Privacy Amendment (Notifiable Data Breaches) Act 2017: Eligible data breaches

This is Part 2 in our 6-part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, coming into effect in Australia on 22nd February 2018. Click here to read Part 1: Introduction to the new legislation.


In last week’s post, we introduced you to the basics of the NDB Act and what it will mean for digital security in Australia. The new legislation, effective 22nd February 2018, calls for mandatory reporting of eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and the individual(s) affected by the breach. This week we discuss what makes an eligible breach ‘eligible’.

What is an eligible data breach?

If you’re familiar with the NDB scheme from our last post, you’ll be acquainted with the phrase ‘eligible data breach’. Under the new legislation, organisations are required to report a data breach if it is considered ‘eligible’. Eligibility depends on the nature of the compromised information and the potential risk that unauthorised disclosure may cause to the individual(s) whose information has been compromised.

An eligible breach occurs when there is unauthorised disclosure of personal information to external entities and the disclosure of information is likely to result in a real risk of serious harm for any of the individuals to whom the information relates.

Events that can constitute an eligible breach could include:

  • lost or stolen information in its hard form (such as in computer hard drives or paper records);
  • improperly destroyed data that is disposed of insecurely;
  • hacked databases;
  • employees accessing information that falls outside their authorisation; or
  • organisations sending data unintentionally to the wrong recipient.

In order for a potential breach to be eligible, it is not necessary for the occurrence of the breach to be proven. If there are reasonable grounds to suspect a breach has occurred, or data has been lost and can’t be retrieved, the breach is considered eligible for notification due to the potential risk of serious harm.

What is ‘serious harm’?

Serious harm is defined by the explanatory memorandum that accompanies the NDB Act. It comes in many forms, and can include:

  • financial or economic harm;
  • physical harm;
  • psychological or emotional harm; and/or
  • damage to reputation.

If information has been compromised and could potentially cause any type of harm — to a single individual or to many individuals — it should be reported.

There are many situations in which serious harm can result from the disclosure of personal information, and the potential harm varies according to the information and to the individuals in question. For example, serious harm can result from the disclosure of:

  • financial information, resulting in financial fraud;
  • identity information, resulting in identity theft or fraud;
  • addresses or contact information of certain individuals, resulting in potential physical or emotional harassment and harm;
  • statements made under a confidentiality agreement, resulting in potential reputation damage; or
  • sensitive medical information, resulting in potential reputation damage.

These are only some examples of the situations in which individuals can experience serious harm as the result of a data breach. Under the new legislation, it would be prudent for organisations to ensure they report any breach presenting even a remote risk of serious harm, in order to avoid the harsh penalties that may apply for non-compliance.

When is there a real risk of serious harm?

Assessing if there is a risk of serious harm relies on factors like:

  • the nature and sensitivity of the information that has been, or may have been, disclosed;
  • the security measures or encryption still protecting the compromised information;
  • the type of person or people who obtained the information; and
  • the nature of the potential harm that may result from unauthorised disclosure.

If a reasonable person, an objective bystander, would see a probable risk of harm for the individual(s) whose information has been compromised, it is considered that there is a real risk of serious harm.

If an organisation has experienced a data breach in which data is lost, stolen, improperly disposed of, or accessed without authority, and the information could carry a real risk of serious harm to an individual or individuals, it is considered an eligible breach and must be reported to the OAIC within 30 days.


For more information, click here to download our white paper all about the new Act, including our tips and advice on meeting your data security obligations.


This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.