
My App Has a Data Breach. Does the NDB Scheme Apply?

As a developer, you may build apps for many purposes, such as entertainment, information or social networking. Your application may collect personal information such as names, email addresses, location data and more. If that data is lost, misused or stolen, your business may have suffered a data breach. This article explains the steps you may need to take if you discover a data breach in your app and considers which laws might apply.

What is a Data Breach?

A data breach occurs when personal information is accessed or disclosed without authorisation, or is lost in circumstances where unauthorised access or disclosure is likely. Personal information includes any details that identify a person, or could reasonably identify them, such as a name or an email address.

Often, businesses think of data breaches as the work of hackers who steal data in planned attacks. However, human error and IT failures also cause data breaches, and the NDB scheme does not distinguish between them: what matters is the information exposed and the harm that may follow.

Examples of data breaches in apps include:

  • a criminal group that hacks your heart monitoring app to access sensitive medical information about its users;
  • an employee forgetting to encrypt sensitive user data held by the app, so it is readable by anyone who obtains a copy of it; and
  • a bug in the app that exposes users' private photos to other people without their consent.

If a data breach occurs, your business may have to comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth). The scheme sets out when and how data breaches must be reported. It applies to any business that is an APP entity under the Privacy Act (generally, a business with an annual turnover above $3 million), and also to smaller businesses that are:

  • health service providers;
  • credit reporting bodies; or
  • recipients of tax file numbers (TFNs), for example when you collect employees' TFNs to comply with tax rules.

However, not all data breaches require reporting. The NDB scheme only requires the reporting of an ‘eligible data breach’, which has three elements:

  1. personal information has been lost, disclosed to an unauthorised person or accessed by an unauthorised third party;
  2. a reasonable person would conclude that the loss, access or disclosure is likely to result in serious harm to one or more individuals; and
  3. your business has not been able to prevent the likely risk of serious harm by taking remedial action.

For example, hackers access the data of people who have signed up to use your heart monitor app. They steal information about their names, email addresses and medical conditions. The hacking group then publishes that information online. This situation would be an ‘eligible data breach’.

By contrast, suppose a developer on your team is accidentally sent customer data from your app while testing a feature, and the data is deleted before anyone else can access it. Because the remedial action removes the risk of serious harm, this is not an eligible data breach and does not need to be reported. Note that remedial action only works if you can be confident the data was not copied or viewed by anyone else in the meantime; if you cannot establish that, treat the breach as unresolved.


How Do I Respond to a Data Breach in my App?

If you suspect a data breach in your app, you should follow these steps to keep your customers safe and comply with your legal requirements. You should always consult an experienced privacy lawyer when responding to a data breach in your app.

1. Contain the Breach

Stop the breach from spreading. Revoke or rotate any credentials, API keys or access tokens that may have been exposed, and restrict access to the affected systems while you investigate. Check who has access to backup systems and confirm you can recover any lost customer information. Find out who controls the data processing and change permission settings immediately. Preserve logs and other evidence before you wipe or rebuild anything, as you will need them to work out what was accessed and by whom.

2. Assess the Breach

You must assess whether the breach is an eligible data breach within 30 calendar days of becoming aware that there are reasonable grounds to suspect one. Analyse the events that led up to the breach as well as its immediate consequences, and determine whether serious harm is likely to result.

3. Determine if the Breach is Serious.

You should ask yourself questions such as:

  • what is the potential harm?
  • did the breach involve sensitive information about users of the app, such as health information?
  • did the breach reveal financial or identity information, such as credit card or driver’s licence details?
  • who has the information as a result of the breach, and what are they likely to do with it?
  • was the information encrypted, and are the encryption keys still secure? (encrypted data whose keys were also exposed offers no protection); and
  • is the breach likely to cause serious physical, psychological, emotional, financial or reputational harm to the person or people affected?

4. Notify the Office of the Australian Information Commissioner (OAIC)

If your assessment concludes that an eligible data breach has occurred, you must notify the OAIC. You can do this online using the OAIC’s Notifiable Data Breach Form. You must prepare the statement and give it to the OAIC as soon as practicable after becoming aware of the eligible data breach. Because the assessment itself must be completed within 30 days, in practice this means notifying within 30 days of first becoming aware of the suspected breach, and sooner where you can.

5. Notify Affected Individuals At Risk of Harm

After you have notified the OAIC, you must also notify the affected individuals who use your app as soon as practicable. The notification must include:

  • your business’s name and contact details;
  • a description of the events that occurred;
  • the kinds of information affected; and
  • practical steps individuals can take to limit the risk, such as removing their credit card details from the app, changing their password, or closing their account.

6. Review the Incident

To prevent future data breaches, you should carefully review how you handled the incident. You may want to create a data breach response plan that sets out the steps your business will take if there is another data breach. It can be useful for businesses to have a quick reference on how to comply with the NDB scheme requirements. 

7. Update or Create New Documents

As part of your review, you should ensure your documents relating to privacy and data security are up-to-date and useful. You should have an IT Security Policy that states how you prevent data breaches within your app. In addition, your policy can explain:

  • how the business prevents misuse of customer data and information;
  • who can access the systems and devices that hold personal information, and what level of access they receive;
  • the mobile app’s security standards; and
  • an incident response procedure.

You can also draft a Privacy Compliance Manual to train employees on how to handle personal information and on what to do when a breach affects customer privacy. The manual should contain information on:

  • the use, disclosure and storage of personal information;
  • use of personal information for marketing purposes; and
  • a complaint procedure for customers.

Key Takeaways

Keeping customer data safe is essential for your business’ reputation. You must prepare to handle a data breach before it happens to your app. If a data breach occurs, you need to respond and follow your obligations under the NDB Scheme. Always consult with a lawyer to understand your legal responsibilities and how to react to a specific data breach.

If you need assistance understanding your obligations under Australian privacy laws, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

When does the Notifiable Data Breach (NDB) Scheme apply to my app?

The NDB scheme applies if personal information is lost, disclosed to an unauthorised person, or accessed by an unauthorised third party, and this is likely to result in serious harm that your business has not been able to prevent with remedial action. It is relevant to APP entities, health service providers, credit reporting bodies, and businesses that receive tax file numbers (TFNs).

What steps should I take if I discover a data breach in my app?

If you suspect a data breach, contain the breach, assess its seriousness within 30 days, and determine if it poses a risk of harm. If necessary, notify the OAIC and affected individuals, review the incident to prevent future breaches, and update your privacy and data security documents.

Danielle Pedersen

Lawyer

Danielle is a Lawyer at LegalVision in the Corporate and Commercial team. She regularly assists clients in understanding key legal documents required for their businesses and their regulatory obligations.

Qualifications: Bachelor of Laws, Graduate Diploma of Legal Practice, Bachelor of Commerce, University of New South Wales.
