Notifiable Data Breaches Scheme.

What is the NDB Scheme?

The NDB Scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act of 1988.

This scheme is effective as of the 22nd of February 2018, covering breaches on or after this date.

The scheme was introduced as an obligation to notify individuals whose personal information is involved in a data breach, that is likely to result in serious harm.

Notification must include recommendations about the steps individuals should take in response to a breach.

The Australian Information Commissioner must also be notified of these data breaches.

Which data breaches require notification?

All breaches that result in serious harm to any individuals.

A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.

Examples are:

  • A device containing customers personal information is lost or stolen.
  • A data base containing personal information is hacked.
  • Personal information is mistakenly provided to the wrong person.

Why is this Scheme Important?

The NDB is important because it supports greater community confidence that personal information is being protected and respected and encourages a higher standard of personal information security across Australian industries.

It also minimises damage that can result from a data breach.

Who must comply?

This will apply to all agencies / businesses / organisations and not for profit organisations with an annual turnover of 3 million or more, credit reporting bodies, health service providers and TFN recipients and others.



Web: Https://                          Contact:

Brisbane - 07 3054 4312 | Sydney - 02 8123 3003 | Melbourne - 03 8672 2974



Steps to follow if a breach is suspected

Ensure Personal Information is Secure in Accordance with APPs.

If suspected data breach – Contain suspected breach where possible. Limit further access of affected personal information. For more information contact the following: 1300 363 992

OAIC suggests a three-stage process –

1.       Initiate – plan the assessment and assign a team person.

2.       Investigate – gather relevant information to determine what has occurred.

3.       Evaluate – Make an evidence based decision – Is serious harm likely?

The OAIC recommends this to be documented within 30days.

Assess- Does the breach result in serious harm?        If yes- You Must Notify.

Remedial Action –

Take steps to reduce harm to any individuals.

Take action to recover lost information before unauthorised action can occur.

Notify – When Serious Harm is Likely – Prepare statement for commissioner that contains – the following information.

·         Identity and contact details.

·         A description of the breach.

·         The kinds of information concerned.

Recommend steps for individuals.

·         Notify affected Individuals.

·         Notify affected individuals only at risk.

·         Publish a statement on the entity’s website and publicise it.

·         Notify commissioner where necessary.

·         You can include an apology and explanation of the breach to those affected.


If remedial action is successful and serious harm is no longer likely – then notification is not required.

Review – Review and take action to prevent future breaches.

·         Investigate cause of breach.

·         Develop a prevention plan

·         Conduct Audits – implement a plan. Update security response plan.

·         Consider changes to policies and procedures.

·         Revise staff training practices.

·         Report – report to relevant bodies – Police, ASIC, APRA, ATO, The Australian Cyber Security Centre, Professional bodies and Your financial advisor.

Then progress to the review stage.                 

Layer 8 Security is helping many organisations to become prepared for the legislation changes and to reduce their exposure and risk profile.

This has added benefits to organisations in that these organisations receive lower premiums for cyber insurance.

The legislation has already raised awareness of the need for Cyber Risk Insurance, which has become the fastest growing commercial segment of Australia’s insurance market.

The new rules are sent to change organisations attitudes towards how they report cyber-attacks and what they regard as a cyber-attack.

Under the Australian legislation, organisations that have a turnover of more than A$3m, as well as government agencies must notify the Privacy Commissioner and individuals affected by a data breach.

These new laws are enforceable from the 22nd of February 2018 and civil penalties are in place for not complying. These range up to A$360,000 for individuals and A$1.8m for corporate bodies.

You ask, what is Serious Harm? Or what constitutes a breach.

Serious harm is the disclosure of any Personal identifiable information about a company or individual or organisation.

This information is to assist you in ensuring your readiness and compliance for the National Data Breach Scheme, or for more information on our Security Awareness Program, please contact; Layer 8 Security at

Article written by Michelle de Haan, Director, Layer 8 Security. She can be contacted via: