiency, it has also made businesses vulnerable to cyber-crime. In fact, studies shows that 43% of cyber-crime incidents are directed towards small businesses, yet only 33% of businesses with fewer than 100 employees do not take proactive measures against cyber security breaches.

Fortunately, the issue of cyber-security has recently been gathering national attention following the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 which established the Notifiable Data Breaches (NDB) scheme in Australia. But what is the NDB scheme? When does it apply? What do I have to do? Find out the answers below or connect with a privacy lawyer for more specific legal advice according to your circumstances.

What is the purpose of the NDB Scheme?

The NDB scheme purports to:

  • strengthen the protections afforded to everyone’s personal information,
  • improve transparency in the way agencies and organisations respond to serious data breaches,
  • support greater community confidence that personal information is being protected and respected,
  • encourage a higher standard of personal information security across Australian industries.

To achieve the above aims, the scheme will prescribe a notification procedure so that affected entities can take steps to minimise the damage resulting from a data breach.

The NDB Scheme will be administered by the Office of the Australian Information Commissioner’s (OAIC). Here, the OAIC will be responsible for:

  • receiving notifications of eligible data breaches,
  • encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance,
  • offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.

When does the NDB Scheme apply?

The NDB scheme will come into effect on 22 February 2018. Thereafter, the NDB scheme will apply to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988. This includes:

  • Australian Government agencies,
  • businesses and not-for-profit organisations with an annual turnover of $3 million or more,
  • credit reporting bodies,
  • health service providers, and
  • TFN recipients.

How does the NDB ‘notification procedure’ work?

Step 1: Identify an ‘eligible data breach’

The trigger for the application of the NDB scheme is when an ‘eligible data breach’ occurs.

An ‘eligible data breach’ is defined as a ‘data breach’ involving personal information that are likely to result in serious harm to any individual affected. For present purposes, a ‘data breach’ occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.

Check out the OAIC’s resource sheet for examples of eligible data breaches.

But not all ‘eligible data breaches’ will trigger the notification requirements of the NBD scheme. Exempted eligible data breaches are those that relate to:

  • eligible data breaches of other entities (see data breaches involving more than one organisation)
  • enforcement related activities
  • inconsistency with secrecy provisions
  • declarations by the Commissioner.
  • Data breaches that are notified under s 75 of the My Health Records Act 2012 (My Health Records Act).

Step 2: Assess the suspected data breach

The purpose of this step is to confirm that the data breach which occurred is in fact an ‘eligible data breach’.

Once you suspect an eligible data breach, you are obliged to undertake a ‘reasonable and expeditious assessment’ of it to determine if it is likely to result in serious harm to any individual affected. Here, ‘reasonable’ means “reasonable grounds of belief” while ‘expeditious’ means “30 calendar days after the day you become aware of a suspected data breach”.

As to the method of assessment, the OAIC recommends a three-stage process involving (1) Initiate, (2) Investigate, and (3) Evaluate.

Step 3: Notify individuals and the OAIC

Once your assessment has confirmed that there are reasonable grounds to suspect an ‘eligible data breach’, you are obliged to promptly notify individuals who are at likely risk of serious harm.

In addition, you are obliged to notify the OAIC as soon as practicable through an ‘eligible data breach statement’.

Both your notification to affected individuals and the OAIC must indicate:

  • the identity and contact details of your organisation,
  • a description of the data breach,
  • the kinds of information concerned and;
  • recommendations about the steps individuals should take in response to the data breach.

What if I don’t follow the NDB scheme?

Failure to comply with the NDB scheme when necessary will carry significant financial penalties of up to $360,000 for individuals and $1.8 million for organisations. Indeed, such penalties would have a devastating impact on non-compliant small businesses.


If you run a small business that collects personal information from customers and staff, it is imperative that you take the time leading up to 22 February 2018 to understand the NDB scheme. That way, you minimise the risk of failing to comply with the Scheme and thus avoid its hefty penalties. Again, it is highly recommended that you consult a privacy lawyer who can acquaint you on the procedure required under the NDB Scheme. In the meantime, it is also a good idea to check out the Cyber Security Best Practice Guide and the summary resource sheet by the OAIC.

Need to find a privacy lawyer? Contact a LawPath consultant on 1800 529 728 to learn more about customising legal documents, obtaining a fixed-fee quote from our lawyer marketplace or any other legal needs.


Create and access documents anytime, anywhere

Sign up for one of our legal plans to get started.

You may also like