Privacy Amendment (Notifiable Data Breaches) Act 2017: Data, compliance and implications

This is Part 3 in our six-part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, which comes into effect in Australia on 22 February 2018. Part 1 introduces the new legislation; Part 2 covers eligible data breaches.


In previous posts, we introduced the basics of the NDB Act, including what makes a breach 'eligible' for notification under the Act. This week we look at what kind of information the NDB Act covers, who needs to comply, and the implications the Act has for how Australian organisations secure personal information.

What kind of data does the Act cover?

The Privacy Amendment (Notifiable Data Breaches) Act 2017 applies to personal information held by the organisations and agencies that are already bound by the Privacy Act 1988, collected and stored in the course of doing business. Under the Privacy Act, personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not it is true and whether or not it is recorded in a material form. 'Sensitive information' (such as health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation or criminal record) is a subset of personal information that attracts stricter handling requirements; it is not a precondition for a notifiable breach. What matters for notification is whether unauthorised access to, disclosure of, or loss of the information is likely to result in serious harm to any of the individuals concerned. For example, unauthorised disclosure may enable another person to commit fraud or identity theft, cause financial loss, damage the reputation of an individual or their business, or create a risk of physical harm.

Some types of information covered by the Act are listed below. The list is not exhaustive, but it gives an indication of what counts as personal information, and is a good starting point for companies to understand the wide scope of the NDB Act. The Act can cover:

  • Names;
  • Telephone numbers;
  • Postal addresses;
  • Email addresses;
  • Identification documents, such as driver's licence or passport details;
  • Medical and other health records;
  • Opinions about an individual, including those of a sensitive nature;
  • Tax file numbers (TFNs);
  • Online identifiers such as IP addresses, where they can be linked to an individual; and
  • Login details for online banking and payment accounts.

A breach involving any one of these types of information alone, or several in one incident, can be an eligible data breach if a reasonable person would conclude that it is likely to result in serious harm to an affected individual. There is no minimum number of individuals: unauthorised access to, or disclosure or loss of, a single individual's information can be an eligible data breach.

Who needs to comply?

The NDB Act applies to the Australian businesses, not-for-profit organisations and government agencies that already have obligations under the Privacy Act 1988, together with credit reporting bodies, credit providers and entities that handle tax file numbers. As an amendment to the existing Privacy Act 1988, the NDB Act governs any organisation currently operating under that Act. This includes:

  • businesses and not-for-profit organisations with an annual turnover greater than $3 million;
  • Australian government agencies;
  • health service providers in the private sector, including alternative medicine practitioners and gyms and fitness centres that hold health information;
  • child care centres, private schools and other private educational institutions; and
  • businesses that trade in personal information (those that buy or sell it), credit reporting bodies and credit providers.

Small businesses with an annual turnover of $3 million or less are generally outside the Privacy Act, and therefore the NDB scheme, unless they fall into one of the categories above (a small private health practice, for example) or handle tax file numbers.

What are the key implications?

The Act changes the way organisations look at digital security by making a breach far harder to keep quiet. The NDB scheme does not penalise the breach itself; its obligations attach to what an organisation does once it suspects one. If an eligible data breach occurs, the organisation must notify the OAIC and the affected individuals (or, where it cannot reasonably notify them individually, publish a statement and take reasonable steps to publicise it), which in effect publicises its failure to keep the data safe. The one way out is to act quickly: if remedial action is taken before any individual is likely to suffer serious harm, the breach is not eligible and need not be notified. Public knowledge of a breach can damage reputation and bring financial costs, from legal advice to the effort of regaining customer trust.

If a breach is later found not to have been handled correctly (for example, not assessed within the 30 days the scheme allows for an assessment, or not notified when it should have been), the costs rise: legal costs, clean-up, and, for serious or repeated interferences with privacy, civil penalties of up to $1.8 million for a body corporate (2,000 penalty units, multiplied by five for corporations, at the penalty unit value current when this was written). It follows that businesses under the NDB Act must both work to prevent breaches and have a tested process for assessing and notifying the ones that still occur.

The Act is intended to create transparency across Australian organisations and to assure Australians that businesses are taking the security of their personal information seriously. It should encourage organisations to inspect and improve their security practices before 22 February 2018 and to maintain best practice into the future.


For more information, download our white paper on the new Act, including our tips and advice on meeting your data security obligations.


This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.