Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner

Retailers — check out mandatory data breach reporting obligations and prepare for 2018

Australians increasingly provide personal information to retailers to purchase products online, or to gain rewards — almost three quarters of Australians are signed up to a store loyalty program.

The Notifiable Data Breaches scheme begins 22 February 2018. Will your business be ready?

Earlier this year, legislation was passed to add to the existing protections for personal information in the Australian Privacy Act. From 22 February 2018, retail businesses with an annual turnover of $3 million or more, or that trade in personal information, will be required to comply with the Notifiable Data Breaches (NDB) scheme.

Under the NDB scheme, these organisations must notify individuals affected by a data breach that is likely to result in serious harm. The Australian Information Commissioner must also be notified.

Failure to comply with the NDB scheme will fall under the Privacy Act’s existing enforcement and civil penalty framework.

‘Serious harm’ may include serious physical, psychological, emotional, financial, or reputational harm. Understanding whether serious harm is likely or not will generally rely on an evaluation of the context of a data breach — including the types of personal information involved, who has access to it, whether the data breach can be contained, and more.

In the context of retail for example, the disclosure of customers’ credit card details may be likely to result in serious financial harm. Notifying customers of this data breach provides them with the opportunity to take protective action, including cancelling credit cards.

It is important to understand your obligations under the NDB scheme before commencement on 22 February 2018 — find out more, and start preparing for the scheme, with our draft NDB resources.

The OAIC is also hosting a webinar on the scheme's requirements on 21 November 2017. Sign up to attend.