What Australian Organisations Need to Know About the Notifiable Data Breaches Scheme

September 28, 2023

The Notifiable Data Breaches scheme has been in operation since 2018, and organisations are still making the same mistakes. The most common one is discovering a breach, spending two or three weeks investigating it internally, and only then asking whether notification was required. By that point, the thirty-day assessment window is either closing or already closed, and the organisation is now in a more difficult position than if it had started the assessment process immediately.

The NDB scheme does not require you to notify when a breach occurs. It requires you to notify when you have reasonable grounds to believe an eligible data breach has occurred. Understanding that distinction, and building a decision process around it, is the practical work that most organisations have not done.

What Constitutes an Eligible Data Breach

An eligible data breach under the Privacy Act 1988 has three elements. First, there must be unauthorised access to, or disclosure of, personal information, or the loss of personal information in circumstances where unauthorised access or disclosure is likely to occur. Second, the breach must be likely to result in serious harm to any of the individuals whose information was affected. Third, the organisation must not be able to prevent the likely harm through remedial action.

The serious harm threshold is the element that most organisations misunderstand. It is assessed against a list of factors set out in the Privacy Act, including the nature and sensitivity of the information, the number of individuals affected, the persons who have obtained or could obtain the information, and the likelihood of harm. A database of encrypted email addresses accessed by an unknown party is different from a document containing tax file numbers and health information accessed by a specific individual. The assessment is not automatic. It requires a genuine evaluation of the circumstances.

The Thirty-Day Assessment Window and How It Works

Once an organisation is aware that there are reasonable grounds to suspect an eligible data breach may have occurred, it has thirty days to complete a reasonable and expeditious assessment. This is not thirty days to decide whether to notify. It is thirty days to conduct an assessment that should result in either notifying or concluding that no eligible breach occurred. The assessment period is not a holding pattern. It has a defined outcome and a defined timeline.

Practical implications follow from this. The organisation needs to document what it knew and when it knew it. It needs to record the steps taken in the assessment and the reasoning behind the conclusion. If the conclusion is that notification is required, notification must go to both the Office of the Australian Information Commissioner and the affected individuals, unless notifying individuals would be impractical or involve excessive resources, in which case a public notice may be appropriate. These processes need to be pre-built, not designed under time pressure.

Building Your Decision Process Before You Need It

The organisations that handle NDB obligations well are the ones that have built the decision process into their incident response procedure. That means a named person or role responsible for initiating the assessment process when a potential breach is identified, a legal or privacy advisor relationship that can be engaged quickly, documented criteria for evaluating serious harm in the context of the organisation's data holdings, and a template for OAIC notification.

The privacy team and the security team need to be operating in parallel from the moment a potential breach is identified. Security focuses on containment and investigation. Privacy and legal focus on the assessment clock, the notification threshold, and the documentation trail. In many organisations these functions are not coordinated, which is why assessments start late and notifications arrive without adequate supporting documentation. Coordination needs to be designed, not assumed.

Scope, Exemptions, and Third-Party Breaches

The NDB scheme applies to Australian Privacy Act-regulated entities, which includes organisations with annual turnover above $3 million, health service providers, and several other specified categories regardless of turnover. Some smaller organisations that have opted into the Privacy Act, or that handle specific data types, are also caught. If you are unsure whether your organisation is in scope, you should assume that it is and seek advice.

Third-party breaches are a frequently overlooked complexity. If a service provider that holds personal information on your behalf experiences a breach, the Privacy Act obligations may rest with your organisation, not theirs, depending on the contractual arrangements and the nature of the relationship. Your contracts with data processors should address this explicitly, and your incident response process should include a procedure for triaging third-party breach notifications and initiating your own assessment process where required.

To discuss NDB scheme obligations and incident response procedures for your organisation, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
Cyber Strategy
Written by
Saaim Khan
Chief Innovation Officer
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?