New data breach reporting obligations commence in Australia

As of 22 February 2018, many businesses operating in Australia must disclose certain data breaches under the Notifiable Data Breach Scheme.

The NDB Scheme applies to all Federal Government agencies, business and not for profits with a turnover greater than $3 million, as well as all other businesses who collect personal information or provide health services. This includes for example, sole medical practitioners who hold personal or sensitive information about patients.

A data breach occurs when personal information is lost, accessed or disclosed without authorisation. All ‘eligible data breaches’ must now be notified to the Office of the Australian Information Commissioner. A breach is eligible if it:

  • involves unauthorised access to or disclosure of personal information
  • is likely to result in serious harm to an individual
  • the entity has not been able to prevent the risk of harm with swift remedial action.

‘Serious harm’ is a wide ranging concept which includes financial harm, identity fraud, physical harm,  intimidation, or family violence.

Notification must also be given to all individuals who are likely to suffer serious harm from the breach, as soon as practicable after the breach has been ascertained. The notice must include recommendations about what steps individuals should take in response to the breach.

Penalties for non-compliance include fines of up to $2.1 million.

The OAIC has provided a number of resources to assist businesses with their compliance obligations, which can be found at