Australian Government - Office of the Australian Information Commissioner - Home

Notifiable Data Breaches scheme

The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act) established requirements for entities in responding to data breaches. Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach. 

This page provides information to help entities comply with the NDB scheme. Our guide, Data breach preparation and response, provides a comprehensive overview of the NDB scheme, as well as a general framework to help you prepare for, and respond to, data breaches. An overview of the scheme, including a summary diagram, is set out below, and links are provided to additional resources that may be helpful for entities regulated by the Privacy Act.

If you are concerned that your own personal information may have been involved in a data breach, you may be interested in our data breach guidance for individuals.

Notify the OAIC of a data breach


Overview

What is the Notifiable Data Breaches scheme?

The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.

The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches.

Agencies and organisations can lodge their statement about an eligible data breach to the Commissioner through the Notifiable Data Breach statement — Form.

Agencies and organisations must be prepared to assess a suspected data breach quickly to determine whether it is likely to result in serious harm and therefore requires notification.

Which data breaches require notification?

An ‘eligible data breach’, which triggers notification obligations, is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.

A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.

Examples of a data breach include when:

  • a device containing customers’ personal information is lost or stolen
  • a database containing personal information is hacked
  • personal information is mistakenly provided to the wrong person.

Why the NDB scheme is important

The NDB scheme strengthens the protections afforded to everyone’s personal information and improves transparency in the way agencies and organisations respond to serious data breaches.

This supports greater community confidence that personal information is being protected and respected, and encourages a higher standard of personal information security across Australian industries.

Notification also provides individuals with the opportunity to take steps to minimise the damage that can result from a data breach.

When the NDB scheme requirements took effect

The NDB scheme commenced on 22 February 2018. It only applies to eligible data breaches that occur on or after that date.

Section 6 of the Privacy Amendment (Notifiable Data Breaches) Act 2017 says that the scheme applies to incidents where personal information is subject to unauthorised access or disclosure, or is lost, following the scheme’s commencement.

A data breach that an organisation discovers before 22 February 2018 is not subject to the NDB scheme. Nor is a breach that occurred before 22 February 2018 but was only discovered after that date: such a breach is not an eligible data breach for the purposes of the NDB scheme.

However, certain data breaches occur over a period rather than at a discrete point in time. For example, a system may be compromised by an attacker before 22 February 2018, with data subsequently stolen both before and after 22 February 2018. While entities will need to assess their particular circumstances, in such a situation, the OAIC suggests that entities should assume that the breach is subject to the NDB scheme.

Example 1 – Data breach that occurs before the NDB scheme takes effect

On 30 March 2018, a routine IT security assessment reveals that an unauthorised third party accessed a business’s customer database on 10 February 2018. The business’s IT security analysis determines that the unauthorised third party downloaded a data file containing the names and email addresses of 5,000 customers, but concludes that there was no further unauthorised access after 10 February 2018. Because the breach occurred before 22 February 2018, notification under the NDB scheme is not required.

Example 2 – Data breach that is ongoing when the NDB scheme commences

On 1 April 2018, an organisation discovers that an employee inadvertently placed a data file containing the name and health information of its customers on a publicly accessible website. The organisation conducts an assessment, and finds that the file was placed on its website in December 2017, but was downloaded both before and after 22 February 2018. Because the data breach (namely, the unauthorised disclosure of personal information) occurred both before and after 22 February 2018, the NDB scheme applies and notification may be required.


Who must comply with the NDB scheme

The NDB scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and tax file number (TFN) recipients, among others.

Entities covered by the NDB scheme

Data breaches involving more than one organisation


Which data breaches require notification

The NDB scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected. These are referred to as ‘eligible data breaches’. There are a few exceptions which may mean notification is not required for certain eligible data breaches.

Identifying eligible data breaches

Exceptions to notification obligations


Assessing suspected data breaches

Agencies and organisations that suspect an eligible data breach may have occurred must undertake a reasonable and expeditious assessment to determine whether the data breach is likely to result in serious harm to any individual affected. The Privacy Act requires entities to take all reasonable steps to complete that assessment within 30 days of becoming aware of the grounds for the suspicion; if the assessment confirms an eligible data breach, the notification obligations below apply.

Assessing a suspected data breach


How to notify

When an agency or organisation has reasonable grounds to believe an eligible data breach has occurred, it must promptly notify the individuals at likely risk of serious harm. The Commissioner must also be notified as soon as practicable by way of a statement about the eligible data breach.

The notification to affected individuals and the Commissioner must include the following information:

  • the identity and contact details of the organisation
  • a description of the data breach
  • the kinds of information concerned, and
  • recommendations about the steps individuals should take in response to the data breach.

The notification to the Commissioner can be made using the OAIC's Notifiable Data Breach form.

Notifying individuals about an eligible data breach

What to include in an eligible data breach statement

Notifiable Data Breach statement — Form


The role of the OAIC in NDB scheme regulation

The Commissioner has a number of roles under the NDB scheme. These include:

  • receiving notifications of eligible data breaches
  • encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance
  • offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.

Australian Information Commissioner’s role in the NDB scheme

Guide to OAIC Privacy Regulatory Action — Chapter 9: Data breach incidents


Additional resources

Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)

This guide consolidates the information provided in our Data breach notification — A guide to handling personal information security breaches released in 2014, the Guide to developing a data breach response plan released in 2016, and the resources published to assist entities in complying with the Notifiable Data Breaches (NDB) scheme. This guide is a comprehensive resource that can support the development and implementation of an effective data breach response.

View Data breach preparation and response

Securing personal information

The OAIC has a comprehensive Guide to securing personal information to assist you in implementing practices, processes, and systems to secure personal information. Regularly reviewing and updating your personal information security can reduce the risk of a data breach occurring.

View Guide to securing personal information

Preparing for the NDB scheme webinar recording

The OAIC hosted a webinar on preparing for the NDB scheme on 21 November 2017. The webinar covered the key requirements of the scheme, and responded to frequently asked questions. View the webinar recording by registering below:

View the webinar

Preparing for the NDB scheme — webinar slides (PDF, 778.06 KB)

Obligations for Victorian public sector entities — OVIC guidance

The Office of the Victorian Information Commissioner (OVIC) has developed guidance for Victorian public sector agencies on their NDB scheme obligations.

Notifiable Data Breaches scheme under the Privacy Act 1988 — Obligations for Victorian public sector organisations (PDF, 522 KB)

New South Wales public sector agencies and Notifiable Data Breaches — IPC guidance

The Information and Privacy Commission (IPC) New South Wales (NSW) has created a fact sheet that outlines how the requirements of the NDB scheme apply to NSW public sector agencies.

NSW Public Sector Agencies and Notifiable Data Breaches (PDF, 71 KB)


Data breach response summary

The following diagram provides an overview of a typical data breach response, including the requirements of the NDB scheme. This diagram is a summary, and should be read with reference to the more detailed resources listed above.

Download the Data breach response summary (PDF, 62.81 KB)


Quarterly statistics

The OAIC publishes quarterly statistical information about notifications received under the Notifiable Data Breaches scheme, to assist entities and the public to understand the operation of the scheme.

Notifiable Data Breaches Quarterly Statistics Report, January to March 2018 (PDF, 388.95 KB)
