22 February 2018
Mandatory data breach notification scheme commences today
The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 was established by the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017, with a commencement date of 22 February 2018.
The NDB scheme requires agencies and organisations to notify individuals and the Australian Information Commissioner where there has been an 'eligible data breach'. An eligible data breach will occur where a data breach (unauthorised access or disclosure, or loss of the information) is likely to result in serious harm to any individual affected.
The notification to affected individuals and the Commissioner must include the following information:
- the identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned
- recommendations about the steps individuals should take in response to the data breach.
Implications for clients
Agencies and organisations should have in place a data breach response plan to assist with identifying and assessing when a data breach is likely to result in serious harm and require notification.
Agencies and organisations should also think about how to manage their obligations under the NDB scheme when entering into contractual arrangements involving personal information.
AGS can assist you to develop data breach response plans and template notification letters, and can assist with your contract arrangements.
For further information please contact:
For assistance with contractual arrangements:
National Manager Commercial
T 03 9242 1290
Important: The material in Express law is provided to clients as an early, interim view for general information only, and further analysis on the matter may be prepared by AGS. The material should not be relied upon for the purpose of a particular matter. Please contact AGS before any action or decision is taken on the basis of any of the material in this message.