Data Breach Notification

The 5 things you need to know about the Notifiable Data Breach scheme


Mandatory Data Breach Disclosure and the Notifiable Data Breach (NDB) scheme are both really hot topics at the moment. There are a number of experts from the legal, cyber security and business communities all providing their advice, many providing guidance in forensic detail on what should be done to prepare an organisation for this change.

I’m not planning to cover NDB in detail; the aim of this blog post is to quickly and succinctly outline the 5 most important things you need to know about the NDB scheme within Australia.

Essentially, the why, what, when, who, and which of NDB. I’ll follow with a number of additional posts designed to provide practical guidance for organisations on this topic.

Why NDB?

With the prevalence and increased impact of data breaches on the news and in our lives, there is a greater need than ever for a consistent treatment mechanism. The absence of any industry consensus on data breach notification meant that it was only a matter of time before the Government put in place a scheme to protect the interests of consumers, and individuals.

After extensive industry and professional consultation, the Notifiable Data Breaches (NDB) scheme was passed under Part IIIC of the Privacy Act 1988 (Privacy Act).

What is the NDB?

The Notifiable Data Breaches (NDB) scheme establishes a framework governing how data breaches are assessed and responded to, and the obligations of organisations in reporting breaches.

Specifically, the NDB introduces obligations for organisations who experience a data breach that exposes personal information and meets the criteria specified as likely to cause ‘serious harm’. More on what constitutes ‘serious harm’ in a moment.

Any breach notification must include recommendations for impacted individuals on the steps that they should take as a result of the breach.

The NDB also specifies that the Australian Information Commissioner must be notified of eligible data breaches.



When does NDB come into effect?

The NDB comes into effect on the 22nd of February 2018.

Who does the NDB impact?

Unless you live entirely off the grid and share no personal information, ultimately, the NDB affects us all.

Whilst not an exhaustive list, and with some exceptions, a good summary of the organisations impacted by the NDB includes:

  • Australian Government agencies
  • Businesses and not-for-profit organisations with an annual turnover of $3 million or more
  • Credit reporting bodies
  • Credit providers:
    • banks, building societies, credit unions, finance companies
    • retailers who issue credit cards
    • organisations where payment is deferred for at least 7 days – telcos, energy and water utilities
    • organisations that provide credit for hiring, leasing or renting goods
  • Health service providers
  • TFN recipients, which likely impacts State Government entities if they use TFNs

An important thing to note is that the NDB applies to overseas organisations that have been incorporated or formed in Australia.

Which breaches are covered by the NDB?

In broad terms, a data breach is defined as either unauthorised access, unauthorised disclosure, or loss of personal information. The types of personal information covered include:

  • an individual’s health information or other ‘sensitive’ information
  • information used as a precursor to identity fraud (Medicare card, driver licence, and passport details)
  • financial information
  • a combination of types of personal information.

As with all legislation, the devil is in the detail. This information does not seek to be exhaustive, and the usual legal disclaimers around seeking professional legal advice do apply.

The Office of the Australian Information Commissioner (OAIC) states:

The NDB scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected. These are referred to as ‘eligible data breaches’. There are a few exceptions which may mean notification is not required for certain eligible data breaches.

What does all this mean? The terms ‘likely’ and ‘serious harm’ are key.

  • ‘Likely to occur’ means more probable than not, rather than merely possible
  • ‘Serious harm’ may include serious physical, psychological, emotional, financial, or reputational harm to an individual

These terms are subjective and require some assessment against the so-called ‘reasonable person’ test. Harm can include: loss of business or employment opportunity; damage to a person’s reputation or relationships; humiliation; identity theft; significant financial loss; threats to physical safety; and workplace or social bullying or marginalisation. The circumstances of the breach are also an important factor.

The stated exceptions are interesting: if an organisation acts quickly to remediate a data breach, and its quick response reduces the likely impact to something less than what is termed serious harm, then there is no requirement to notify any individuals or the Commissioner.

Hopefully you have found this blog post useful in setting the scene for NDB. I’ll be following up with an additional series of posts on how to prepare for NDB, what is important during a breach, and how your organisation can be prepared.