Australian Government - Office of the Australian Information Commissioner - Home

Australian Information Commissioner’s role in the NDB scheme

The Australian Information Commissioner (the Commissioner) has a number of roles under the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988 (Cth) (Privacy Act). These include:

  • receiving notifications of eligible data breaches
  • encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance
  • offering advice and guidance to regulated entities, and providing information to the community about the operation of the scheme.

This document summarises how the Commissioner anticipates exercising these functions. For more information about the Commissioner’s regulatory powers and how those powers are exercised, see the OAIC’s Privacy regulatory action policy[1] and the Guide to privacy regulatory action.[2]

Notifications of data breaches to the Commissioner

How to notify the Commissioner

Once an entity has reasonable grounds to believe there has been an eligible data breach, and no exception to notification applies, it must notify both the individuals at risk of serious harm and the Commissioner. When notifying the Commissioner, the entity must provide a notification statement that contains the following information (s 26WK(3)):

  1. the identity and contact details of the notifying entity
  2. a description of the data breach
  3. the kind or kinds of information concerned
  4. recommendations to individuals about the steps that they should take to minimise the impact of the breach.

An online form is available on the OAIC website to help entities lodge notification statements and provide additional supporting information (see What to include in an eligible data breach statement).

Providing voluntary information

Although not required by the Privacy Act, entities may provide additional supporting information to the Commissioner to explain the circumstances of the data breach and the entity’s response in further detail. For example, entities may choose to provide the Commissioner with technical information, which may not be appropriate to include in the statement to individuals. This information will assist the Commissioner to decide whether to make further inquiries or to take any other action. It may also be used by the Commissioner when preparing statistical reports about notifications received.

When a data breach affects more than one entity, the entity that prepares the statement may also choose to include the identity and contact details of the other entities involved (s 26WK(4)). The Privacy Act does not require this information to be included on the statement, and it is open to entities to assess whether it is useful to provide this information in the statement.

Confidentiality of information provided in notifications

If an entity elects to provide additional supporting information to the Commissioner, it may request that the Commissioner hold that information in confidence. The Commissioner will respect the confidence of commercially or operationally sensitive information provided voluntarily in support of a data breach notification, and will only disclose such information after consulting with the notifying entity, and with the entity’s agreement or where required by law.

If the Commissioner receives a freedom of information (FOI) request for a notification statement or additional supporting information, the Commissioner will consult with the entity that made the notification before responding. As a matter of course, the Commissioner will offer to transfer any FOI requests relating to agencies to the agencies in question.

The Commissioner’s response to notifications

The Commissioner will acknowledge receipt of all data breach notifications.

The Commissioner may also make inquiries or offer advice and guidance in response to notifications. In deciding whether to do so, the Commissioner may consider the type and sensitivity of the personal information, the number of individuals potentially at risk of serious harm, and the extent to which the notification statement and any additional supporting information provided demonstrate that:

  • the data breach has been contained or is in the process of being contained where feasible
  • the notifying entity has taken, or is taking, reasonable steps to mitigate the impact of the breach on the individuals at risk of serious harm
  • the entity has taken, or is taking, reasonable steps to minimise the likelihood of a similar breach occurring again.

The Commissioner may also decide to take regulatory action on the Commissioner’s own initiative in response to a notification, or a series of notifications. In deciding whether to take regulatory action, the Commissioner will have regard to the OAIC’s Privacy regulatory action policy and Guide to privacy regulatory action.

However, generally the Commissioner’s priority when responding to notifications is to provide guidance to the entity and to assist individuals at risk of serious harm.

The Commissioner’s enforcement of the NDB scheme

The Commissioner has a number of enforcement powers to ensure that entities meet their obligations under the scheme. The scheme requires entities to do each of the following, and a failure to do so is an interference with the privacy of an individual (s 13(4A)):

  • conduct a reasonable and expeditious assessment of a suspected eligible data breach (s 26WH(2)), taking all reasonable steps to ensure that this assessment is completed within 30 days of becoming aware of the grounds for the suspicion (s 26WH(2)(b))
  • prepare a statement about the data breach, and give a copy to the Commissioner, as soon as practicable (s 26WK(2))
  • notify the contents of the statement to individuals at risk of serious harm (or, in certain circumstances, publish the statement) as soon as practicable (s 26WL(3))
  • comply with a direction from the Commissioner to prepare a statement and notify as soon as practicable (s 26WR(10)).

The enforcement powers available to the Commissioner in response to an interference with privacy, which range from less serious to more serious regulatory action, include powers to:

  • accept an enforceable undertaking (s 33E) and bring proceedings to enforce an enforceable undertaking (s 33F)
  • make a determination (s 52) and bring proceedings to enforce a determination (ss 55A and 62)
  • seek an injunction to prevent ongoing activity or a recurrence (s 98)
  • apply to court for a civil penalty order for a breach of a civil penalty provision (s 80W), which includes a serious or repeated interference with privacy (s 13G).[3]

The Commissioner is also required, in most circumstances, to investigate a complaint made by an individual about an interference with the individual’s privacy (s 36), which would include a failure to notify an individual at risk of serious harm of an eligible data breach where required to do so.

In deciding when to exercise enforcement powers in relation to a contravention of the NDB scheme, the Commissioner will have regard to the OAIC’s Privacy regulatory action policy and the circumstances outlined in Chapter 9: Data breach incidents of the OAIC’s Guide to privacy regulatory action.

The preferred approach of the Commissioner is to work with entities to encourage and facilitate voluntary compliance with an entity’s obligations under the Privacy Act before taking enforcement action.

The Commissioner acknowledges that it will take time for all regulated entities to become familiar with the requirements of the NDB scheme. During the first 12 months of the scheme’s operation, the Commissioner’s primary focus will be on working with entities to ensure that they understand the new requirements and are working in good faith to implement them.

The Commissioner’s other powers and functions under the scheme

Direction to notify (s 26WR)

The Commissioner can direct an entity to notify individuals at risk of serious harm, as well as the Commissioner, about an eligible data breach in certain circumstances.

Before directing an entity to notify, the Commissioner will usually ask the entity to agree to notify. The question of a direction might arise if a data breach comes to the attention of the Commissioner but has not come to the attention of the relevant entity, or if the Commissioner does not agree with the entity’s initial view about whether a data breach triggers an obligation to notify.

If the Commissioner and the entity cannot agree about whether notification should occur, the Commissioner will give the entity an opportunity to make a formal submission about why notification is not required, or if notification is required, on what terms. The Commissioner will consider the submission and any other relevant information before deciding whether to direct the entity to notify under s 26WR.

Declaration that notification need not be made, or that notification be delayed (s 26WQ)

The Commissioner may declare that notification of a particular data breach is not required (s 26WQ(1)(c)). The Commissioner may also modify the period in which notification needs to occur (s 26WQ(1)(d)).

The Commissioner cannot make a declaration under s 26WQ unless satisfied that it is reasonable in the circumstances to do so, having regard to the public interest, any relevant advice received from an enforcement body or the Australian Signals Directorate, and any other relevant matter. While the Commissioner is empowered to make a declaration if it is ‘reasonable in the circumstances to do so’, the Commissioner still has discretion about whether to make a declaration, and on what terms.

In deciding whether to make a declaration, and on what terms, the Commissioner will have regard to the objects of the Privacy Act (s 2A) and other relevant matters. The Commissioner will consider whether the risks associated with notifying a particular data breach outweigh the benefits of notification to individuals at risk of serious harm.

Given the clear objective of the scheme to promote notification of eligible data breaches to affected individuals, and the inclusion of exceptions in the scheme that remove the need to notify in a wide range of circumstances, the Commissioner expects that declarations under s 26WQ will be limited to exceptional cases.

An entity applying for a declaration will be expected to make a well-reasoned and convincing case detailing how the data breach is an eligible data breach, why any relevant exceptions do not apply, and why notification should not occur or should be delayed. The entity should provide detailed evidence or information in support of its application.

Advice, guidance, and community information

The Commissioner provides general information to the community about the Privacy Act, including the NDB scheme, via the OAIC’s website or its public enquiries service.

The Commissioner has developed a range of guidance material published on the OAIC’s website to help entities comply with the scheme.

However, the Commissioner will not generally be able to provide detailed advice about the application of the scheme to specific data breaches. Entities should seek their own legal and technical advice.

Part of the Commissioner’s role in the NDB scheme is to promote transparency in the way that entities handle personal information. To this end, the Commissioner will regularly publish de-identified statistical information about data breaches notified under the scheme.

Footnotes

[1] The Privacy regulatory action policy explains the OAIC’s approach to using its privacy regulatory powers and communicating information publicly.

[2] The Guide to privacy regulatory action sets out a detailed explanation of particular privacy regulatory powers, looking at the legislative framework and purpose of the power, and the procedural steps the OAIC will take in the exercise of the regulatory power.

[3] For more information about civil penalty provisions in the Privacy Act, see Guide to privacy regulatory action, Chapter 6: Civil Penalties – serious or repeated interference with privacy and other penalty provisions.