How much do you know about the NDB Scheme?


Australia's Privacy Act 1988 commenced in 1989, with the objectives of protecting personal information and safeguarding how that information is collected. The Act's coverage subsequently expanded, and in 2014 the Privacy Amendment (Enhancing Privacy Protection) Act 2012 commenced, introducing changes including the Australian Privacy Principles (APPs).

In 2018 the Act's coverage expands again with the Notifiable Data Breaches (NDB) scheme, which obliges entities to notify the Australian Information Commissioner and affected individuals when personal information is involved in a data breach that is likely to result in serious harm.

With the NDB scheme commencing on 22 February 2018, more is at stake for many businesses than ever before. Here is a summary of what it is.

What is the NDB scheme?
The Notifiable Data Breaches (NDB) scheme requires regulated entities to notify the Australian Information Commissioner, and the individuals whose personal information is involved, when a data breach is likely to result in serious harm to those individuals. The amendment aims to give affected individuals notice of a breach so that they can take protective action against any harm that may follow from it.

Who are impacted by the scheme?
Private sector organisations (individuals, bodies corporate, partnerships, unincorporated associations or trusts) that are formed in Australia, conduct business in Australia, or collect personal information from individuals located in Australia, and that have (or are related bodies corporate of an entity that has) an annual turnover of more than A$3 million. The scheme also covers Australian government agencies and credit providers (eg, those who issue credit cards).

Which data breach will need notification?
An “eligible data breach” occurs when personal information is subject to unauthorised access or disclosure, or is lost, and the breach is likely to result in serious harm to the affected individuals. There are a few exceptions to note. For example, data breaches that are notified under s 75 of the My Health Records Act 2012 (My Health Records Act) do not need to be notified again under the NDB scheme.

When are entities required to notify the breach?
An entity must assess whether the data breach is likely to result in serious harm to the affected individuals. If it is, the entity must notify the Commissioner and the affected individuals as soon as practicable after becoming aware of the breach.

Key takeaways

  1. Entities will be required to notify the Information Commissioner and affected individuals of data breaches that are likely to result in “serious harm”.
  2. If an entity suspects there has been a breach but is not certain that it is an “eligible data breach”, it must carry out an assessment to make that determination within 30 days.
  3. Consistent with other jurisdictions, there is real potential for increased litigation over significant publicised breaches. This includes actions for failing to report a breach and class actions brought on behalf of the individuals affected by the breach. Early notification of breaches will help claimants identify the type of claim to be made and the affected class of individuals.

For the most up-to-date information, be sure to consult the OAIC website.
