Privacy Amendment (Notifiable Data Breaches) Act 2017: Tips for best practices

This is the final part in our six-part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, which comes into effect in Australia today, 22 February 2018. Click here to read the rest of the series.

Over the last five weeks, we’ve discussed the NDB Act in detail, covering the basics, what qualifies as an eligible data breach under the scheme, penalties, implications, and our thoughts on the Act. This week, we look more closely at how you can prepare your business for the new legislation.


Best practice for compliance

With the changes to privacy law taking effect this month, every Australian organisation covered by the Privacy Act needs to inspect and assess the standard of its data protection practices. Organisations should be reviewing and renewing their data handling policies, retraining staff, rewriting data breach response plans, and elevating data security to board level. The steps in this post are a guide to help businesses assess their protection practices. The list is not exhaustive, but it is a solid starting point for businesses preparing for the NDB Act.

1. Policies

  • Conduct a Privacy Impact Assessment (PIA) or an information security risk assessment. The OAIC website can help you determine which you require.
  • Redraft data protection and security policies and standards relating to data collection, data residency and retention, and data destruction.
  • Review agency agreements and candidate policies, outsourcing agreements, and third party contracts.

2. Staff

  • Involve senior management in the digital security process.
  • Consider appointing a steering committee to ensure your practices will stand up to the new legislation.
  • Consider appointing a dedicated data protection officer.
  • Educate your staff on good cyber-security workplace habits.
  • Review the code of conduct for all employees.
  • Ensure your staff comply with strict policies regarding sensitive data.
  • Ensure all contractors and suppliers with access to personal information comply with your policies.

3. Practice

  • Protect data at rest: encrypt the storage in all laptops, workstations, servers and removable media, and run up-to-date endpoint protection software. Encryption also matters under the scheme itself: whether the information was protected by security measures such as encryption, and how likely those measures are to be overcome, are among the factors the Act lists for assessing whether a breach is likely to result in serious harm.
  • Keep operating systems, applications and firmware updated and patched.
  • Ensure that your information handling practices include privacy protection measures.
  • Work with a reputable data destruction company to dispose of digital copies of personal information securely and permanently.

4. Response procedures

  • Put logging, monitoring and alerting in place so that suspected breaches are detected early and immediate action can be taken.
  • Introduce a data breach response plan that covers containing a breach, assessing whether it is an eligible data breach (the Act requires you to take all reasonable steps to complete that assessment within 30 days of becoming aware of grounds for suspecting one), and, where it is, notifying the Office of the Australian Information Commissioner and the affected individuals as soon as practicable.
  • Consider insurance as a means of covering losses in the case of an eligible data breach.

The right policies, practices, education, and response procedures will reduce the risk of a data breach and the harm one can cause. At the same time, these steps will help your business meet its obligations under the Privacy Act 1988 as amended by the Privacy Amendment (Notifiable Data Breaches) Act 2017. By following best practice and keeping all your procedures up to date, you protect yourself, your reputation, and your customers against the consequences of an eligible data breach.


For more information, click here to download our white paper all about the new Act, including our tips and advice on meeting your data security obligations.


This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.