Privacy Act – new Notifiable Data Breaches scheme takes effect


The Notifiable Data Breaches scheme is now in effect and requires organisations to notify individuals and the Information Commissioner about breaches.


The Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) Scheme. It applies to all agencies and organisations with existing personal information security obligations under the Privacy Act 1988 (Cth).

These obligations came into effect from 22 February 2018.

From that date, these organisations are required to notify individuals affected by a data breach that is likely to result in serious harm to any individuals whose personal information is involved in the breach.

There are also obligations to notify the Office of the Australian Information Commissioner.

The following is a summary of the changes published by the Office of the Australian Information Commissioner.

Entities covered by NDB scheme

The NDB scheme applies to entities that have an obligation under Australian Privacy Principle 11 of the Privacy Act to protect the personal information they hold (s26WE(1)(a)).

Collectively known as ‘APP entities’, these include Australian government agencies and private sector and not-for-profit organisations with an annual turnover of more than $3 million.

The definition of an APP entity generally does not include small business operators, registered political parties, state or territory authorities, or a prescribed instrumentality of a state (s6C). However, some businesses of any size are APP entities, including businesses that trade in personal information and organisations that provide a health service to, and hold health information about, individuals.

Data breaches requiring notification

The Notifiable Data Breaches (NDB) scheme requires regulated entities to notify particular individuals and the Australian Information Commissioner about ‘eligible data breaches’. A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates.

Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in the entity’s position. Not all data breaches are eligible. For example, if an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the Commissioner. There are also exceptions to notifying in certain circumstances.

Eligible data breach

An eligible data breach arises when the following three criteria are satisfied:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
  • this is likely to result in serious harm to one or more individuals, and
  • the entity has not been able to prevent the likely risk of serious harm with remedial action

What is a data breach?

The following analysis and examples draw on the ordinary meaning of these words.

'Unauthorised access' of personal information occurs when personal information that an entity holds is accessed by someone who is not permitted to have access. This includes unauthorised access by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party (such as by hacking). For example, an employee browses sensitive customer records without any legitimate purpose, or a computer network is compromised by an external attacker resulting in personal information being accessed without authority.

'Unauthorised disclosure' occurs when an entity, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the entity, and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee of the entity.

For example, an employee of an entity accidentally publishes a confidential data file containing the personal information of one or more individuals on the internet.

'Loss' refers to the accidental or inadvertent loss of personal information held by an entity, in circumstances where it is likely to result in unauthorised access or disclosure.

An example is where an employee of an entity leaves personal information (including hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) on public transport.

Under the NDB scheme, if personal information is lost in circumstances where subsequent unauthorised access to or disclosure of the information is unlikely, there is no eligible data breach (s26WE(2)(b)(ii)).

For example, if personal information is remotely deleted before an unauthorised person could access the information, or if the information is encrypted to a high standard making unauthorised access or disclosure unlikely, then there is no eligible data breach.

Types of personal information

Some kinds of personal information may be more likely to cause an individual serious harm if compromised. Examples of the kinds of information that may increase the risk of serious harm if there is a data breach include:

  • ‘sensitive information’, such as information about an individual’s health
  • documents commonly used for identity fraud (including Medicare card, driver licence, and passport details)
  • financial information
  • a combination of types of personal information (rather than a single piece of personal information) that allows more to be known about the individuals the information is about.

Further information

Further information and examples of data breaches can be found on the Office of the Australian Information Commissioner’s website.