New data breach rules that came into effect from 22 February 2018 will impact organisations that handle personal information on their clients.
The Notifiable Data Breaches (NDB) scheme applies to all agencies and organisations that collect personal information about their clients.
Common examples of personal information are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, and commentary or opinion about a person. Any organisation that experiences a data breach that is likely to result in serious harm is required to notify the individuals whose personal information is involved. This notification must include recommendations about the steps those individuals should take in response to the breach.
The Australian Information Commissioner must also be notified of eligible data breaches as soon as practicable.
Who must comply?
The NDB scheme applies to Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.
When to notify
A data breach is an unauthorised access or disclosure of personal information, or loss of personal information. The NDB scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected. These are referred to as ‘eligible data breaches’.
If a business becomes aware that there are reasonable grounds to suspect a breach that is likely to result in serious harm to any affected individual, it must carry out a reasonable and expeditious assessment of the relevant circumstances within 30 calendar days.
Responding to data breaches
An effective data breach response generally follows a four-step process – contain, assess, notify, and review. Data breaches can have serious consequences, so it is important that entities have robust systems and procedures in place to identify and respond effectively.
For detailed information on the Notifiable Data Breaches scheme, please refer to the Australian Government Office of the Information Commissioner website at www.oaic.gov.au.