Notifiable Data Breaches Scheme – What You Need to Know


7 March 2018
Posted by Nerine Konesharan


The Notifiable Data Breaches scheme (“NDB Scheme”) has arrived. The time is therefore ripe for organisations caught by the NDB Scheme to ensure they are well-equipped to respond to a data breach if one occurs.


Generally speaking, organisations required to comply with the NDB Scheme include those that:

– have had an annual turnover of more than $3 million in any year since 2001;
– provide a health service to, and hold health information about, individuals (which may include gyms, naturopaths and child care centres);
– trade in personal information (for example, an organisation that sells lists of contact details to an advertising agency in exchange for payment); or
– provide services to a Commonwealth agency under a contract.

If your organisation falls into one of the above categories, you will be required by law to comply with the NDB Scheme.


The NDB Scheme requires organisations that are subject to it to report certain kinds of data breaches to the Office of the Australian Information Commissioner (“OAIC”) and, where possible, to affected individuals.

What kinds of breaches must be notified?

Under the NDB Scheme, organisations will only be required to report eligible data breaches.

An eligible data breach will occur if an organisation believes that:

– personal information it holds has been subject to unauthorised access or disclosure, or has been lost; and
– the unauthorised access, disclosure or loss is likely to result in serious harm to the individual to whom the personal information relates.

Obligation to assess

Additionally, if an organisation suspects an eligible data breach has occurred, it must conduct an assessment within 30 days (“Assessment”).

If, after carrying out an Assessment, the organisation is satisfied that an eligible data breach has occurred, it must comply with the notification obligations.

What are the notification obligations?

If an eligible data breach occurs in relation to personal information held by an organisation, the organisation will need to prepare a statement about the breach as soon as practical (“Notice”).

The Notice must include:

– information identifying the organisation (e.g. its name and registered office);
– the organisation’s contact details;
– a description of the data breach;
– the kinds of information concerned (e.g. financial details, identity or contact information); and
– recommendations about the steps individuals should take to respond to reduce the risk that they experience serious harm as a result of the data breach (e.g. cancel credit cards).

Organisations will need to provide copies of the Notice to:

– the Office of the Australian Information Commissioner; and
– if practical, individuals who are affected by the breach.

Are there any exceptions?

An organisation will not need to provide the OAIC and/or affected individuals with the Notice in certain circumstances, including if:

– it is able to take remedial action to prevent any serious harm resulting from a breach. For example, if a device containing personal information is lost, remotely wiping data stored on the lost device and resetting passwords may prevent the loss of information from causing serious harm; or
– it holds personal information with another entity jointly (for example, a franchisee or a service provider), and that entity notifies the OAIC and/or affected individuals where the personal information is subject to an eligible data breach.


There are certain steps organisations can take to ensure they are prepared for their compliance obligations under the NDB Scheme. At a minimum, we suggest organisations:

– review their information collection, handling and storage processes to ensure they are not affected by actual or potential security deficiencies;
– promptly fix any security issues identified during the review process;
– implement internal processes that will allow the organisation to respond to a data breach. Examples of internal processes include developing a data breach response plan and appointing a trusted person within the organisation to manage any data breaches that occur; and
– review contracts with any third parties who have access to personal information collected by an organisation to ensure these contain adequate data breach detection and notification terms.


Organisations that fail to comply with the NDB Scheme are susceptible to the imposition of serious financial penalties under the Privacy Act 1988 (Cth), which allows for monetary penalties of up to $1.8 million. In addition to potential financial penalties, an organisation found to be in breach of the NDB Scheme may be affected by customer complaints and may suffer reputational damage.

It is therefore critical for organisations subject to the NDB Scheme to ensure they are adequately prepared to respond to eligible data breaches.

If you would like advice on your obligations under the NDB Scheme, please email us at, or call us on 03 9521 2128.


The information in this article is of a general nature. It does not constitute formal legal advice, and should not be relied on as such. Please see the full disclaimer in our website terms. Please contact Studio Legal if you are seeking advice about a specific legal matter.