From 22nd February 2018, the Notifiable Data Breaches scheme (NDB) comes into effect in Australia. Does your company have to comply with the requirements?

Australian privacy act

The NDB Scheme – Executive summary in layman's terms

If your company or your employer stores sensitive information about its customers in a database or on a computer, they are going to have to be very careful with that information or face the consequences.

Employers need to increase their IT security to minimise the chances of being hacked and having that sensitive data fall into the wrong hands.

If a security breach DOES happen, from 22 February 2018 the company needs to assess the breach and possibly notify each affected customer of that breach, along with the Office of the Australian Information Commissioner (OAIC).

The NDB scheme is an extension of the Australian Privacy Act 1988 (Privacy Act), and failure to comply may mean a breach of the Act.


See also ABC News Article here: Breaches

What is the Notifiable Data Breaches scheme?

The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.

Who must comply with the NDB scheme

The NDB scheme will apply to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes:

  • Australian Government agencies
  • All businesses and not-for-profit organisations with an annual turnover of $3 million or more
  • plus some small operators such as:
    + entities that provide any health services or private sector health service providers. Organisations providing a health service include:
      - traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
      - complementary therapists, such as naturopaths and chiropractors
      - gyms and weight loss clinics
      - child care centres
      - private schools
      - private tertiary educational institutions
    + entities that trade in personal information – that is, entities that disclose personal information about individuals to anyone else for a benefit, service or advantage; or entities that provide a benefit, service or advantage to collect personal information about another individual from anyone else (brokers)
    + credit reporting bodies
    + Tax File Number (TFN) recipients (if annual turnover is below $3 million, the NDB scheme will apply only in relation to TFN information); this applies to accountants
    + organisations providing services to the Commonwealth under a contract
    + credit providers (banks, mortgage brokers, finance brokers)
    + entities operating a residential tenancy database, i.e. real estate or rental agencies

Does my small business need to comply with the Australian Privacy Principles?

Penalties for non-compliance

Penalties for not notifying affected parties and the OAIC of a notifiable breach include fines of $360,000 for individuals and $1.8 million for organisations.

Preventing Data Breaches

To prevent a data breach occurring in the first place there are a number of recommended steps as provided by the Office of the Australian Information Commissioner.

This link provides guidance on a range of ICT security topics.

Data Breach Response Plan

All eligible companies require a Data Breach Response Plan. To meet your obligations under the Privacy Act, an entity must take reasonable steps to protect the personal information that it holds; those reasonable steps include having a data breach response plan.

and Compliance Auditing

The IT Guys can perform auditing of your ICT systems to help you comply with the Australian Privacy Act, develop policies and procedures, and increase your cyber-security to reduce the likelihood of a data breach, as well as to respond to and deal with such breaches should they occur.

Please call and speak to John or Tim to arrange a meeting.



2 comments to “The Notifiable Data Breaches (NDB) scheme (Australia) starts 22 Feb 18. Is your company affected?”

  1. Mark - February 22, 2018

    Finance and mortgage brokers are technically not captured here as they are credit assistance providers and not credit providers. As for trading in personal information, brokers don't do that for profit… so again technically an exemption based on the strict interpretation of the inclusion criteria (brokers collect information and most have their own consent for collection and retention of personal information). Most brokers (about 99% of brokers) don't meet the profit / revenue benchmarks either.

    The only reason that brokers abide by existing NPP guidance is that marketing is a secondary activity of a mortgage broker's business and, by association, generates leads which may or may not lead to profit… but they certainly do not trade in personal information.

    Having said that, it's a great article and it's fantastic that you post these messages.
