Notifiable Data Breaches scheme – Are you prepared?

NDB Scheme - Prepared?

  If your organisation stores anyone’s personal information, then keep reading!


In February this year the Federal Government commenced the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act).

“The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches.”

Do you fall inside the scope of the scheme? If you have any employees, yes.

But there are other criteria too. A full breakdown of entities covered by the scheme can be found here.

What’s a data breach?

Unauthorised access:  This includes unauthorised access by an employee of the entity, or an independent contractor, as well as by an external third party (e.g. hackers).

Unauthorised disclosure: Making the personal information accessible or visible to outsiders, whether intentionally or unintentionally, and releasing it from the entity’s effective control (in a way that is not permitted by the Privacy Act).

Loss: Whether accidental or inadvertent, where it’s likely to result in unauthorised access or disclosure.

What sort of personal information are we talking about?

Sensitive information (as defined by the Privacy Act). Please follow this link for a full list.

Documents (including scans/copies) commonly used for identity fraud. Medicare cards, driver licences, and passports, etc.

Financial information.

A combination of types of personal information that allows more to be known about the individuals the information is about.

Serious harm?!?!

Don’t brush this phrase off too quickly. In this case, it can include serious physical, psychological, emotional, financial, or reputational harm.


OK, now you’re a little more clued-up, what else do you need to be aware of?

Assessment and Notification

If you have reasonable grounds to believe a breach has occurred, you have 30 days to notify individuals and the Commissioner about the breach.

Notifying the Commissioner can be done here. For notifying individuals, you have three options.

  1. Notify all individuals: If you can’t reasonably assess exactly whose personal information was exposed as part of the breach, or are unsure who may be at risk of serious harm, this may be your simplest option. This approach ensures that all individuals who may be at risk are notified, allowing them to consider whether they need to take any action.
  2. Notify only those at risk of serious harm: If you have been able to identify an individual or a group of individuals, you are able to target them with a notification. This has the benefit of minimising administrative costs, as well as not alarming those who are not affected.
  3. Publish notification: If the above options are not possible or practical (e.g. contact details not up to date for some individuals), you must take proactive steps to publish a statement.

More information on notifying can be found here.

If you suspect a breach has occurred, you need to move quickly to establish whether this is the case and perform an assessment (usually within 30 days).

The Commissioner expects you to have practices, procedures, and systems in place to comply with your information security obligations.

More info can be found here, but unless you have a highly skilled and specialised IT department, you’ll need to call a professional.


Remedial action

At any time, you can (and should) take steps to reduce any potential harm to individuals caused by a data breach. If remedial action is successful in preventing serious harm to affected individuals, notification is not required.


Well, that’s more than enough from the Government for one day, but I am going to leave you with some homework.

  • Where and how does your organisation store its data?
  • How is it supposed to be accessed and by whom?
  • If you had a data breach, how would you know?

Too hard or too complicated? Contact us today and start getting secured!