
If you are a startup founder, you are probably overwhelmed with the different rules and regulations that your new business has to follow. If your business collects personal information, you may be required to comply with a new regulation: the Notifiable Data Breaches (NDB) scheme. Coming into effect on 22 February 2018, the NDB scheme established obligations for Australian Privacy Principle (APP) entities. This article explains whether or not your startup needs to comply with the NDB scheme and what to do if you are affected by a data breach.

Do I Need to Comply With the NDB Scheme?

The first step in determining how the NDB scheme will affect your startup is figuring out whether the APPs will apply to you. If you are an early-stage startup, you may not have considered your privacy obligations yet. The APPs (and, subsequently, the NDB scheme) will apply if you are considered an APP entity. An APP entity is any sole trader, partnership, trust, company or unincorporated association that has:

Most early-stage startups may find themselves outside the scope of the APPs, given that they are likely to have less than $3 million in annual turnover. If this is true for your business, it is still worth familiarising yourself with the APPs and the NDB scheme, so that you are prepared if you undergo rapid growth in the future.

You may also choose to become an APP entity voluntarily to strengthen your pitch to potential investors and high profile clients.

For example, it is not uncommon for larger companies (likely to be APP entities) to ensure that their service providers are also compliant with the APPs.

Tax File Number Recipient

If you have hired employees, you should be in possession of their tax file numbers (TFNs). If so, you will need to comply with the NDB scheme and other privacy obligations in case a data breach causes the TFNs to be compromised.

So, if you are not yet an APP entity, but have hired or are close to hiring others, you will need to be aware of the NDB scheme below.

What is a Data Breach?

The NDB scheme places additional obligations on APP entities to report data breaches to the Office of the Australian Information Commissioner (OAIC). A data breach occurs when personal information held by your startup is accessed or disclosed without authorisation. It also occurs if you lose this personal information.

“Personal information” is information about an identified individual or an individual who is able to be reasonably identified. Some common examples are:

  • name;
  • date of birth;
  • email;
  • address;
  • occupation;
  • gender; and
  • health information.

When you hear the term “data breach”, you might immediately think of a computer hack. It is crucial to note that a data breach does not need to involve malicious or criminal intent. It may also arise by human error or a failure in your IT system. Some examples of data breaches include:

  • losing physical devices like laptops, hard drives or paper forms that contain personal information;
  • unauthorised access by an employee;
  • sending an email to the wrong person by mistake;
  • selecting cc instead of bcc in an email; or
  • accidentally forwarding information to unauthorised parties.

If a data breach occurs, the next step is to determine whether it is eligible for mandatory notification to the OAIC.

Eligible Data Breach

An eligible data breach arises when:

  1. there has been unauthorised access to, or unauthorised disclosure of, personal information;
  2. a reasonable person would conclude that this breach would be likely to result in serious harm to any of the individuals to whom the information relates. This includes physical, psychological, emotional, financial or reputational harm; and
  3. the entity has not been able to prevent the likely risk of serious harm with remedial action.

For example, you leave your company phone on the train on the way to work. You immediately realise this upon getting to the office and request your IT team to wipe the phone remotely.

You had both a passcode and fingerprint scanner on the phone so you are confident the phone’s contents could not have been accessed in the period between you leaving the train and wiping the phone. Therefore, reporting the breach is likely not necessary.

How to Assess if the Data Breach Has Occurred

If you suspect that a data breach has occurred, but are uncertain, then you will need to take all reasonable steps to complete an assessment. You must do this within 30 calendar days of becoming aware of the suspected data breach. You should treat this 30-day period as the maximum time limit, and try to complete the assessment as soon as possible.

However, if you cannot reasonably complete the assessment within that time, you should have documented evidence which outlines:

  • that all reasonable steps have been taken to complete the assessment within 30 days;
  • the reasons for the delay; and
  • that the assessment was reasonable and efficient.

There are three recommended steps for assessing whether a data breach has occurred. You must:

  1. decide whether an assessment is necessary and assign the person or team that will be responsible for completing it;
  2. gather all relevant information immediately, focusing on key questions like:
    • who was involved in the suspected breach;
    • what information may have been compromised;
    • where, when and why the breach occurred; and
    • what the likely impact of the breach is; and
  3. evaluate the information and decide whether the identified breach is an eligible data breach.

If you have reasonable grounds to believe that an eligible data breach has occurred, you will need to notify both the affected individuals and the OAIC.

There are three options available when notifying affected individuals. You should consider each option in light of what is practicable for your startup. Whatever option you choose, your notification should include the following information:

  • your startup’s business and contact details;
  • a description of the eligible data breach;
  • the type of personal information that was involved in the data breach; and
  • a recommended way of responding to the data breach. For example, cancelling credit cards or changing online passwords.

1. Notify All Individuals

If practicable, you can notify all the individuals whose personal information was part of the data breach.

This option may be the simplest method. It may also be appropriate when more than one person’s information has been breached and you are unable to assess which individuals are at risk of serious harm.

2. Notify Only Those at Risk of Serious Harm

If it is practicable, you can choose to notify only those individuals who are at risk of serious harm from the data breach.

However, if the eligible data breach involved multiple people’s personal information and you are unable to identify who is actually at risk of harm, you should use option one.

3. Publish Notification

While options one and two are the preferred methods of notification, in some circumstances, they may not be practicable. If so, then you must publish a statement on your website that outlines relevant information on the breach. Further, you must proactively publicise the statement and its contents.

For example, you may ensure that the data breach is advertised in the news or on social media.

Notifying the OAIC

If you are aware of a potential data breach that has a risk of serious harm, you must notify the OAIC. For your convenience, the OAIC has an electronic form that you can submit to notify it of the breach. You should include the same information as you would when notifying individuals.

Key Takeaways

Most early-stage startups will be exempt from the NDB scheme as they are not APP entities. However, if you are looking to grow rapidly, it may only be a matter of time before you become an APP entity and compliance with the NDB scheme becomes mandatory. Alternatively, you may have chosen to become an APP entity voluntarily. The key considerations of the NDB scheme for your startup are:

  1. whether you are an APP entity or TFN recipient;
  2. whether you know what a data breach and an eligible data breach are;
  3. whether you know how and when to conduct an assessment to confirm whether a data breach has occurred; and
  4. whether you know how and when to notify affected individuals and the OAIC.

If you need assistance confirming how the NDB scheme may affect your startup, get in touch with one of LegalVision’s startup lawyers today on 1300 544 755 or fill out the form on this page.

Justin Ocsan