The Privacy Act 1988 (Privacy Act) regulates how personal information is handled. The Privacy Act defines personal information as:

…information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.

Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person. The Privacy Act also regulates the privacy component of the consumer credit reporting system, tax file numbers, and health and medical research.

On 22nd February 2018, the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Privacy Act.

The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches as soon as practicable.

Who must comply with the NDB scheme?

The NDB scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and tax file number (TFN) recipients, among others.

Which data breaches require notification?

The NDB scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected. These are referred to as ‘eligible data breaches’.

Assessing suspected data breaches

If an entity has reasonable grounds to suspect that there may have been a data breach that is likely to result in serious harm to any individual affected, it must carry out a reasonable and expeditious assessment of the relevant circumstances within 30 calendar days.

Responding to data breaches — four key steps

An effective data breach response generally follows a four-step process:

  1. Contain;
  2. Assess;
  3. Notify; and
  4. Review.

A summary of the key points

  • A data breach is an unauthorised access or disclosure of personal information, or loss of personal information.
  • Data breaches can have serious consequences, so it is important that entities have robust systems and procedures in place to identify breaches and respond to them effectively.
  • Entities that are regulated by the Privacy Act should be familiar with the requirements of the NDB scheme, which are an extension of their information governance and security obligations.
  • A data breach incident may also trigger reporting obligations outside of the Privacy Act.
  • For detailed information on the Notifiable Data Breaches scheme, please refer to the Office of the Australian Information Commissioner (OAIC) website at www.oaic.gov.au