As data security breaches become more frequent and their impacts more severe, the Office of the Australian Information Commissioner has legislated mandatory reporting of data breaches for entities.

The Notifiable Data Breach Scheme (NDB) came into effect on 22 February 2018. The Scheme is mandated under the Privacy Act 1988 and sets out the obligations organisations have when responding to data breaches, including mandatory reporting to the Office of the Information Commissioner.

The NDB Scheme is a positive initiative for Australians as it strengthens the protection of personal data.

Is your organisation NDB compliant?

Do you need answers around:

  • What is the Notifiable Data Breach Scheme law and does it apply to my business?
  • What does breach notification involve? What type of breaches are required to be reported?
  • What should my organisation be doing to prepare for the new regulations to remain compliant?
  • What type of data breach requires notification?
  • What actions does my organisation need to undertake to secure personal information?
  • Does my organisation require a data breach response plan?
  • What is a “Notifiable Data Breach Form”?
  • What happens if my organisation is not compliant?

If you do, you may need professional help to put the processes in place that keep you compliant with the law and avoid unnecessary penalties.

Who must comply?

While the Scheme mandates that Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of more than $3 million must comply, any small business that collects and stores personal information, whatever its turnover, must also comply. Think private sector health service providers, credit providers and reporting bodies, and even recruitment and human resource management organisations.

Safeguard your business and your customers' data

Depending on the size of your organisation and the type of personal information you collect and store, pulling together a Data Breach Response Plan can be a simple or a complex exercise; much depends on whether you already have good practices and 'hygienic' cybersecurity in place.

For more information or to be notified of our next breakfast briefing, complete the enquiry form or contact our Technology Risk team.
