Data Breaches - What Are Your New Obligations?

24 APR 2018


Being a successful business in today’s world means you not only need to use the cutting-edge technology on offer, but you also need to ensure that your business is up to speed with its obligations to protect against data breaches.

The data protection provisions of the Privacy Act 1988 (Cth) have been beefed up a few times in recent years. Most recently, the Commonwealth government has introduced a scheme that requires certain organisations and businesses to notify the Office of the Australian Information Commissioner (OAIC) when a data breach occurs. The ‘Notifiable Data Breaches scheme’ (NDB Scheme) came into force on 22 February 2018.

What is the NDB scheme?

Put simply, the NDB scheme requires certain organisations to notify any individuals whose personal information has been involved in a data breach that is likely to result in serious harm to those individuals. The notice must also include recommendations about the steps the individuals should take as a result of the breach, and the OAIC must also be notified of the breach.

Failures to comply with the NDB Scheme can expose your business to heavy penalties (serious repeat offences could be punished with fines of up to $2.1 million).  So how then does the NDB Scheme work?

What is a notifiable data breach?

Generally, a notifiable data breach occurs when:

  1. There is unauthorised access, disclosure or loss of personal information that a business holds;
  2. The data breach is likely to result in serious harm to one or more individuals; and
  3. The business has not been able to prevent the risk of serious harm.

Who must comply with the scheme?

The types of entities that may fall under the NDB scheme include:

  1. Almost all businesses and non-for-profit organisations with a turnover of more than $3 million a year;
  2. Some small businesses, such as sole traders, partnerships, unincorporated associations or trusts with annual turnover of less than $3 million a year;
  3. All organisations which receive a Tax File Number (which basically means all employers);
  4. Credit Providers and Credit Reporting Agencies.

What should you focus on?

You need to:

  1. Have a Data Breach Response Plan that covers what needs to be done, and by whom, after a breach has occurred.
  2. Be prepared to conduct a prompt assessment of suspected data breaches, and have a system in place to notify individuals and the OAIC.

Marsdens' Comment

The need to protect individuals’ privacy is a reality of doing business in a digital world.  It’s important that businesses are vigilant in protecting themselves, from the outset, against issues arising out of failures to comply with the Privacy legislation. If you need assistance developing a Data Breach Response Plan, or if you would simply like to discuss your Privacy obligations, please feel free to contact:

Grant Butterfield on,

Aaran Johnson on or,

Joey Leith on

The contents of this publication are for reference purposes only. This publication does not constitute legal advice and should not be relied upon as legal advice. Specific legal advice should always be sought separately before taking any action based on this publication.

Posts you may find interesting


POSTED: 07 May 2019
Trade unions are lobbying for a national reform to workplace safety laws, to make it more stringent, following the death of a teenage apprentice in a scaffolding collapse in NSW on 1 April 2019. ...
Read more