Privacy Amendment (Notifiable Data Breaches) Act 2017: Introduction to the new legislation

This is Part 1 in our new 6 part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, coming into effect in Australia on 22nd February 2018.


Australians will see changes in digital security practices in 2018 in the face of new privacy protection laws. The Privacy Amendment (Notifiable Data Breaches) Act 2017 ("NDB") is an important new addition to legislation that will change the nature of digital security for Australian businesses, and ultimately for all Australians. The NDB Act is an amendment to the Privacy Act 1988, and introduces mandatory reporting in the case of an eligible data breach.

Under the new law, if a known or suspected data breach involves a real risk of serious harm to one or more individuals, the breach must be reported to the Office of the Australian Information Commissioner (OAIC) and to the affected individual(s).

How will the NDB increase privacy protection?

The NDB scheme is designed to encourage organisations to increase digital security by creating strong disincentives for data holding entities to allow a security breach.

The NDB is therefore a principles-based approach to increasing privacy protection. It functions as a self-regulating system by increasing the potential consequences of weak digital security. Businesses don’t want to publicise data breaches; doing so involves an expensive cleanup and inevitable loss of confidence from customers. However, unreported breaches could now incur penalties up to $1.8 million in fines, as well as negative publicity and legal aid costs.

With organisations soon obliged to report a breach, they will increase digital security in order to avoid one. Under the new law, data holding entities will be inclined to take data security more seriously than ever before.

Who is affected by the NDB?

The NDB Act, as an amendment to the Privacy Act 1988, is applicable to all entities operating under the Privacy Act, including:

  • entities deemed to hold information disclosed to overseas recipients;
  • credit reporting bodies and credit providers;
  • organisations that hold tax file information;
  • government organisations, health providers, and educational institutions; and
  • businesses or not-for-profits with an annual turnover greater than $3 million.

The NDB directly affects organisations, but all Australians stand to benefit from the scheme. Because of the heavy penalties and reputation risk involved, and the wide scope of the NDB in business, Australians can assume that this new digital security legislation will reduce the incidence of data breaches. Additionally, it will promote transparency in privacy protection; it will offer affected individuals the opportunity to mitigate the negative effects of compromised personal data.

What are the key changes to current legislation?

The current Privacy Act leaves data breach notification at the discretion of data holding organisations. A business can decide whether or not it wishes to report data breaches to the OAIC, or to individuals whose personal information has been exposed by a data breach. Often, individuals are not warned when their data is accessed by potentially malicious parties, meaning they may be unable to take preventative action.

When the NDB scheme commences next month, this will change. If an eligible data breach occurs, organisations will be legally obliged to report to the OAIC and to individuals at real risk of serious harm. Not to do so will incur heavy financial penalties and a likely loss of trust from the Australian public and partner organisations.

Under current legislation, there is no time limit within which a breach must be handled. Under the NDB, if an organisation experiences a confirmed breach, or has reasonable grounds to suspect a breach has occurred, it must conduct an expeditious assessment within 30 days.

When does the NDB come into effect?

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by the House of Representatives in February 2017. The key amendments will commence on 22nd February 2018. Any organisation that experiences an eligible data breach from this date will be required to follow the reporting procedures of the NDB.

Regulatory bodies and data security experts suggest businesses take immediate steps to safeguard their digital security in preparation for the change. For some tips on how to strengthen your organisation’s digital security, see our post 10 Tips to Secure Your Company’s Data Against Cyber Threats


For more information, click here to download our white paper all about the new Act, including our tips and advice on meeting your data security obligations.


This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.