The Notifiable Data Breaches scheme

Time to prepare for data breach notification obligations in 2018

NDBScheme1.png Australian retailers with a turnover of $3 million or more, or those that trade in personal information, will be obligated to notify individuals affected by certain data breaches involving personal information from 22 February 2018. The Australian Information Commissioner must also be notified.

The Notifiable Data Breaches scheme notification requirements are triggered when a data breach that is ‘likely to result in serious harm’ to an individual occurs. This harm could be physical, psychological, emotional, financial, reputational, or other forms of harm.

Understanding whether a data breach can result in ‘serious harm’, or whether this harm is likely or not, requires an evaluation of the context of a data breach, including the types of personal information involved, who has access to it, whether the data breach can be contained, and more.

If you are unsure if a data breach meets the threshold, you are required to undertake an assessment of the breach within a maximum of 30 days.

The Office of the Australian Information Commissioner (OAIC) has a range of resources to assist you in preparing for the Notifiable Data Breaches scheme at

The OAIC is also hosting a webinar on the scheme’s requirements on 21 November 2017. Sign-up to attend.

Example data breach scenarios

Malicious software allows attacker to intercept payment information

NDBScheme2.png An attacker installs malicious software on a retailer’s website. The software allows the attacker to intercept payment card details when customers make purchases on the website. The attacker is also able to access basic account details for all customers who have an account on the website.

Following a comprehensive risk assessment, the retailer considers that the individuals who made purchases during the period that the malicious software was active are at likely risk of serious harm, due to the likelihood of payment card fraud. Based on this assessment, the retailer also considers that those customers who only had basic account details accessed are not at likely risk of serious harm. The retailer is only required to notify those individuals that are at likely risk of serious harm.

Subscriber error results in account information being shared with the wrong person

A staff member for a retail chain store mistakenly mails a loyal customer’s $50 rewards voucher to the wrong address. The business finds out about the mistake when the customer rings to inform them that the voucher has not been delivered, despite an email telling the customer to expect it.

The business revisits their record of the rewards vouchers sent to customers, and finds that the customer’s address is incorrect. They know that it is likely the rewards voucher, and any personal information in the mail, was delivered to the wrong person.

The business quickly assesses the likelihood of serious harm to their customer. As the mail contained only the customer’s name and the retail business is not known for particular products or affiliations that could infer sensitive information about the customer (such as political opinion, religious beliefs, or health information), they determine that the requirements of the NDB scheme do not apply.



The rich tapestry of neurodiversity

There is a slow shift towards incorporating design aspects that create more inclusive shopping experiences for customers of all neurotypes. Retailers willing to explore this hidden customer segment can deliver a more easy, engaging and inclusive experience both in-store and online.

Retail Voice CEO Message: 15 March 2023

Retail crime continues to be a concern with many businesses recording an increase in shoplifting. 
In the latest Bureau of Crime Statistics and Research data coming out of New South Wales, retail theft increased 23.7% year-on-year.  

Retailers have an important role to play in closing the gap

Today is National Closing the Gap Day, a day of action to pledge support for achieving indigenous health equality by 2030. As part of the ARA’s reconciliation journey, we have made a commitment to use our reach to raise awareness with our members about days of significance for First Nations communities, like Closing the Gap Day.