Notifiable Data Breach Legislation: Update

5 months ago | by Jayde Austin

Read time: 4 minutes

The Privacy Amendment (Notifiable Data Breaches) Act 2017 came into full effect on 22nd February 2018, and the first quarterly report including the new legislation was released this month – with interesting insights.


Just to re-cap, the new legislation requires all businesses with an annual turnover of at least $3 million, as well as smaller organisations that handle personal data, to notify the Office of the Australian Information Commissioner (OAIC), and any impacted clients, when a significant data breach occurs. This formalises the Australian population’s expectations of transparency when a serious data breach occurs. According to the 2017 Australian Community Attitudes to Privacy Survey, 94 per cent of Australians believe they should be told when personal information is lost by a business.

Businesses affected by this legislation include:

  • Australian government agencies,
  • Businesses with an annual turnover of at least $3 million,
  • Any small organisations that handle health data,
  • Any for-profit, government, or not-for-profit organisations dealing with any of the following:
    • Credit reporting or building data
    • Personally identifiable information, or
    • Tax data.

It’s said that this scheme provides individuals with the chance to take steps that reduce their risk of experiencing harm, such as changing relevant passwords for online accounts that have been exposed. This can reduce the overall impact of a breach. More broadly, the transparency provided by the NDB scheme reinforces Australian Government agencies’ and businesses’ accountability for personal information protection and encourages a higher standard of security (source).

In the 2016 – 2017 financial year, the OAIC received a total of 114 data breach notifications on a voluntary basis. Since the new notification requirements came into force in February, the OAIC has reported a total of 63 data breach notifications in just 6 weeks. And although we understand that businesses wouldn’t necessarily want to look incompetent by admitting to a data breach, we’re glad this latest legislation enforces transparency, as it gives businesses a reason to assess their current cyber security, data storage and backups, and workplace education. Here’s why:

The breaches reported since the new legislation show human error to be the cause of the largest number of data breaches eligible for reporting to the OAIC. Human error could involve something as simple as sending an email containing sensitive information to the wrong people; however, once it’s in the wrong hands, there’s no way of getting it back. This is why considering sensitivity in regards to data storage, and also workplace education, are so important. Storing sensitive data in an area with administrative protection safeguards the data in two ways: you know where the data is and that it’s secure, and you can see which teams are accessing it. If a breach does occur, that access record shows you where to focus effort in teaching employees the dos and don’ts of data safety and of communication involving sensitive data. We have created some free guides for general end-user cyber security education tips. Be sure to check them out and share them with colleagues (part 1 | part 2).

Malicious or criminal attacks unsurprisingly came in at a close second; that’s where a company’s cyber security protection comes into play. Cyber security is imperative for all businesses, particularly those handling sensitive data. We always recommend that companies focus on protection at each vulnerable point in their technology environment; in fact, we outlined how protection can be implemented within these areas in our blog post last week – view it here, with reference to Healthcare Practices, if you’d like a better understanding of a comprehensive cyber security solution. Whether cybercrime occurs through attacks that attempt to infiltrate your systems to steal information, or through security incidents arising from unauthorised access, comprehensive protection will help businesses remain secure, with the end goal of keeping data safe from breaches such as these (and other disasters).

Here are the top 5 industries that reported breaches during the six weeks following the implementation of the new legislation:

Backups are obvious considerations when thinking about data breach legislation. If for some reason, data is accidentally given away, stolen or lost, backups are essential in getting that data back and stored safely. We always recommend that businesses should have an automated backup system in place. This system should incorporate an automated process for getting a copy of the backup data offsite for safe storage, as well as testing the integrity of the backups created. Frequent incremental backups taken throughout the day will keep your backups up-to-date so you know that your business livelihood is safe should anything happen. Here’s some further information about backups for your reference. We’ve also created secure backup guides for industries most impacted by this legislation. Download your free guide below:
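To make the backup recommendations above concrete, here is an added example (not code from the original post or from our team’s products) of the three properties described: incremental copies of only what changed, an integrity check of every file copied, and a separate copy held elsewhere. It is a small Python script that uses a SHA-256 manifest to decide what to copy and to verify the copy afterwards; the source files, the backup directory and the "offsite" directory are all constructed in a temporary folder for the demonstration, and the offsite step is simulated with a local directory copy (a real deployment would push to a second site or a cloud bucket).

```python
"""Incremental backup with a SHA-256 integrity manifest and a simulated offsite copy.

Added example, not part of the original post. All paths below are constructed
in a temporary directory; the offsite replica is simulated with a local copy.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def incremental_backup(src: Path, dest: Path) -> dict:
    """Copy only files that are new or changed since the previous run, then record a manifest.

    The manifest always reflects the current source; copies of files since deleted at the
    source are left in place, which is the behaviour you want when recovering from a breach.
    """
    dest.mkdir(parents=True, exist_ok=True)
    manifest_path = dest / MANIFEST_NAME
    previous = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    current = build_manifest(src)
    copied = []
    for rel, digest in current.items():
        if previous.get(rel) != digest:          # new file or content changed
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src / rel, target)
            copied.append(rel)
    manifest_path.write_text(json.dumps(current, indent=2, sort_keys=True))
    return {"copied": copied, "manifest": current}


def verify_backup(dest: Path) -> list:
    """Re-hash every file listed in the manifest; return the paths that are missing or altered."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    return [
        rel for rel, expected in manifest.items()
        if not (dest / rel).is_file() or sha256_file(dest / rel) != expected
    ]


def replicate_offsite(dest: Path, offsite: Path) -> list:
    """Simulated offsite copy: mirror the backup (manifest included) and verify the mirror on its own."""
    if offsite.exists():
        shutil.rmtree(offsite)
    shutil.copytree(dest, offsite)
    return verify_backup(offsite)


def demo() -> dict:
    """Full backup, an incremental run after one edit, an offsite replica, then tamper detection."""
    work = Path(tempfile.mkdtemp())
    src, dest, offsite = work / "src", work / "backup", work / "offsite"
    (src / "records").mkdir(parents=True)
    # Constructed sample data: nothing here is real personal information.
    (src / "records" / "patients.csv").write_text("id,name\n1,constructed sample\n")
    (src / "notes.txt").write_text("first version\n")

    first = incremental_backup(src, dest)                 # copies both files
    (src / "notes.txt").write_text("second version\n")    # only this file changes
    second = incremental_backup(src, dest)                # copies just notes.txt
    clean = verify_backup(dest)                           # expect no problems
    offsite_problems = replicate_offsite(dest, offsite)   # expect no problems
    # Simulate silent corruption of the local copy (bad disk, ransomware, a mistaken edit).
    (dest / "records" / "patients.csv").write_text("id,name\n1,ALTERED\n")
    tampered = verify_backup(dest)                        # integrity check now flags the file
    shutil.rmtree(work)
    return {
        "first_copied": sorted(first["copied"]),
        "second_copied": second["copied"],
        "clean": clean,
        "offsite_problems": offsite_problems,
        "tampered": tampered,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the final step is that a backup you never verify is only a hope: the manifest lets you prove, on a schedule, that what is stored still matches what was copied, and because the offsite replica carries its own manifest it can be verified independently of the local copy that may have been damaged.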

For any business still unsure of whether or not they’re doing all they can to prepare for incidents covered by this legislation, we encourage you to visit our preparedness post here. It details which companies are affected by this legislation, steps to take to prepare yourself, and what to do if a data breach occurs. To view this quarter’s official OAIC report, head here.


If you would like to speak to us about your current data safety measures, keeping your business safe, or helping you prepare for the worst case scenario of a data breach occurring, please feel free to touch base with our team through the form below.

We provide solutions that are tailored to your business.

Want to know what your best fit solutions are?

Our team is waiting…