The new Notifiable Data Breaches Scheme arrives 22 February 2018. Your business must comply with this scheme if it also has to comply with the Privacy Act. However, not every business needs to comply. Businesses that must comply include:

  • those with an annual turnover of more than $3 million;
  • credit reporting bodies;
  • health service providers; and
  • those that receive tax file numbers from people.

If your business fits into one of these categories, you will need to report a notifiable data breach to both the affected individuals and the Office of the Australian Information Commissioner (OAIC). This article explains when your business needs to report a data breach.

What is a Notifiable Data Breach?

You need to report a data breach if:

  • there is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information, that your business has collected;
  • the access or disclosure is likely to result in serious harm to one or more individuals; and
  • your business has not been able to prevent the likely risk of serious harm with remedial action.

All three factors must be present. For example, if you act quickly to contain the data breach so that serious harm is no longer likely, you do not need to report it.

Identifying a Data Breach

Broadly, a data breach is:

  • unauthorised access to personal information;
  • unauthorised disclosure of personal information; or
  • loss of personal information.

The new laws do not define these situations. However, OAIC has provided some guidance on what a data breach may look like.

| Type of Data Breach | Explanation |
| --- | --- |
| Unauthorised access of personal information | Where the information is accessed by someone who is not permitted to have access, including employees, contractors and external third parties. |
| Unauthorised disclosure of personal information | Where the information becomes visible to external third parties in a way that is not permitted under the Privacy Act. |
| Loss of personal information | Where the information is lost and that loss may result in unauthorised access or disclosure. |

Personal information is information that identifies a person, for example their name or address.

Identifying Serious Harm

Your business only needs to report a data breach if it is likely to result in serious harm. ‘Likely’ means there is at least a 50% chance. ‘Serious harm’ can include psychological, physical, emotional, financial or reputational harm to the individuals involved.

You judge this from the perspective of a person in your business’ position. This means that your business must consider many different factors when determining if serious harm has occurred:

| Serious Harm Factor | Explanation |
| --- | --- |
| Type of information | A release of names only would likely not cause serious harm. |
| The sensitivity of the information | Some types of information, such as medical records, are sensitive. |
| Whether you protected the information with security measures | If you protected the information with passwords, it may indicate that release of the information could cause serious harm. |
| Whether you removed personal details from the information or made it unintelligible | If you made the information unintelligible, for example by removing important details or encoding the information, this could help the information stay secure even after a breach, preventing serious harm. |
| Who obtained the information | The breach is more likely to cause serious harm if the information was widely distributed. |
| The likelihood that people who obtained the information could cause harm to the individuals | If criminals obtained the information, the breach is more likely to cause serious harm. |
| The likelihood that any security measures could be overcome | If the security measures were not strong enough, this would indicate that serious harm was likely to occur. |
| If your business could have obtained any security technology to minimise the risk of the harm | If your business could have stopped the breach, but did not, serious harm is more likely. |

Key Takeaways

To prepare for the NDB scheme, you need to be able to identify:

  • when a data breach occurs;
  • when it is a data breach that could result in serious harm; and
  • ways to take remedial action for these data breaches.

By taking action, you can prevent serious harm, avoiding the need to report a data breach.

If you need assistance in complying with the NDB scheme, call LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
Sam Auty
