When running your business, you will have many privacy obligations to consider, one of these being how to handle a notifiable data breach (NDB). An NDB occurs when an individual’s data is lost or susceptible to unauthorised access. This kind of infringement requires your business to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals. In this article, we look at:

  • what a data breach is; 
  • what makes a data breach “serious”;
  • your business’ reporting obligations; and 
  • how your business can limit the impact of a breach. 

Application of the NDB Scheme 

The OAIC introduced the Notifiable Data Breaches Scheme (NDB Scheme) in February 2018.

The NDB Scheme outlines a business’ responsibilities if a data breach occurs, and applies to: 

  • businesses with an annual turnover of over $3 million;
  • credit reporting bodies;
  • businesses that trade in personal information; 
  • health service providers; and 
  • tax file number recipients.

If the NDB Scheme applies to you, you will need to comply with its reporting obligations.

What Does a Notifiable Data Breach Look Like? 

A data breach occurs when:

  1. personal information is lost, or there is unauthorised access or disclosure of information to a third party;
  2. the loss, disclosure or access could result in serious harm; and
  3. your business is not able to reduce this harm.

The breach is notifiable if you have met all three conditions. Therefore, if the harm is not serious or if you can implement steps to reduce the harm, then it may not be notifiable.

The OAIC website has many resources to help you determine whether a data breach is notifiable.

What Makes the Harm of a Data Breach Serious? 

Whether a data breach could result in “serious harm” is assessed from the perspective of a “reasonable person” in the position of your business. This assessment takes into account several factors, including:

  • whether the harm is financial, physical, psychological or reputational;
  • whether the information lost, disclosed or accessed is sensitive;
  • who has obtained or could obtain the information; and
  • whether effective security measures were in place to protect the information.

For example, suppose an online marketplace is hacked by a malicious third party, exposing customers’ personal information and credit card details. This could lead to financial loss or identity theft for those customers.

Your Reporting Obligations

Once you have determined that an NDB has occurred, you must report the breach to the OAIC and any affected individuals. You should first prepare a statement of events to be submitted to the OAIC, including:

  • a summary of how the breach occurred;
  • what data was lost, disclosed or accessed;
  • the effect of the breach; and
  • your business name and contact details.

You can report a breach to the OAIC using the OAIC’s online notification form.

Similarly, it is crucial to directly notify the individuals who are at risk of harm. If you cannot contact them directly, you should publish a statement on your website. The notification should:

  • summarise the events of the breach;
  • outline the potential impact; and
  • detail the actions you are taking to mitigate any risks.

Limiting the Impact of a Data Breach

Prevention is vital when it comes to data breaches. You can implement technological features to minimise the risk of breaches, including the:

  • use of reputable cybersecurity software; 
  • storage of documents and passwords in secure locations; and
  • use of email delay functions to quickly recall emails that your employees should not have sent. 

In addition, you can minimise human error by:

Regardless of any precautions you take, you should still ensure that you prepare for a data breach occurring due to factors outside your control. You can limit the impact of a breach by implementing a Data Breach Response Plan (DBR Plan). Your plan should set out:

  • who in the business is responsible for dealing with the breach; and 
  • what actions they must take if a breach occurs. 

After a breach occurs, containing the breach should be your primary focus. This involves limiting the impact of the breach by:

  • recovering lost records; 
  • remotely deleting files; 
  • shutting down the system that resulted in the breach; and 
  • removing certain individuals’ access to the system.

Key Takeaways

Notifiable data breaches are a threat to every business, particularly as more and more information is transmitted electronically. If the NDB Scheme applies to your business, make sure that you are prepared for a data breach and can respond appropriately by: 

  • containing the breach; and
  • notifying the OAIC and affected individuals if necessary. 

If you are looking for advice on your privacy obligations or for a team of experts to draft your policy documents, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.