How much do you know about the NDB Scheme?


Australia passed its first Privacy Act in 1989 with the objectives of protecting personal information and safeguarding the collection of information. Coverage of the Act subsequently spread, and 2014 saw the commencement of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which enacted changes including the Australian Privacy Principles (APP).

2018 will see further coverage of the Act with the Notifiable Data Breach (NDB) scheme, which obliges entities to notify the authority and affected individuals in cases where personal information could be involved in a breach.

With the NDB scheme kicking in on 22 February, there will be more at stake for many businesses than ever. Here’s a summary of what it is.

What is the NDB scheme?
The Notifiable Data Breaches (NDB) scheme requires eligible entities to notify the authority of a likely breach, or the individuals whose personal information is involved where the breach is likely to result in serious harm. The amendment aims to provide affected individuals with notice after a breach so that they can take protective action against any related harm.

Who is impacted by the scheme?
Private sector organisations (individuals, bodies corporate, partnerships, unincorporated associations or trusts) formed in Australia that conduct business in the country or collect personal information from individuals located in Australia and that have, or are related bodies of an entity that has, an annual turnover of more than A$3 million. It also includes Australian government agencies and credit providers (e.g., those who issue credit cards).

Which data breach will need notification?
“Eligible data breaches” are breaches in which leaked personal information is likely to result in serious harm to the affected individual. There are also a few exceptions to note. For example, data breaches that are notified under s 75 of the My Health Records Act 2012 (My Health Records Act) do not need to be notified under the NDB scheme.

When are entities required to notify the breach?
Entities will have to consider whether the data breach is likely to result in serious harm to the affected individuals and, if so, the entity will need to notify the data breach.

Key takeaways

  1. Entities will be required to notify the Information Commissioner and affected individuals of data breaches that are likely to result in “serious harm”.
  2. If an entity suspects there has been a breach but is not certain that it is an “eligible data breach”, it must carry out an assessment to make that determination within 30 days.
  3. Consistent with other jurisdictions, there is a real potential for increased litigation concerning significant publicised breaches. This includes actions for failing to report a breach and class action litigation from a class of individuals who were affected by the data breach. Early notification of breaches will help claimants in identifying the type of claim to be made and the affected class of individuals.

For more up-to-date information, be sure to visit the OAIC website.
