Does your business need to comply with the Notifiable Data Breaches scheme?

The Privacy Act 1988 (Privacy Act) regulates how personal information is handled. The Privacy Act defines personal information as:

…information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.

Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.

Agencies and organisations regulated under the Privacy Act are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach.

This article and accompanying flowchart (download the pdf here) provides an overview of the Notifiable Data Breaches scheme and information to help you determine:

  • if and when you need to comply with these requirements
  • what constitutes a Notifiable Data Breach
  • what to do when an eligible breach occurs


What is a data breach?

A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.


What is serious harm?

Individuals whose personal information is involved in a data breach may be at risk of serious harm, whether that is harm to their physical or mental well-being, financial loss, or damage to their reputation.


What is unauthorised access, disclosure or loss?

Unauthorised access of personal information occurs when personal information that an entity holds is accessed by someone who is not permitted to have access. This includes unauthorised access by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party (such as hacking). For example, an employee browses sensitive customer records without any legitimate purpose, or a computer network is compromised by an external attacker resulting in personal information being accessed without authority.

Unauthorised disclosure occurs when an entity, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the entity, and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee of the entity. For example, an employee of an entity accidentally publishes a confidential data file containing the personal information of one or more individuals on the internet.

Loss refers to the accidental or inadvertent loss or theft of physical devices (such as laptops and storage devices), or paper records that contain personal information, in circumstances where it is likely to result in unauthorised access or disclosure. For example, an employee of an entity leaves personal information (including hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) on public transport.


Who needs to report breaches?

The data breach laws apply to government agencies and private sector organisations who are currently subject to the Australian Privacy Principles (APP) under the Privacy Act. This includes private sector organisations, including not-for-profits, with an annual turnover of more than $3 million. It also includes small businesses that may be earning $3 million or less where they are a health service provider, are related to an APP entity, trade in personal information, are a credit reporting body, amongst others. There are some exceptions to the notification requirements, which relate to:

  • Data breaches involving entities that hold information jointly. The entity with the most direct relationship with the individuals affected by the data breach should carry out the notification.
  • Enforcement related activities where the CEO has reasonable grounds to believe notifying is likely to cause prejudice.
  • Inconsistency with secrecy provisions. An exception may apply where the Commonwealth law prohibits or regulates the use or disclosure of information.
  • Declarations by the Commissioner where Notifiable Data Breach (NDB) notification would conflict with public interest.

Although a Small Business Operator is not obligated to notify under the NDB scheme, those seeking to adopt good privacy practices and increased consumer confidence and trust are encouraged by the Office of the Australian Information Commissioner (OAIC) to opt in to the Privacy Act and would therefore be obligated to report a data breach.

Please refer to for full details regarding the reporting exemptions.


How to notify

When an agency or organisation is aware of reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm. The Commissioner must also be notified as soon as practicable through a statement about the eligible data breach. This notification can be made via the OAICs Notifiable Data Breach Form.


Further help:

Share this article on LinkedIn:

Subscribe to our newsletter:
Get tax updates, business advice and seminar invitations delivered straight to your inbox.