August 2018 | Scott Freidman

On 22 February 2018, significant amendments to the Commonwealth Privacy Act 1988 came into effect establishing the Notifiable Data Breaches (NDB) scheme in Australia. Prior to these amendments, there was no legal requirement for entities (private or otherwise) to notify individuals whose personal information had been breached. The statutory changes are a positive step towards the protection of personal information. But what do they mean for business owners?

What are the changes?           

The amendments require entities to notify both compromised individuals and the Australian Information Commissioner where an ‘eligible data breach’ (“EDB”) has occurred. There are also statutory requirements in cases of a suspected EDB.

What is an ‘eligible data breach’?

An EDB occurs if both of the following conditions are satisfied:

  • there is unauthorised access to, or unauthorised disclosure of, information; and
  • a reasonable person would conclude that access to or disclosure of that information would likely result in serious harm to those to whom the information relates.

In a similar vein, an EDB is taken to have occurred when personal information is lost (as opposed to actively breached) and where unauthorised access/disclosure is likely to occur.

Who do the changes apply to?

The Privacy Act amendments apply to:

  • entities that already have obligations under the Privacy Act;
  • entities that have an annual turnover of more than $3 million; and
  • other credit/health providers and TFN recipients.

What to do if an EDB occurs?

If you suspect an EDB has occurred you must take all steps to ensure a ‘reasonable and expeditious’ assessment is made within 30 days.

If, following the assessment, you decide an EDB has in fact occurred; you must prepare an official notification for the Australian Information Commissioner as well as those individuals affected by the breach.

Official notification must be done online at the following link:

What preventative steps should you take as a business owner?

  1. You must have a reasonable Notifiable Data Breach strategy and communication plan in place.
  2. Be prepared to take action and notify affected customers and the Commissioner if an EDB occurs.
  3. Update your internal Privacy Policy.
  4. Ensure the ongoing security and effectiveness of your ICT system.

If you require further information or if you suspect an Eligible Data Breach may have occurred please contact me on (02) 9231 2466 or email