The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 establishes requirements for entities in responding to data breaches. Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach. 

​

The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act1988 from 22 February 2018.

 

The NDB scheme obligates agencies and organisations to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner must also be notified of eligible data breaches.

​

Agencies and organisations must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm, and as a result require notification. When an agency or organisation is aware of reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm.

​

The notification to affected individuals and the Commissioner must include the following information:

​

• the identity and contact details of the organisation

• a description of the data breach

• the kinds of information concerned and;

• recommendations about the steps individuals should take in response to the data breach.

​

For more information visit: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme