To heighten the personal information protection in Australia, Notifiable Data Breaches Scheme will be enforced starting February.

The Office of the Australian Information Commissioner (OAIC) has introduced the new Notifiable Data Breaches Scheme (NDBS) which is set to take effect on 22 February 2018. The initiative was established following the passage of Privacy Amendment (Notifiable Data Breaches) Act 2017.

The NDB scheme mandates all individuals and organisations to notify OAIC and the affected party of any suspected and known data breach. Civil fines of up to $1.7 million will be imposed as restitution for eligible data breaches.

To whom NDB Scheme is addressed to

The mandatory data breach notifications will apply to the following entities:

• Australian government agencies
• Businesses and non-profit organisations (with annual turnover of $3 million and more)
• Credit reporting bodies
• Health service providers
• TFN recipients
• Other entities that are recognised under the Privacy Act.

What constitutes an eligible data breach

Based on the legislation, a data breach is eligible when it satisfies these criteria:

• There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
• This is likely to result in serious harm to one or more individuals (see, Is serious harm likely?), and
• The entity has not been able to prevent the likely risk of serious harm with remedial action (see, Preventing serious harm with remedial action).

How to notify an eligible data breach

Individuals and organisations are advised to use the Notifiable Data Breach statement — Form to inform the Australian Information Commissioner of any suspected and known data breach.
Visit the AIDC’s website for the detailed information about the NDB scheme.