From 22nd February all businesses that have obligations under the Privacy Act 1988 (Cth) will be required to report data breaches to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches Scheme.

What is the Notifiable Data Breaches Scheme?

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) created the Notifiable Data Breaches (NDB) Scheme, meaning that all entities and government agencies that already have obligations under the Privacy Act must notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. The notification must also contain information about the steps that individuals can take in response to the breach (for example, if credit card information has been hacked, to cancel their credit card and get a new one). It is important to note that the Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches.

What is an ‘eligible’ data breach?

An eligible data breach is a breach that is likely to result in serious harm to the individuals whose personal information has been breached. Although ‘serious harm’ is not defined in the Act, the harm could be physical, psychological, economic, financial or otherwise. Therefore, it is up to the entity to assess how the data breach could affect, or is likely to affect, the individuals concerned, having regard to factors such as:

  1. What kind of information was breached (e.g. credit card or health information);
  2. How it was breached;
  3. Who it was accessed by (or is likely to be accessed by); and
  4. How they would intend to use it.

Which entities does this apply to?

If your business or non-profit organisation turns over more than $3 million per year, the NDB scheme applies to you. It also applies to government agencies and businesses that either trade in personal information or are classified as health providers.

But I’m just a small business, does this apply to me?

Generally, small business operators (SBOs) that have a turnover of less than $3 million per year do not need to comply. However, there are a range of exceptions to this, including if your small business is related to an APP entity (i.e. an entity that must observe the Australian Privacy Principles) or if you provide services to the Commonwealth (government) under a contract. If you are unsure whether you need to be compliant, go to the OAIC website to see whether your business needs to comply with the Privacy Act, or simply give us a call.

Ok, so it applies to my business. What do I have to do?

All businesses subject to the Notifiable Data Breaches Scheme should have a plan (called a Data Breach Response Plan) in place to respond quickly to these breaches. You will need to assess what personal information you hold and what your risk is in relation to unauthorised access to, or disclosure of, this information. More importantly, you need to think about how a breach would impact the individuals to whom that personal information relates, and whether this is likely to result in serious harm. If you need help with this, please give us a call on 1300 272 878.

For eligible data breaches, notifications to the Commissioner should be lodged via the Notifiable Data Breach statement form on the OAIC website.

Where can I get more information?

The OAIC website has a plethora of information on this, so please visit it. However, if you’re confused about whether your business needs to comply with this and how to get ready, please contact us and we will be more than happy to help!