In 2017 the Australian Government passed an amendment (Privacy Amendment (Notifiable Data Breaches) Act 2017) to the Australian Privacy Act 1988 ensuring that affected individuals are notified by companies about data security breaches where personal information has been compromised.

This takes effect from the 22nd of February 2018 and applies to all businesses, government agencies and other organisations covered by the Australian Privacy Act 1988 (Privacy Act).

You have a little over six months to make sure that you have everything in place for your company to be compliant!


A Notifiable Data Breach (NDB) is a data breach which is likely to result in serious harm to any of the individuals to whom the information relates.

The NDB scheme requires:

  • Organisations to notify any individuals affected by these serious data breaches.
  • This notice must include recommendations about the steps that individuals should take in response to a serious data breach.
  • The Office of the Australian Information Commissioner (OAIC)must also be notified.
  • Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.


A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.

Examples include:

  • When customers personal information is lost or stolen
    • Such as loss or theft of hard copy documents, removable storage devices, backup tapes, tablets, smart phones etc.
    • This can also include electronic losses of personal information such as failing to keep adequate backups of personal information in the event of a systems failure.
  • Unauthorised access to a database (or backup of a database) containing personal information
    • Such as unauthorised access by an employee, former employee or independent contractor, as well as unauthorised access by an external third party (eg. hacking).
  • When personal information is mistakenly provided to the wrong person.
    • Such as when personal information, intentionally or otherwise, is accessible or visible to others outside of the company and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee.


The Privacy Act and APP apply to organisations that deal with sensitive personal information, including:

  • Most Australian Government agencies
  • Businesses and not-for-profit organisations with >$3 million annual turnover
  • Child care centres
  • Private schools and private education institutions
  • Private sector health service providers
  • Any individuals/companies who primarily handle personal information such as tax file numbers, credit applications and other personal sensitive records.


Australian Privacy Principle 11 (APP 11), requires an entity to actively take measures to ensure the security of personal information it holds, and to consider whether it is permitted to retain personal information.

An entity that holds personal information must take reasonable steps to protect the information from misuse, interference and loss as well as unauthorised access, modification or disclosure.

An entity must also take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs.


The reasonable steps that an entity can take to ensure the security of personal information depends on the circumstances.

Factors that the OAIC takes into considering “reasonable steps” are as follows:

  • the nature of your entity
  • the amount and sensitivity of the personal information held
  • the possible adverse consequences for an individual in the case of a breach
  • the practical implications of implementing the security measure, including the time and cost involved
  • whether a security measure is itself privacy invasive.

The OAIC has provided some steps and strategies which may be reasonable to take which cover the following 9 key areas:

  1. Governance, culture and training
  2. Internal practices, procedures and systems
  3. ICT security
  4. Access security
  5. Third party providers (including cloud computing)
  6. Data breaches
  7. Physical security
  8. Destruction and de-identification
  9. Standards


With a strong focus on security process and strategy, our Resolution Technology team can ensure that your business systems and documentation align with the 9 areas outlined in the OAIC Steps and Strategies.

After an initial review, we can provide you with a gap analysis detailing focus areas for your organisation as well as a road map to make sure you’re covered by the time that the NDB Scheme takes effect.

Contact Us to book a review of your Security Response Strategy

OAIC References: