As of 22 February 2018, the Notifiable Data Breach (NDB) scheme went into effect and included in its requirements is a mandatory data breach notification.  Failure to correctly notify those affected by an eligible data breach can result in fines of up to $2.1 million, besides potential compensation for affected individuals.  There are certain things that every Australian organisation needs to be aware of when it comes to mandatory breach notification.

Data Breach Notification

To Whom Does It Apply?

The NDB scheme applies to organisations and agencies that have personal security information obligations under the Australian Privacy Act 1988.  Such organisations and agencies include businesses, health service providers, credit reporting agencies, Australian government agencies, TFN recipients, and not-for-profits with an annual turnover of $3 million or more.

If an organisation …

  • Collects personal information,
  • Receives personal information on behalf of clients,
  • Processes personal information on behalf of clients,
  • Or holds personal information

Then they can be impacted by the NDB scheme.

If a breach occurs, the organisation and everyone involved in the chain can be affected, including marketers, data providers, brands, agencies, and similar partners.  In addition, if an organisation has clients, those clients may impose notification requirements to make sure they are in compliance with their own NDB obligations.

What Is an Eligible Data Breach?

Data breaches refer to unauthorised access of, the disclosure of, or loss of an individual’s information. If a data breach involves an individual’s personal information and this breach is likely to result in serious harm to said individual, then that breach must to be reported. This type of data breach is referred to as an eligible data breach.  Note that there are, however, some exceptions to the notification obligations.

What Constitutes Serious Harm?

While no hard and fast definition of “serious harm” has been provided, it is reasonable to assume that any type of harm – be it physical, psychological, or financial – would likely fall under the category of serious.  This is especially true of information of a sensitive nature or involving an individual’s health.  For example, loss of information involving medical allergies could result in life-threatening circumstances for an individual in a serious accident, or unauthorised access to financial information could result in identity theft and financial loss.

What Should Be Done When a Data Breach Is Suspected?

If a data breach is suspected, there are four key steps to be followed: contain, assess, notify, and review.  Of course, as soon as a data breach is suspected it should be contained to prevent any additional compromise of information.  Next, it should be thoroughly assessed by determining who was affected and what data was compromised, followed by risk assessment and, if possible, remediation.  The third step is notification. The final step is a review of the incident and developing a plan of action to prevent a similar breach from occurring again.

Who Needs to be Notified?

According to the Office of the Australian Information Commissioner,

“The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.”

In addition, the Australian Information Commissioner must also be notified of the breach, and this information can be submitted via an online form.

When Must Notification Take Place?

Notification must take place as soon as the organisation can determine what information was compromised and who was affected.

What Information Must Needs to be Included?

The following information must be included as part of the notification:

  • The identity and contact information for the organisation
  • A description of the data breach that took place
  • The type of information that was involved in the breach
  • Recommendations as to what steps the affected individual should take as a result of the breach

In terms of notifying individuals, there are two basic options available as to how the notification should take place: either notify all individuals or notify only the individuals who are at risk of serious harm.

If it is not practicable to notify individuals, then a statement about the breach can be published on the organisation’s website and then publicised.

What Happens When an Organisation Fails to Notify?

If an organisation fails to notify the affected individuals and the Australian Information commissioner of an eligible breach, fines of up to $2.1 million are possible.  However, there is also the possibility of compensation for affected individuals if there is a privacy compliance failure.  Compensation averages between $10,000 and $15,000 per individual if their complaint is successful.


Mandatory data breach notification is a critical part of the Notifiable Data Breach scheme, and failure to comply with notification requirements can result in hefty fines and compensation for those affected.  If you are an organisation in Australia that deals with any type of personal information, then you need to know what your responsibilities are and how to respond should an eligible data breach occur under your watch.