Which Australian businesses are affected by the Notifiable Data Breaches scheme?

The recently implemented Notifiable Data Breaches scheme imposes an obligation for entities to notify individuals whose personal information was exposed in a data breach if they’re at risk of serious harm.

If you don’t comply with the requirements of the scheme, the penalties can be quite severe. The Office of the Australian Information Commissioner can impose fines of up to $1.8 million for organisations, and $360 000 for company directors.

To find out how to assess a breach, as well as how to correctly notify any affected individuals, see this resource on the OAIC Website .

Which businesses need to comply?

While all businesses should take the privacy and security of customer data seriously, not every one needs to adhere to the NDB scheme.

If your business meets any of the following criteria, you’ll need to make sure you’re aware of the new requirements. Please note that this is not an exhaustive list. See the OAIC website for more information.

• Any business with an annual turnover over $3 million dollars
• Entities that are Tax File Number recipients, such as:
  • solicitors
  • tax agents
  • accountants
  • share registries and agents of ESS providers
• Entities that provide any health services, such as:
  • traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
  • gyms and weight loss clinics
  • complementary therapists, such as naturopaths and chiropractors
  • child care centres and private schools.
• Organisations or small businesses that provide credit, such as:
  • a bank
  • a building society, finance company or a credit union
  • a retailer that issues credit cards in connection with the sale of goods or services
  • an organisation or small businesses that supplies goods and services where payment is deferred for seven days or more, such as telecommunications carriers, and energy and water utilities
  • certain organisations or small busineses that provide credit in connection with the hiring, leasing, or renting of goods.
• Entities related to an APP (Australian Privacy Principles) entity.
• Entities that trade in personal information. These are businesses buy or sell personal information for a benefit, service or advantage.
• Employee associations registered under the Fair Work (Registered Organisations) Act 2009

How to make sure your business is protected

If your organisation is covered by the Notifiable Data Breaches scheme, it’s important to make sure you are taking appropriate steps to protect your customers data.

Our Security First Managed Services offering is designed to help address the requirements of the NDB and the incoming EU General Data Protection Regulation. Find out how.