Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Draft: Entities covered by the NDB scheme

pdfPrintable version439.24 KB

The Office of the Australian Information Commissioner (OAIC) published this resource as an exposure draft on 2 June 2017. Comments are now closed.

Key points

  • In general terms, agencies and organisations (entities) that are already covered by the Privacy Act 1988 (Cth) (‘Privacy Act’) must comply with the Notifiable Data Breaches (NDB) scheme.
  • More precisely, the scheme applies to those entities that the Privacy Act requires to take steps to secure certain categories of personal information. Namely, Australian Privacy Principle (APP) entities, credit reporting bodies, credit providers, and tax file number (TFN) recipients.
  • Entities that have Privacy Act security obligations in relation to particular types of information only (for example, small businesses that are required to secure tax file number information) do not need to notify about data breaches that affect types of information outside the scope of their obligations under the Privacy Act.

Back to Contents

APP entities

The NDB scheme applies to entities that have an obligation under APP 11 of the Privacy Act to protect the personal information they hold (s 26WE(1)(a)).[1] Collectively known as ‘APP entities’, these include most Australian Government agencies, some private sector and not-for-profit organisations, and all private health service providers. The definition of APP entity generally does not include small business operators, registered political parties, state or territory authorities, or a prescribed instrumentality of a state (s 6C).

For more information about APP entities, see paragraphs [B.2]-[B.9] of the Australian Privacy Principle Guidelines (APP Guidelines).[2]

Back to Contents

Small business operators

A small business operator (SBO) is an individual (including a sole trader), body corporate, partnership, unincorporated association, or trust that has not had an annual turnover of more than $3 million in any financial year since 2001 (s 6D).

Generally, SBOs do not have obligations under the APPs unless an exception applies (s 6D(4)).

If an SBO falls into one of the following categories they are not exempt and must comply with the APPs, and therefore with the NDB scheme, in relation to all of their activities:

  • entities that provide health services
  • entities related to an APP entity
  • entities that trade in personal information
  • credit reporting bodies
  • employee associations registered under the Fair Work (Registered Organisations) Act 2009, and
  • entities that ‘opt-in’ to APP coverage under s 6EA of the Privacy Act.

If an SBO carries on any of the following activities it must comply with the APPs, and therefore must comply with the NDB scheme, but only in relation to personal information held by the entity for the purpose of, or in connection with, those activities:

  • providing services to the Commonwealth under a contract
  • operating a residential tenancy data base
  • reporting under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
  • conducting a protected action ballot, and
  • information retained under the mandatory data retention scheme, as per Part 5-1A of the Telecommunications (Interception and Access) Act 1979.

More information about how to determine whether a business or organisation is an APP entity or subject to the APPs for some of its activities is available at ‘Privacy business resource 10: Does my small business need to comply with the Privacy Act?[3]

Back to Contents

Credit reporting bodies

A credit reporting body (CRB) is a business or undertaking that involves collecting, holding, using, or disclosing personal information about individuals for the purpose of providing an entity with information about the credit worthiness of an individual (s 6P). Credit reporting information is defined as credit information or CRB derived information about an individual (s 6(1)).

CRBs have obligations under the NDB scheme in relation to their handling of ‘credit reporting information’ (s 26WE(1)(b)), and in relation to their handling of any other personal information for which they have obligations under APP 11.

Back to Contents

Credit providers

The NDB scheme applies to all credit providers whether or not they are APP entities. The section of the Privacy Act under which a credit provider is required to comply with the scheme will depend on what kind of information is involved in the data breach.

If it is ‘credit eligibility information’ (defined in s 6(1)) the NDB scheme will apply because of the security requirement in s 21S(1) in relation to that information.

If the credit provider is also an APP entity the NDB scheme applies in relation to other personal information because of the security requirement in APP 11.

The following kinds of organisations are considered credit providers for the purposes of the Privacy Act (s 6G):

  • a bank
  • an organisation or small business operator if a substantial part of its business is the provision of credit, such as a building society, finance company or a credit union
  • a retailer that issues credit cards in connection with the sale of goods or services
  • an organisation or SBO that supplies goods and services where payment is deferred for seven days or more, such as telecommunications carriers, and energy and water utilities
  • certain organisations or SBO that provide credit in connection with the hiring, leasing, or renting of goods.

An organisation or SBO that acquires the right of a credit provider in relation to the repayment of an amount of credit is also considered a credit provider, but only in relation to that particular credit (s 6K).

For more information about categories of credit-related personal information, see ‘Privacy business resource 3: Credit reporting – what has changed’.[4]

Back to Contents

TFN recipients

The NDB scheme applies to Tax File Number (TFN) recipients[5] in their handling of TFN information (s 26WE(1)(d)). A TFN recipient is any person who is in possession or control of a record that contains TFN information (s 11). TFN information is information that connects a TFN with the identity of a particular individual (s 6).

A TFN recipient may also be an APP entity or credit provider. The NDB scheme applies to TFN recipients to the extent that TFN information is involved in a data breach. If TFN information is not involved, a TFN recipient would only need to comply with the NDB scheme for breaches of other types of information if they are also a credit provider or APP entity.

More information about TFN recipients is available in ‘Privacy business resource 12: The Privacy (Tax File Number) Rule 2015 and the protection of tax file number information.[6]

Back to Contents

Information disclosed overseas

Disclosing personal information

If an APP entity discloses personal information to an overseas recipient, in line with the requirements of APP 8, then the APP entity is deemed to ‘hold’ the information for the purposes of the NDB scheme (s 26WC(1)). APP 8 says that an APP entity that discloses personal information to an overseas recipient is generally required to ensure that the recipient will comply with the APPs when handling that information. This means that if the personal information held by the overseas recipient is subject to unauthorised access or disclosure, the APP entity is still responsible for assessing whether it is an eligible data breach under the Privacy Act, and if it is, for notifying the Commissioner and individuals at risk of serious harm.

More information about APP 8 is available in ‘Privacy business resource 8: Sending personal information overseas’.[7]

Disclosing credit eligibility information

If a credit provider discloses credit eligibility information to a person or related body corporate that does not have an ‘Australian link’ (s 26WC(2)(a)),[8] the credit provider may also have obligations under the NDB scheme. In the event that credit eligibility information held by the person or related body corporate is subject to unauthorised access or disclosure, the credit provider is responsible for assessing whether there is an eligible data breach that needs to be notified to the Commissioner and individuals at risk of serious harm.

For more information on what is an ‘Australian link’, see paragraphs [B10]-[B22] of the APP Guidelines.[9]

Back to Contents

Footnotes

[1] ‘Personal information’ is defined in s 6(1) of the Privacy Act to include information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

[2] Available online at https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-b-key-concepts#app-entity.

[3] Available online at https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-10.

[4] Available online at https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-3-credit-reporting-what-has-changed.

[5] Referred to in the Privacy Act and Privacy (Tax File Number) Rule 2015 (TFN Rule) as ‘file number recipients’.

[6] Available online at https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-12-the-privacy-tax-file-number-rule-2015-and-the-protection-of-tax-file-number-information.

[7] Available online at https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-8.

[8] This section only applies to a disclosure of credit eligibility information by a credit provider to a related body corporate under s 21G(3)(b), to a person processing an application for credit made to the credit provider or to a person who manages credit provided by the credit provider under s 21G(3) or to a debt collector under s 21M(1) of the Privacy Act.

[9] Available online at https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-b-key-concepts#australian-link.

Back to Contents