Will the Notifiable Data Breaches scheme impact your website?

David Wilson - Feb 21, 2018

What is the Notifiable Data Breaches (NDB) scheme?

The NDB scheme requires specific entities to notify individuals whose personal information has been involved in a breach that may result in serious harm. Affected individuals must also be informed if any steps are required on their behalf in response to the breach. Further, the Australian Information Commissioner must also be notified through the Notifiable Data Breach statement form.

Who needs to comply?

All agencies and organisations with existing personal information security obligations under the Australian Privacy Act need to comply. This tends to include Australian Government agencies, businesses and not-for-profit agencies with an annual turnover of AUD $3 million or more, credit reporting bodies, health service providers, and TFN recipients. If you are unsure whether your entity needs to comply, please visit the following OAIC resource.

When does the scheme come into effect?

The NDB scheme comes into effect on February 22nd, 2018.

Where to go for more information

The OAIC has a page dedicated to the NDB scheme, with a large number of resources that will guide you and your organisation through the new processes.
