Notifiable Data Breaches: Draft Resources Released


Last Friday the Office of the Australian Information Commissioner (OAIC) released draft resources to help businesses comply with the Notifiable Data Breaches (NDB) scheme.

Under the NDB scheme, organisations covered by the Privacy Act are required to notify individuals if their personal information is involved in a data breach that is likely to result in serious harm. This will be an important area of compliance for all APP entities.

The resources published on Friday cover:

• Entities covered by the NDB scheme
• Notifying individuals about an eligible data breach
• Identifying eligible data breaches
• The Australian Information Commissioner’s role in the NDB scheme.

This is the first in a series of posts looking at the NDB scheme. In this post, we will examine the definition of a Notifiable Data Breach based on the draft reference material.

What is a Notifiable Data Breach?

There are two elements to the test of a Notifiable Data Breach. The first is that personal information held by an organisation must have been lost, or subject to unauthorised access or unauthorised disclosure. The second is that the breach must be likely to result in serious harm to affected individuals.

Unauthorised access occurs when personal information is accessed by someone who is not permitted to have access. This may include access by unauthorised employees, contractors and third-parties.

Unauthorised disclosure occurs when an entity makes personal information available or visible to outsiders. This may include unauthorised disclosures by employees.

Loss refers to the accidental or inadvertent loss of personal information in circumstances where it is likely that unauthorised access or disclosure will occur. For example, loss includes an employee accidentally leaving a storage device on public transport.

‘Under the NDB scheme, if personal information is lost in circumstances where subsequent unauthorised access to or disclosure of the information is unlikely, there is no eligible data breach (s 26WE(2)(b)(ii)).’

When is Serious Harm Likely?

For the purpose of the NDB scheme, serious harm will be found where from the ‘perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach.’

A reasonable person in this test is in the position of the entity (rather than the individual whose personal information was the subject of the data breach). Such a reasonable person is deemed to be properly informed.

Harm is said to include physical, psychological, emotional, financial, or reputational harm. An obvious example is the loss of credit card and other financial details that would allow a third party to cause financial harm.

The NDB scheme includes a non-exhaustive list of ‘relevant matters’ that may assist entities to assess the likelihood that there has been serious harm. We will look in depth at these in a future post.

What should Businesses Do to Comply?

Businesses should examine (and consider contributing to) the draft resources. If you have feedback on the draft resources, please send it to before 14 July, 2017.

The NDB scheme will come into effect on 22 February 2018. Compliance Quarter will be developing a range of tools to assist clients in their compliance with the NDB scheme over the coming months. If these are of interest to you, contact us.
