Australian Privacy Act: Notifiable Data Breaches Scheme

The Australian gov’t has stepped up its anti-data breach measures.

Following the enactment of Privacy Amendment (Notifiable Data Breaches) Act 2017, a new Notifiable Data Breaches Scheme (NDBS) has been set in motion by the Office of the Australian Information Commissioner (OAIC) effective 22 February 2018.

What is Notifiable Data Breaches Scheme

Once the NDB scheme is in effect on 22 February, data breach notifications will be mandatory. Individuals and organisations are required to report any eligible data breach to the OAIC and the affected entities.

The scheme compensates any entity who experiences serious harm or damage as a result of loss or unauthorised access or disclosure of personal information. Civil penalties of up to $1.7m may be enforced if a breach is verified.

Who must comply the NDB Scheme

The NDB scheme addresses agencies, organisations and other entities that the Privacy Act recognises. This includes Australian Government agencies, businesses and non-profit organisations (with turnover of $3 million+ per annum), credit reporting bodies, health service providers, and TFN recipients, etc.

What is considered as an eligible data breach

An eligible data breach arises when these three criteria are met:

• There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
• This is likely to result in serious harm to one or more individuals (see, Is serious harm likely?), and
• The entity has not been able to prevent the likely risk of serious harm with remedial action (see, Preventing serious harm with remedial action).

How to report a data breach

Individuals and organisations can lodge any suspected or known eligible data breach by filling out the Notifiable Data Breach statement — Form.

In-depth information about the NDB scheme is accessible on the OAIC’s website.