Privacy Amendment (Notifiable Data Breaches) Act 2017: When an eligible breach occurs

This is Part 4 in our 6 part series on the new Privacy Amendment (Notifiable Data Breaches) Act 2017, coming into effect in Australia on 22nd February 2018. Click here to read the whole series.

AdobeStock_41908523 copy.jpeg

So far, we’ve covered the basics of the NDB Act, what the act involves and who needs to comply, as well as what this legislative change might mean for Australian businesses. This week, we look at what happens in the case of an eligible breach, and how non-compliance will be penalised.

What happens if an eligible breach occurs?

If an organisation experiences a breach, it will be the responsibility of that organisation to ensure it is dealt with correctly and quickly. Organisations have a duty of notification to the Office of the Australian Information Commissioner (OAIC), as well as to the individuals whose information was compromised. If there are reasonable grounds to believe a breach has occurred, notification should be given as soon as practicable, within 30 days.

To notify correctly, the organisation should prepare a statement, including:

  • the identity and contact details of the organisation that experienced the breach;
  • a description of the breach;
  • a description of the type of information involved in the breach; and
  • recommendations for possible steps to be taken in response to the breach.

All parties at risk of serious harm must be notified. If it isn’t possible to separately notify only those who are at risk, the organisation should notify all the individuals whose information was involved (or potentially involved) in the breach, even if some may not be at risk of serious harm. If neither of these options is practicable, notification must be published on the organisation’s website (if it has one). The website notice must be publicised sufficiently, so that the individuals are likely to see it and to know that their data has been compromised. 

What are the penalties of non-compliance?

The NDB scheme calls for strict compliance, with non-compliance attracting heavy financial penalties and other consequences. While monetary consequences are the most obvious, there are some serious practical ramifications for businesses that choose not to report an eligible breach. In some cases, the financial cost is only one aspect of a larger problem, such as business interruption and loss of customer trust.

The ramifications of non-compliance and failure to report can include:

  • fines of up to $360,000 for individuals;
  • fines of up to $1.8 million for organisations;
  • legal aid costs;
  • costs incurred by business interruption; and
  • costs incurred by incident response and efforts to repair customer trust.

It’s important to remember that even correctly reporting a breach is likely to carry lower, though still significant, financial and practical consequences, including:

  • damage to reputation and a loss of customer trust (and the cost of repairing reputation);
  • financial costs incurred by business interruption; and
  • financial costs incurred by incident response.

These consequences are disincentives for businesses to allow a breach to occur, and especially discourage businesses from hiding a breach if it does occur. This is in line with the goals of the NDB Act, which should increase digital security and decrease the instance of data breaches in Australia.

The consequences of reporting a breach, and the penalties for non-compliance, mean that businesses will have a strong incentive to tighten all aspects of digital security. The new consequences of a data breach should spark a systematic change of attitude for many organisations. Data security poses a growing risk with increasing ramifications, and needs to be elevated to boardroom level as the NDB Act is introduced this month.


For more information, click here to download our white paper all about the new Act, including our tips and advice on meeting your data security obligations.


This blog post is intended for informational purposes only. Although every effort has been made to present accurate and current information, accuracy cannot be guaranteed. Please note that the information within this blog post does not constitute legal advice and should not be relied upon as such. For legal or professional advice, contact a solicitor.