13 min read

Notifiable Data Breach [NDB] Scheme and what you need to do

Featured Image

Privacy of personal information in Australia

The Privacy Amendment (Notifiable Data Breaches) Act 2017 has established the Notifiable Data Breaches (NDB) scheme in Australia.

The NDB scheme applies to all organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act).

The NDB scheme commences on 22 February 2018. It only applies to eligible data breaches that occur on or after that date.

Do the NDB requirements apply to your organisation?

If you are a business or non-for profit organisation with an annual turnover of $3 million or more this applies to you.


If your business has an annual turnover of $3 million or less and meets one of the following criteria, the Privacy Act will apply to your business or some aspects of it.

  • If you hold an individual’s personal information, or have given another organisation this information to hold you have an obligation under the NDB scheme.

  • If you are:​

    • a trader in personal information such as buying or selling a mailing list

    • a provider of services under a Commonwealth contract

    • an operator of a residential tenancy database

    • a credit reporting body

    • Organisations) Act 2009- an employee association registered or recognised under the Fair Work (Registered

    • a provider of protection action ballots [secret ballots]

    • information is retained under the mandatory data retention scheme, as per Part 5-1A of the Telecommunications (Interception and Access) Act 1979.

More detail is provided by the OAIC – go to: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/entities-covered-by-the-ndb-scheme

What is personal information?

‘Personal information’ is defined in s 6(1) of the Privacy Act to include information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

What is an eligible data breach?

An eligible data breach involves personal information likely to result in serious harm to any individual affected. These are referred to as ‘eligible data breaches’.

‘Serious harm’ can include psychological, emotional, physical, financial, reputational or other forms of harm.

This occurs when:

  • there is unauthorised access to or unauthorised disclosure of personal information, or loss of personal information that an organisation holds,

  • the information disclosed is likely to result in serious harem to one or more individuals, and

  • the organisation has not been able to prevent the likely risk of serious harem with remedial action

If all of the above apply, then this is an eligible data breach.


If you suspect a data breach has occurred

Assess a suspected data breach immediately [or no later than 30 days after becoming aware of the data breach risk as an absolute maximum]

  • If an organisation only suspects that it may have experienced a data breach, it must immediately assess the situation to decide whether or not there actually has been a [eligible] data breach.
  • The assessment must be reasonable and undertaken quickly following a standard procedures and protocols set up by the organisation and known to the individuals who need to undertake the assessment.


When a data breach has occurred

If an organisation has reasonable grounds to believe a [eligible] data breach has occurred, then they must promptly notify individuals whose data has been breached and the Commissioner about the breach.

  1. Prepare a statement for the Commissioner and notify individuals of the contents of this statement.
  2. Notification to individuals

Notify all individuals or only those individuals at risk of serious harm

a) If an organisation can’t reasonably assess who are at risk of serious harm form the data breach then the most practical approach is to notify all individuals whose personal data was or could be part of the data breach.

b) If the organisation can specifically identify those individuals whose data was breached then the notification can be specific to these individuals.

Notification methods to individuals could include:

  • Telephone,

  • SMS

  • Letter

  • Social media posts

c) If it is not possible to do either of the above as it may not be known whose data was breached or the current details of individuals for notification purposes are not available, the organisation must publish a copy of the statement on its website and take all other reasonable steps to publicise the content of the statement provided to the Commissioner.These steps must be proactive in providing information and the notification on the website must remain for a period of no less than 6 months.

When notification is through publication of the breach the following must be considered:

  • Ensure the nature of the risk of harm is clearly articulated e.g financials, credit card access etc

  • Give an indication of the cohort of affected individuals to assist persons in identifying whether they are part of the affected cohort

  • The approach to publicising the statement may depend on the publication method and associated costs.

  • Provide links for further information and contacts for affected persons

  • Ensure notices are clear, concise and transparent in the message they are communicating..


Content of notifications

Content of the notification must include the following as prescribed in the Statement to the Commissioner:

  • Organisations identity and contact details

  • Description of the breach

  • Type of information breached

  • Recommendations about the steps the individual should take in response to the breach


Timing of notifications

Organisations must notify individuals as soon as practicable after completing the statement prepared for notifying the Commissioner taking into consideration cost and time. This must be asap in order to meet the expectations of the Commissioner.

In many cases notification to individuals may occur before the Commission receives the required statement.

Keep a record of all notifications and their timing in order to satisfy due diligence should an audit take place.



What is the worst thing you can do?

The worst thing you can do is to do nothing and not be prepared to respond to a data breach.

  • Not being prepared in itself is a breach of legislation.

  • Doing nothing when a breach occurs is also a breach of legislation.


What is the least you can do?

  • Determine whether the legislation [Privacy Amendment (Notifiable Data Breaches) Act 2017] applies to you.

  • Where it applies, be prepared [Notifiable Data Breaches (NDB) scheme].