Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Which small businesses have mandatory data breach reporting obligations?

From 22 February 2018, the Notifiable Data Breaches scheme (NDB scheme) will require a wide range of organisations to report data breaches that are ‘likely to result in serious harm’ to the individuals whose personal information is affected by the breach. They will also be required to notify the OAIC.

The NDB scheme applies to organisations that already have obligations to secure personal information under the Privacy Act 1988 (Privacy Act). Generally, this does not include small businesses that have a turnover of $3 million a year or less.

However, there are a few exceptions. Organisations that fall under the following categories will have mandatory data breach reporting requirements, regardless of their size:

  • Health service providers (including, for example, private hospitals, day surgeries, medical practitioners, pharmacists, allied health professionals, gyms and weight loss clinics, childcare centres, and private schools)
  • Organisations that trade in personal information
  • Credit reporting bodies
  • Employee associations registered under the Fair Work (Registered Organisations) Act 2009
  • Organisations that opt-in to being covered by the Australian Privacy Principles under section 6EA of the Privacy Act.

The NDB scheme will also apply to small businesses in these categories that are based overseas if they have an ‘Australian link’.

Tax File Number (TFN) recipients (which is any person in possession or control of a record with TFN information) will also need to comply with the NDB scheme in relation to their handling of TFN information. This means that if TFN information is involved in a data breach, a TFN recipient will be obligated to meet the requirements of the NDB scheme.

Read our guidance on organisations covered by the NDB scheme

Organisations that aren’t covered by the NDB scheme are encouraged to use the information in our guidance on notifying individuals under the scheme to create or review their data breach response plans.

Being transparent when a data breach occurs is central to meeting community and consumer expectations. 94% of Australians believe they should be told when a business loses their personal information. Informing individuals about a data breach is one step that organisations can take to demonstrate that they take their responsibility to protect personal information seriously.

And as a practical measure, notifying individuals at risk of harm can provide them with the opportunity to reduce their chances of experiencing harm. For example, individuals can resecure compromised online accounts. This can reduce the potential impact of a data breach overall.

View NDB scheme resources

Update 14 February 2018: ‘Credit providers’ was originally listed in this article as a category of organisation that will have mandatory data breach reporting requirements under the NDB scheme. It was removed from the list to avoid the misconception that credit providers with an annual turnover less than $3 million who are not otherwise APP entities would have notification requirements in relation to data breaches that involve personal information other than credit eligibility information. Read more.