Amendments to the Privacy Act introducing the Notifiable Data Breaches (NDB) scheme commence today, 22 February 2018.

The NDB scheme will apply to all organisations currently required to take steps to secure personal information, including but not limited to businesses and not-for-profit organisations with an annual turnover of more than $3 million, health service providers and TFN recipients.

If your organisation is currently required to secure personal information under the Privacy Act, including compliance with the Australian Privacy Principles under the Act, it will need to comply with the NDB scheme on and from 22 February 2018.

The NDB scheme applies to data breaches of personal information likely to result in serious harm to individuals affected.  Consider the following three questions when assessing a data breach:

  1. Is there an unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that your organisation holds?
  2. Is this likely to result in serious harm to one or more individuals?
  3. Has your organisation been unable to prevent the likely risk of serious harm through remedial action?

If the answer is “yes” to all of the above, then a notifiable data breach has occurred.

If a notifiable data breach has occurred, you need to notify the affected individual(s) and the Office of the Australian Information Commissioner (OAIC).  Significant legal penalties of up to $1.8 million could apply for not complying with the NDB scheme.

What your organisation should do:

  • Understand the requirements of the NDB scheme. There are resources and guidelines available on the OAIC website.
  • Carry out an audit of your organisation from a privacy perspective. Consider asking yourself questions such as:
    * Do your staff understand your organisation’s obligations in respect of privacy, and do you have an adequate policy in place?
    * How are you securing personal information and what might need to be done to better secure such information?
    * Where are the vulnerabilities in your organisation that could lead to a data breach?
  • Have a data breach response plan drafted and tailored to the needs of your organisation and the personal information it holds.
  • Train your staff in the requirements of the NDB scheme and your organisation’s data breach response plan.

Should you require any further information or specific advice in relation to the NDB scheme or if you have any other privacy-related questions, please do not hesitate to contact our office.

In our third issue of “Legal Questions for Every Charity and Not-For-Profit Organisation” we deal with the topic of Privacy. The update forms part of our series of short summaries of legal issues that, in the course of advising our clients, we have noticed are common and important to charities and not-for-profit (NFP) organisations.


Do you know whether your organisation is required to comply with the Privacy Act? Does your organisation have a compliant Privacy Policy and other measures in place to ensure compliance with privacy legislation?

Generally speaking, small businesses or not-for-profit organisations with a turnover of $3 million a year or less are exempt from having to comply with the “Australian Privacy Principles” under the Privacy Act and therefore are not required by law to have a privacy policy. However, there are a number of exceptions to this rule.

Even if you are not required to have a Privacy Policy, it is a good idea to have an up-to-date Privacy Policy in place, particularly if your organisation collects and uses personal information.

We recommend you consider the following:

Do you have a Privacy Policy? When was it last reviewed?

Does your policy accurately reflect how your organisation collects and uses personal information?

Is personal information safely and securely stored?

Is there someone in the organisation who can take on the role of a privacy officer, to deal with complaints and other privacy concerns from the public?

Please do not hesitate to contact us with any queries related to the Privacy Act or to discuss your Privacy Policy.

Bill d’Apice, Partner | +61 2 9233 9013
Belinda Marsh, Senior Associate | +61 2 9233 9083

Businesses, including not-for-profit entities, should review their privacy policies and procedures to ensure that they comply with the new Australian Privacy Principles before they commence on 14 March 2014.

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 is the most significant privacy reform since the Privacy Act was introduced over 25 years ago. The new privacy principles will regulate the handling of personal information by businesses and Australian government agencies.
