Notifiable Data Breaches Scheme

The new Notifiable Data Breaches Scheme (NDB) was established after an amendment to the Privacy Act in 2017.
The legislation aims to improve the protection of personal information, specifically with regard to electronic data. Unfortunately, it is likely to add an additional burden on businesses that handle personal data.
Many small businesses handle customers' personal information without thinking about it. Personal data could be anything from an email address to a name and date of birth. Not properly securing this information or, in the event that it is stolen, not being able to contact these customers will cause problems.
These new privacy laws will take effect from 22nd February 2018, and failure to comply will result in fines and penalties.

Who will it affect?

The official term for a business that this law applies to is an Australian Privacy Principle (APP) entity. All businesses with a turnover of $3,000,000 or more will be subject to this legislation.
However, in addition to this, many smaller businesses will be affected regardless of turnover. For example:
  • Private Sector Health Services Providers.
  • Those that trade in personal information.
  • TFN recipients.
  • Those that hold personal information.
For example, Health Service Providers include gyms, weight loss clinics and alternative therapy practices.
Businesses that hold personal information include accountants, childcare centres, private schools and tertiary education centres.
The list goes on, and if you want to see the full details you can follow this link to the Australian Government Information Commissioner:
In summary, it is not just big businesses that will be affected by the Notifiable Data Breaches Scheme. Many small businesses with minimal resources must comply.

What does Breach mean?

The Notifiable Data Breaches Scheme will apply where there has been an Eligible Data Breach. Three criteria need to be met to constitute a breach:
  • There is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information, that an entity holds.
  • This is likely to result in serious harm to one or more individuals.
  • The entity has not been able to prevent the likely risk of serious harm with remedial action.
Serious harm includes emotional, economic or reputational harm. Again, the legislation contains more detail about what ‘harm’ means.

What happens next?

Once you have worked out that you have had a breach, there is a process of containing the breach, assessing the result, taking remedial action and notifying the Commissioner.
Included in this link are some case studies and examples:
There will be costs and expertise involved in this process, and many businesses might struggle to manage it correctly.

But I outsource my data storage and collection.

It’s also worth bearing in mind that outsourcing the collection and storage of data does not make a business immune from the scheme. The new law has provisions to deal with this, whether the breach occurs offshore or within Australia.
The Commissioner suggests that, in general, the entity with the most direct relationship with the affected individuals is the best one to notify them.
Clearly some consideration has been given to this scenario, although how apportioning responsibility works in practice remains to be seen. Either way, some expense, time & effort is going to be required, even if you outsource.


Preventing a hacking attack is easier said than done, but basic precautions such as virus protection, password/system updates and off-site backups will be useful.
Contingency planning and consultation with IT providers is always going to be helpful. If a problem occurs and you have a meaningful disaster recovery plan in place, the first few hours are going to be easier.
Cyber Insurance is a simple way to outsource the costs and expertise required to manage the Notifiable Data Breaches Scheme.
As with all business risks, a mixture of planning, preventative measures and insurance is best practice.
If you want to discuss this or any other insurance matter, please feel free to contact us.
