The NDB scheme, or Notifiable Data Breach scheme, is a requirement that was developed by the Australian government for all agencies and organisations regulated under the Privacy Act 1988. These entities are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach. The scheme commenced on 22 February 2018 and outlines exactly how an organisation should proceed when a breach occurs.
The Australian government has created two guides on what to do when a breach occurs.
- Data breach preparation and response guide – Provides guidance for entities to prepare and respond to data breaches
- Data breach guidance for individuals – Provides information for individuals in the case of a data breach or lost or hacked personal information
History and Overview
The NDB scheme was established by the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017. The scheme applies from 22 February 2018 to all organisations and agencies with existing personal information security obligations under the Privacy Act. It obligates these entities to notify anyone whose personal information has been involved in a data breach that is likely to cause serious harm. The notification must include recommendations about the steps individuals should take in response to the data breach. The Australian Information Commissioner must also be notified.
To comply with the NDB scheme, agencies and organisations must prepare for the possibility of a data breach and plan how to respond quickly to reduce and contain the resulting harm. To notify the Commissioner, entities should use the Notifiable Data Breach form.
Section 6 of the Privacy Amendment (Notifiable Data Breaches) Act 2017 says that the scheme applies to incidents where personal information is subject to unauthorised access or disclosure, or is lost.
Who Must Comply?
Agencies and organisations that the Privacy Act requires to secure specific categories of information are required to comply with the NDB scheme. This list includes Australian Government agencies, not-for-profit organisations and businesses with an annual turnover of $3 million or more, health service providers, credit reporting bodies, and TFN recipients.
When is Compliance Required?
A data breach occurs when personal information stored by an organisation is lost or subjected to unauthorised access or disclosure. Not every data breach requires compliance. Only those data breaches involving personal information that are likely to cause serious harm require NDB scheme compliance. The NDB scheme calls them “eligible data breaches.”
Examples of a qualifying data breach include:
- A database with personal information is hacked
- Personal information is provided to the wrong person by mistake
- A device containing customers’ personal information is stolen or lost
The Data breach preparation and response guide outlines a few exceptions that don’t require notification. If a data breach is suspected, agencies and organisations are required to quickly assess whether it is likely to cause serious harm.
How to Notify
If an eligible data breach has occurred, individuals at risk of serious harm must be promptly notified. The Commissioner must also be notified as soon as practical. Notification must include the following information:
- Name and contact details of the organisation
- Description of the data breach
- Types of information affected
- Recommendation of steps that individuals should take in response to the data breach
The Commissioner is notified using the Notifiable Data Breach form.
Role of the OAIC
The Commissioner has several roles under the NDB scheme.
- Receiving notifications of data breaches
- Encouraging compliance through handling complaints, taking regulatory action and conducting investigations
- Offering guidance to organisations, and information to the public about the scheme