Australian Government - Office of the Australian Information Commissioner

Notifiable Data Breaches: guidance for businesses and agencies

Overview

What is the Notifiable Data Breaches scheme?

The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches (NDB) scheme in Australia.

The NDB scheme requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify any individuals likely to be at risk of serious harm by a data breach.

This notice must include recommendations about the steps that individuals should take in response to the data breach. The Australian Information Commissioner (Commissioner) must also be notified.

Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.

What is a Notifiable Data Breach?

A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.

A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.

Examples of a data breach include when:

  • a device containing customers’ personal information is lost or stolen
  • a database containing personal information is hacked
  • personal information is mistakenly provided to the wrong person.

Why is the NDB scheme important?

The NDB scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that organisations respond to serious data breaches.

This in turn supports consumer and community confidence that personal information is being respected and protected.

It also gives individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.

When does it take effect?

The NDB scheme will commence on 22 February 2018. It only applies to eligible data breaches that occur on, or after, that date.

Section 6 of the Privacy Amendment (Notifiable Data Breaches) Act 2017 says that the scheme applies to incidents where personal information is subject to unauthorised access or disclosure, or is lost, following the scheme’s commencement.

An organisation that discovers a data breach before 22 February 2018 is not subject to the NDB scheme. If the organisation discovers the breach after 22 February 2018, but the breach occurred prior to that date, the breach is not an eligible data breach for the purposes of the NDB scheme.

However, certain data breaches occur over a period rather than at a discrete point in time. For example, a system may be compromised by an attacker before 22 February 2018, with data subsequently stolen both before and after 22 February 2018. While entities will need to assess their particular circumstances, in such a situation, the OAIC suggests that entities should assume that the breach is subject to the NDB scheme.

Example 1 – Data breach that occurs before the NDB scheme takes effect

On 30 March 2018, a routine IT security assessment reveals that an unauthorised third party accessed a business’s customer database on 10 February 2018. The business’s IT security analysis determines that the unauthorised third party downloaded a data file containing the names and email addresses of 5,000 customers, but concludes that there was no further unauthorised access after 10 February 2018. Because the breach occurred before 22 February 2018, notification under the NDB scheme is not required.

Example 2 – Data breach that is ongoing when the NDB scheme commences

On 1 April 2018, an organisation discovers that an employee inadvertently placed a data file containing the name and health information of its customers on a publicly accessible website. The organisation conducts an assessment, and finds that the file was placed on its website in December 2017, but was downloaded both before and after 22 February 2018. Because the data breach (namely, the unauthorised disclosure of personal information) occurred both before and after 22 February 2018, the NDB scheme applies and notification may be required.

Resources to prepare for the NDB scheme

We recommend that all organisations review their practices, procedures and systems for securing personal information in preparation for the scheme. The OAIC has a comprehensive Guide to securing personal information to assist you with this.

Organisations should also prepare or update their data breach response plan to ensure that they are able to respond quickly to suspected data breaches. The OAIC’s Data breach notification — A guide to handling personal information security breaches and Guide to developing a data breach response plan provide a best practice model, and will be updated in consultation with stakeholders ahead of the commencement of the NDB scheme.

Our privacy management framework sets out the steps that the OAIC expects organisations to take to ensure good privacy governance and compliance with the Privacy Act.

Who must comply with the NDB scheme

The NDB scheme will apply to businesses, Australian Government agencies, and other organisations that are already required by the Privacy Act to keep information secure.

More information: 'Entities covered by the NDB scheme' (draft guidance)

Which data breaches are notifiable

Not all data breaches are notifiable — the NDB scheme only requires organisations to notify when there is a data breach that is likely to result in serious harm to any individual to whom the information relates. Exceptions to the NDB scheme will apply for some data breaches, meaning that notification to individuals or to the Commissioner may not be required.

More information: 'Identifying eligible data breaches' (draft guidance) and 'Exceptions to notification obligations' (draft guidance)

Assessing suspected data breaches

Organisations that suspect an eligible data breach may have occurred are required to undertake a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm.

More information: 'Assessing a suspected data breach' (draft guidance)

How to notify

Where an organisation becomes aware that there are reasonable grounds to believe an eligible data breach has occurred, it is obliged to notify individuals at likely risk of serious harm, and the Commissioner, as soon as practicable. This notification must set out:

  • the identity and contact details of the organisation
  • a description of the data breach
  • the kinds of information concerned, and
  • recommendations about the steps individuals should take in response to the data breach.

The role of the OAIC in NDB scheme regulation

The Commissioner will have a number of roles under the NDB scheme. These include:

  • receiving notifications of eligible data breaches
  • encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance
  • offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.

Keep informed

To keep up-to-date on the latest privacy news, sign up to our Privacy Professionals’ Network (PPN). The OAIC regularly holds events across the country for members of the PPN.