As we have previously commented on in our blog post late last year, new laws are set to come into effect on 22 February 2018 which will require organisations covered by the Privacy Act 1988 (Privacy Act) to notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals if an unauthorised disclosure of personal information occurs.

The OAIC has published draft resources on their website to assist organisation in understanding their compliance obligations (accessible at:

The draft resources cover:

·       Who must comply with NDB Scheme – the NDB Scheme will apply to you if you are an organisation or Australian government agency that is already covered by the Privacy Act;

·       Which data breaches are notifiable – a data breach is an ‘eligible data breach’ that requires notification if it is likely to result in serious harm to any of the individuals to whom the information relates (note that a data breach does not have to be ‘malicious’, such as a cyber-attack, for it to be an eligible data breach – accidental unauthorised disclosure may still require notification, for example);

·       How to notify – if the NDB Scheme applies to your organisation, your organisation must provide a statement to the OAIC, and notify individuals at risk of serious harm of the contents of that statement, if an eligible data breach occurs;

·       Australian Information Commissioner’s role in the NDB Scheme – the OAIC’s roles include receiving notifications of eligible data breaches, encouraging compliance with the scheme (including regulatory action in the event of non-compliance), and providing advice and guidance about the operation of the scheme.

It is important that you review your organisation’s policies, procedures and systems for securing personal information and preventing data breaches before they occur.  An effective data-breach response plan is also crucial to respond quickly if a data breach does occur, which may be the difference between averting serious harm and a breach requiring notification (which can be highly detrimental to an organisation’s reputation).

At Motus Legal, we have advised many of our clients on complying with their obligations under the Privacy Act.  Get in touch with us to prepare for the NDB Scheme before it comes into effect.