The Australian Government has established a Notifiable Data Breaches (NDB) scheme, to ensure that affected individuals are notified about serious data breaches.
The NDB scheme will apply to all businesses, government agencies and other organisations covered by the Australian Privacy Act 1988 (Privacy Act) and will commence on 22 February 2018.
The Office of the Australian Information Commissioner (OAIC) is developing guidance and organising events to help organisations understand their obligations under the NDB scheme, and prepare for commencement.
This page provides an outline of the scheme and will provide updates on the development of guidance and event details as we prepare for 2018.
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.
Examples of a data breach include when:
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
The NDB scheme requires organisations to notify any individuals affected by these serious data breaches.
This notice must include recommendations about the steps that individuals should take in response to a serious data breach. The OAIC must also be notified.
Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.
The NDB scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that business and agencies respond to serious data breaches.
This in turn supports consumer and community confidence that personal information is being respected and protected.
It also gives individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.
The NDB scheme will commence on 22 February 2018.
We strongly recommend that all organisations review their practices, procedures and systems for securing personal information. The OAIC has a comprehensive Guide to securing personal information to assist you with this.
Organisations should also prepare or update their data breach response plan to ensure that they are able to respond quickly to suspected data breaches. The OAIC’s Data breach notification — A guide to handling personal information security breaches and Guide to developing a data breach response plan provide a best practice model, and will be updated in consultation with stakeholders ahead of the commencement of the NDB scheme.
Our privacy management framework sets out the steps that the OAIC expects organisations and agencies to take to ensure good privacy governance and compliance with the Privacy Act.
The OAIC will work with businesses, agencies and other stakeholders to develop practical guidance on complying with the NDB scheme.
Our NDB guidance will focus on key changes to current best practice, including the threshold for notifying a serious data breach, and assessing suspected data breaches. Our guidance will also clarify the OAIC’s regulatory role in the NDB scheme.
There will also be a series of consultation events on the NDB scheme held in Australian capital cities through the Privacy Professionals' Network.
To keep up-to-date on the latest privacy news, sign up to our Privacy Professionals’ Network.
This page will be updated as events are announced, and as material is released for consultation and comment.
You can also email us directly with your questions at firstname.lastname@example.org.