The Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act requires entities to notify affected individuals and the Commissioner of ‘eligible data breaches’. An eligible data breach occurs when all of the following criteria are met:
- There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
- This is likely to result in serious harm to any of the individuals to whom the information relates.
- The entity has not been able to prevent the likely risk of serious harm through remedial action.
The primary purpose of the NDB scheme is to ensure individuals are notified if their personal information is involved in a data breach that is likely to result in serious harm. This has a practical function: once notified about a data breach, individuals can take steps to reduce their risk of harm. For example, an individual can change passwords to compromised online accounts, and be alert to identity fraud or scams.
All businesses should have a data breach response plan so that they can respond quickly to a data breach. A prepared response substantially reduces the impact of a breach and the cost of dealing with it. The plan also helps a business meet its obligations under the Privacy Act, limit the consequences of a breach, and preserve and build public trust.
- Entities that have existing obligations under the Privacy Act to secure personal information must comply with the NDB scheme.
- This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of more than AU$3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information, and tax file number (TFN) recipients.
- Entities that have Privacy Act security obligations in relation to particular types of information only (for example, small businesses that are required to secure tax file number information) do not need to notify about data breaches that affect other types of information outside the scope of their obligations under the Privacy Act.
“The practical benefit of the scheme is that it gives individuals the chance to reduce their risk of harm, such as by re-securing compromised online accounts,” said Commissioner Timothy Pilgrim.
For the complete guidance on the Notifiable Data Breaches scheme, see the Office of the Australian Information Commissioner’s publication Data Breach Preparation and Response: A guide to managing data breaches in accordance with the Privacy Act 1988.