The Privacy Amendment (Notifiable Data Breaches) Act 2017 is effective from 22 February 2018. The amendment establishes the Notifiable Data Breaches (NDB) scheme in Australia and requires organisations covered by Australia's Privacy Act 1988 to notify individuals who are likely to be at risk of serious harm from a data breach, and to recommend the steps those individuals can take in response to the breach. The scheme also requires organisations to notify the Australian Information Commissioner of a data breach.
Prior to the assent of the amendment, data breach notifications were provided voluntarily to the Australian Privacy and Information Commissioner. In 2015-2016, the Office of the Australian Information Commissioner (OAIC) received 107 voluntary data breach notifications, predominantly from the Australian Government, the finance and superannuation sector, health service providers, and retail and online service providers.
The NDB scheme makes notification mandatory in these circumstances, in an effort to strengthen data protection.