The NDB scheme, or Notifiable Data Breach scheme, is a requirement that was developed by the Australian government for all agencies and organisations regulated under the Privacy Act 1988. These entities are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach. First commenced on 22 February 2018, the NDB scheme outlines exactly how an organisation should proceed when a breach occurs.
The Australian government has created two guides for action in the event of a breach.
The NDB scheme was established by the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017. The scheme applies from 22 February 2018 to all organisations and agencies with existing personal information security obligations under the Privacy Act. It obligates these entities to notify anyone whose personal information has been involved in a data breach that is likely to cause serious harm. The notification must include recommendations about the steps individuals should take in response to the data breach. The Australian Information Commissioner must also be notified.
In order to comply with the NDB scheme, agencies and organisations must prepare for the possibility of a data breach and plan how to respond quickly to reduce and contain the resulting harm. To notify the Commissioner, entities should use the Notifiable Data Breach form.
Section 6 of the Privacy Amendment (Notifiable Data Breaches) Act 2017 says that the scheme applies to incidents where personal information is subject to unauthorised access or disclosure, or is lost.
Agencies and organisations that the Privacy Act requires to secure specific categories of information are required to comply with the NDB scheme. This includes Australian Government agencies, not-for-profit organisations and businesses with an annual turnover of $3 million or more, health service providers, credit reporting bodies, and TFN recipients.
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Not every data breach requires notification under the scheme. Only data breaches involving personal information that are likely to cause serious harm must be notified under the NDB scheme. The NDB scheme calls these “eligible data breaches.”
Examples of a qualifying data breach include:
A few exceptions that do not require notification are outlined in the Data breach preparation and response guide. If a data breach is suspected, agencies and organisations are required to quickly assess whether it is likely to cause serious harm.
If an eligible data breach has occurred, individuals at risk of serious harm must be promptly notified. The Commissioner must also be notified as soon as practicable. Notification must include the following information:
The Commissioner is notified using the Notifiable Data Breach form.
The Commissioner has several roles under the NDB scheme.