By Cate Cloudsdale
Snapshot
- After five years in operation, the Notifiable Data Breaches scheme is now embedded in Australia’s privacy framework, with regulated entities expected to act quickly to notify the Australian Privacy Commissioner and affected individuals when an eligible data breach occurs.
- In the wake of large-scale data breaches impacting significant numbers of Australians, legal practitioners should review the trends highlighted in the OAIC’s most recent NDB report, note the regulatory powers available to the Commissioner, and pursue best practice approaches to privacy throughout the information life-cycle.
- The NDB scheme is the subject of a number of proposals in the Privacy Act Review Report.
The Notifiable Data Breaches scheme (‘NDB scheme’) marked its five-year anniversary earlier in 2023. Since the scheme commenced on 22 February 2018, the Office of the Australian Information Commissioner (‘OAIC’) has processed over 5,000 notifications and has published 13 reports highlighting the leading sources of data breaches, emerging issues and key risks for entities. Given the maturity of the NDB scheme, entities are expected to know their obligations and meet them in a timely manner.
Eligible data breaches – A refresher
The NDB scheme is set out in Part IIIC of the Privacy Act 1988 (Cth) (‘Privacy Act’). An eligible data breach occurs when:
- personal information is subjected to unauthorised access or unauthorised disclosure, or is lost in circumstances where unauthorised access or disclosure is likely to occur;
- a reasonable person would conclude that serious harm is likely to result from the unauthorised access or disclosure; and
- remedial action the entity has taken has not displaced the likely risk of serious harm (s 26WE).