Understanding the Australian Data Breach Notification Laws


No one wants to deal with a data breach, but if it happens, you need to know what to do—fast.

In Australia, the law is clear: if your organisation is covered by the Privacy Act 1988 and suffers a data breach that is likely to result in serious harm, you are legally required to notify the affected individuals and the Office of the Australian Information Commissioner (OAIC).

But what does this mean for your business?


What is the Notifiable Data Breaches (NDB) scheme?

The NDB scheme is Australia’s data breach notification law. It was added as Part IIIC of the Privacy Act 1988 and came into effect on 22 February 2018. It requires businesses and organisations that are subject to the Privacy Act to notify affected individuals and the OAIC when personal information they hold is involved in a data breach that is likely to result in serious harm. The idea behind the law is simple: people have a right to know when their personal information has been compromised so they can take steps to protect themselves.


Who does it apply to?

The NDB scheme applies to every entity already covered by the Privacy Act 1988: Australian Government agencies, and businesses and not-for-profit organisations with an annual turnover of more than $3 million. Some smaller businesses are also covered regardless of turnover, including private-sector health service providers, businesses that trade in personal information, credit reporting bodies, entities that handle tax file number information, and contracted service providers for Commonwealth contracts. In short, if you collect, store, or use personal information in Australia, it is worth confirming where you stand under this law rather than assuming the turnover threshold exempts you.


What counts as a data breach?

A data breach occurs when personal information held by your business is lost, accessed without authorisation, or disclosed without authorisation. This could be anything from an email sent to the wrong person, a laptop left on a train, or an attacker gaining access to your customer database. Under the scheme the breach is an “eligible data breach”, and therefore notifiable, when a reasonable person would conclude it is likely to result in serious harm to any of the individuals concerned. Serious harm can be physical, psychological, emotional, financial, or reputational. One important exception: if you act quickly enough that serious harm is no longer likely (for example, by remotely wiping a lost device before anyone can access it), the breach is not an eligible data breach and notification is not required.


What do you have to do if a breach occurs?

If you have reasonable grounds to suspect that an eligible data breach has occurred, the first step is to assess the situation. The Act requires a reasonable and expeditious assessment, completed within 30 days at most; the 30 days is a ceiling, not a waiting period, and you should not delay containment or notification while it runs. If the assessment shows that serious harm is likely and cannot be prevented by remedial action, you must prepare a statement for the OAIC and notify the affected individuals as soon as practicable. The statement must include your organisation’s identity and contact details, a description of the breach, the kinds of information involved, and the steps you recommend individuals take in response (for example, changing passwords or monitoring their accounts). Where you can, notify each affected individual directly; where that is not practicable, publish the statement on your website and take reasonable steps to publicise it.


Can you get in trouble if you don’t comply?

Yes. Failing to assess, notify, or cooperate under the NDB scheme is an interference with privacy, and serious or repeated interferences attract substantial civil penalties under the Privacy Act. The OAIC can also direct you to notify. Beyond the fines, a breach handled badly does lasting damage to your reputation. And if you do not notify affected individuals, you leave them exposed to identity theft, fraud, or other harm they could have guarded against, which is exactly what the NDB scheme is designed to prevent.


Conclusion:

Australia’s data breach notification laws exist to protect individuals’ personal information, and they place a real responsibility on the businesses that hold it.

Understanding your obligations under the NDB scheme is crucial for staying compliant and maintaining trust with your customers.

If you’re not sure where to start, or need help getting your data security in order, we’re here to help.
