Notifiable Data Breaches: Draft Resources Released


Last Friday the Office of the Australian Information Commissioner (OAIC) released draft resources to help businesses comply with the Notifiable Data Breaches (NDB) scheme.

Under the NDB scheme, organisations covered by the Privacy Act are required to notify affected individuals (and the Commissioner) where personal information they hold is involved in a data breach that is likely to result in serious harm. This will be an important area of compliance for all APP entities.

The resources published on Friday cover:

• Entities covered by the NDB scheme
• Notifying individuals about an eligible data breach
• Identifying eligible data breaches
• The Australian Information Commissioner’s role in the NDB scheme.

This is the first in a series of posts looking at the NDB scheme. In this post, we will examine the definition of a Notifiable Data Breach based on the draft reference material.

What is a Notifiable Data Breach?

There are two elements to the test for a Notifiable Data Breach. The first is that personal information held by an entity has been lost, or has been subject to unauthorised access or unauthorised disclosure. The second is that the breach is likely to result in serious harm to one or more of the individuals to whom the information relates.

Unauthorised access occurs when personal information is accessed by someone who is not permitted to access it. This includes access by employees or contractors who are not authorised to view the information, as well as access by external third parties.

Unauthorised disclosure occurs when an entity makes personal information available or visible to people outside the entity in a way that is not permitted under the Privacy Act. This includes disclosures made by employees without authorisation.

Loss refers to the accidental or inadvertent loss of personal information in circumstances where unauthorised access or disclosure is likely to occur. An example is an employee leaving a storage device containing personal information on public transport.

‘Under the NDB scheme, if personal information is lost in circumstances where subsequent unauthorised access to or disclosure of the information is unlikely, there is no eligible data breach (s 26WE(2)(b)(ii)).’

When is Serious Harm Likely?

For the purpose of the NDB scheme, serious harm will be found where from the ‘perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach.’

A reasonable person in this test is in the position of the entity (rather than the individual whose personal information was the subject of the data breach). Such a reasonable person is deemed to be properly informed.

Harm includes physical, psychological, emotional, financial and reputational harm. A straightforward example is the loss of credit card or other financial details that would allow a third party to cause the individual financial harm.

The NDB scheme includes a non-exhaustive list of ‘relevant matters’ that may assist entities to assess the likelihood that there has been serious harm. We will look in depth at these in a future post.

What should Businesses Do to Comply?

Businesses should examine (and consider contributing to) the draft resources. The OAIC is accepting feedback on the draft resources until 14 July 2017.

The NDB scheme will come into effect on 22 February 2018. Compliance Quarter will be developing a range of tools to assist clients in their compliance with the NDB scheme over the coming months. If these are of interest to you, contact us.

