Thought you were prepared for a data breach? New rules could catch you out.


If your business handles personal information, then from 22nd February 2018 you may be required to comply with the new Notifiable Data Breaches scheme (NDB Scheme).

The Australian Information Commissioner (Commissioner) has published a variety of resources to assist businesses in complying with the NDB Scheme. Some key takeaways from the guidance include that you should:

  • review and assess the ways in which your business handles personal information, as well as your contracts with business partners and suppliers;
  • have a tried and tested ‘data breach response plan’ in place prior to the commencement of the NDB Scheme; and
  • develop and implement a procedure to assess any possible breaches so that the assessment can be done in a way that is ‘reasonable and expeditious’.

It is advisable to be well prepared when it comes to handling personal information: even if you use best efforts to deal with a breach and to comply with the notification requirements after the event, the Commissioner may still investigate and take regulatory action against you. The likelihood of regulatory action depends on your privacy law compliance, the nature of the breach, how your business handles the breach and the harm caused to the individuals affected by the breach.

Whilst the legislation allows some lead time in circumstances where you suspect that a data breach has occurred, the period available to respond adequately to a breach might, in certain circumstances, automatically be reduced to zero. That means you need to prepare now. Blueprint Law has set up a Data Breach Response Service to assist clients in preparing for the NDB Scheme and in responding to a data breach.

The NDB Scheme at a glance

Under the NDB Scheme, you must notify the Commissioner and affected individuals when an ‘eligible data breach’ has occurred; this is a breach where ‘personal information’ held by your business is lost or is subjected to unauthorised access or disclosure and the breach is likely to result in ‘serious harm’ to the affected individual(s).

Personal information is information or an opinion about an individual, whether true or not, from which an individual is reasonably identifiable. Examples include an individual’s name, address, telephone number, date of birth, medical records, financial details or commentary or opinion about that person.

If you suspect there has been an eligible data breach but haven’t yet determined its seriousness or the veracity of the claims being made about the breach, then within 30 days you must take all reasonable steps to assess whether there are reasonable grounds to believe the breach will result in ‘serious harm’ to the affected individuals. In determining whether the breach would be likely to cause harm, you need to consider a range of factors, including the kind of information, its sensitivity, whether the information is protected by security measures, whether those measures could be thwarted, and the types of harm that could be suffered. ‘Serious harm’ could include physical, psychological, emotional or economic harm, or harm to an individual’s reputation.

If, at any time in the course of assessing the breach, you make the determination that the breach will result in serious harm to any of the affected individuals, then ‘as soon as practicable’ you must prepare and give a statement to the Commissioner regarding the breach, determine which affected individuals to notify, and then notify those individuals. It is also possible for a business to apply to the Commissioner for a declaration that notification is not required for the breach.

If the Commissioner is aware there are reasonable grounds to believe there has been an eligible data breach, then the Commissioner also has the power to direct a business to prepare a statement to the Commissioner about the breach and notify affected individuals.

If a business fails to:

  • undertake a reasonably expeditious assessment of a breach and take all reasonable steps to complete that assessment within 30 days after suspecting a breach; or
  • notify affected individuals; or
  • comply with a direction from the Commissioner;

then this can lead to a range of regulatory action, including enforceable undertakings, an investigation by the Commissioner and fines.

Does the NDB Scheme apply to my business?

Some businesses that handle personal information may benefit from certain exceptions; for example, eligible small businesses may not be subject to the Privacy Act and the NDB Scheme. That said, businesses that might believe they can rely on the small business exception may be prevented from doing so, particularly if they handle health information or trade in personal information. Eligible small businesses may nonetheless want to adopt ‘best practice’, such as for reputational or governance reasons.

If the NDB Scheme applies to my business, are there exceptions?

Notification is not required where a business has taken action to remedy the data breach. However, the decision not to notify is one that should only be taken if you are certain that a reasonable person would conclude that, as a result of that remedial action, the loss, unauthorised access or disclosure would not likely result in serious harm to any of the affected individuals. Clearly, making this determination can require some detailed analysis of what a ‘reasonable person’ might conclude in the circumstances.

For now, there are some other practical steps businesses can take. For example, data breaches by two entities in respect of the same data may only require one entity to notify. If you work with business partners in transferring data between you and them, then you should think about agreeing contractually which entity is responsible for notifying any breaches under the NDB Scheme. Businesses should also review their insurance policies for the extent of cover for data breaches.

Preparation is key to ensure that your business can comply with the NDB Scheme. For some businesses, the question may be whether they are required to comply with the NDB Scheme at all. Businesses that wait until a breach occurs before ensuring they are compliant with the NDB Scheme will be at risk of significant regulatory scrutiny by the Commissioner: at absolute worst this could mean as much as $2.1m in fines for a business, but any investigation and adverse report from the Commissioner will be damaging and costly for any business.

At Blueprint Law, we pride ourselves on providing advice which makes sense of these complex areas of law, and love to help clients navigate a path to avoid the various pitfalls. Between us, we have years of varied in-house experience, so our commercial acumen is always brought to bear on our deep understanding of legal issues like these. We have prepared an NDB Toolkit to assist businesses prepare for the scheme, so if you’re interested in receiving a copy of it, please do get in touch.

Blueprint Law
T: 02 9300 3100

For further information or if you have any questions please contact:
Gary Rogers:
02 9300 3101

Andre Castaldi:
02 9300 3112