
When running your business, you will have many privacy obligations to consider, one of these being how to handle a notifiable data breach (NDB). An NDB occurs when an individual’s personal information is lost, or is accessed or disclosed without authorisation, in circumstances likely to cause serious harm. This kind of breach requires your business to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals. In this article, we look at:

  • what a data breach is; 
  • what makes a data breach “serious”;
  • your business’ reporting obligations; and 
  • how your business can limit the impact of a breach. 

Application of the NDB Scheme 

The OAIC introduced the Notifiable Data Breaches Scheme (NDB Scheme) in February 2018.

The NDB Scheme outlines a business’ responsibilities if a data breach occurs, and applies to: 

  • businesses with an annual turnover of over $3 million;
  • credit reporting bodies;
  • businesses that trade in personal information; 
  • health service providers; and 
  • tax file number recipients.

If the NDB Scheme applies to you, you will need to comply with its reporting obligations.

What Does a Notifiable Data Breach Look Like? 

A data breach occurs when:

  1. personal information is lost, or there is unauthorised access or disclosure of information to a third party;
  2. the loss, disclosure or access could result in serious harm; and
  3. your business is not able to reduce this harm.

The breach is notifiable if you have met all three conditions. Therefore, if the harm is not serious or if you can implement steps to reduce the harm, then it may not be notifiable.

The OAIC website has many resources to help you determine whether a data breach is notifiable.

What Makes the Harm of a Data Breach Serious? 

Whether a data breach could result in “serious harm” is based upon the perspective of a “reasonable person” in the position of your business. This will consider several factors, including:

  • whether the harm is financial, physical, psychological or reputational; 
  • whether the information lost, disclosed or accessed is sensitive;
  • who has obtained or could obtain the information; and
  • whether effective security measures were in place to protect the information.

For example, suppose an online marketplace is hacked by a malicious third party, exposing customers’ personal information and credit card details. This could lead to financial loss or identity theft for those customers, and would therefore likely amount to serious harm.

Your Reporting Obligations

Once you have determined that an NDB has occurred, you must report the breach to the OAIC and any affected individuals. You should first prepare a statement of events to be submitted to the OAIC, including:

  • a summary of how the breach occurred;
  • what data was lost, disclosed or accessed;
  • the effect of the breach; and
  • your business name and contact details.

You can report a breach to the OAIC using the notification form on the OAIC website.

Similarly, it is crucial to directly notify the individuals who are at risk of harm. If you cannot contact them directly, you should publish a statement on your website. The notification should:

  • summarise the events of the breach;
  • outline the potential impact; and
  • detail the actions you are taking to mitigate any risks.

Limiting the Impact of a Data Breach

Prevention is vital when it comes to data breaches. You can implement technological features to minimise the risk of breaches, including the:

  • use of reputable cybersecurity software; 
  • storage of documents and passwords in secure locations; and
  • use of email delay functions to quickly recall emails that your employees should not have sent. 

In addition, you can minimise human error by:

Regardless of any precautions you take, you should still ensure that you prepare for a data breach occurring due to factors outside your control. You can limit the impact of a breach by implementing a Data Breach Response Plan (DBR Plan). Your plan should set out:

  • who in the business is responsible for dealing with the breach; and 
  • what actions they must take if a breach occurs. 

After a breach occurs, containing the breach should be your primary focus. This involves limiting the impact of the breach by:

  • recovering lost records; 
  • remotely deleting files; 
  • shutting down the system that resulted in the breach; and 
  • removing certain individuals’ access to the system.

Key Takeaways

Notifiable data breaches are a threat to every business, particularly as more and more information is transmitted electronically. If the NDB Scheme applies to your business, make sure that you are prepared for a data breach and can respond appropriately by: 

  • containing the breach; and
  • notifying the OAIC and affected individuals if necessary. 

If you are looking for advice on your privacy obligations or for a team of experts to draft your policy documents, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.
