Understanding the Notifiable Data Breaches Scheme

data breach september 2018


On 22nd February 2018 mandatory data breach notification (Notifiable Data Breaches Scheme) obligations came into effect. This scheme, arising out of amendments to the Privacy Act 1988 (Cth), requires organisations to notify individuals whose personal information is involved in a data breach and to recommend the steps they should take in response to the breach. Therefore, whether as an individual or as a business owner, it is vital that you understand your rights and responsibilities under this new scheme.

It’s easy to think that data breaches relate only to computer “hacking” situations or the like, but that’s not always the case. A data breach can occur simply from leaving confidential papers on your desk, not collecting your printed documents from the printer, losing your mobile phone, iPad or a USB drive, or by misplacing a hard copy document.

Any business with a turnover greater than $3 million per annum is subject to the scheme and must have in place a documented Data Breach Response Plan which clearly sets out the procedures to be followed in the event that a data breach has occurred, or is likely to have occurred. The Plan should also be consistent with, and complementary to, the organisation’s Privacy Policy.

A data breach occurs when personal information is lost or subjected to unauthorised access or disclosure. Personal information is information that identifies, or is about, an individual person. If the breach is likely to result in serious harm to any of the individuals concerned, the Office of the Australian Information Commissioner (OAIC) must be notified, as well as the individuals affected.

Having a documented plan enables an organisation to quickly respond to a data breach, decrease the impact on the affected individual(s), reduce costs in dealing with a breach and reduce the potential reputational damage to the organisation itself.

The OAIC suggests an organisation adopt a risk-based approach to the evaluation and assessment of a breach and undertake four basic steps:

1. Contain the breach and make a preliminary assessment

2. Evaluate the risks for individuals associated with the breach

3. Consider breach notification, i.e. whether the breach is serious and it is therefore necessary to advise the OAIC

4. Review the incident and take action to prevent a similar breach occurring in the future

The European Union (EU) has introduced what many experts believe is a more stringent regime in the General Data Protection Regulation (GDPR), which is effective from 25 May 2018. As the law is extraterritorial, any Australian entity must comply if it has an establishment in the EU, offers goods or services to individuals in the EU, or monitors the behaviour of individuals in the EU. The penalties for non-compliance are substantial.

As you would expect, ESV has experience in the development of Data Breach Response Plans. Please contact your ESV engagement partner on 02 9283 1666 if you require further information or assistance in complying with the Notifiable Data Breaches Scheme.