The Notifiable Data Breaches scheme

Time to prepare for data breach notification obligations in 2018

NDBScheme1.png Australian retailers with a turnover of $3 million or more, or those that trade in personal information, will be obligated to notify individuals affected by certain data breaches involving personal information from 22 February 2018. The Australian Information Commissioner must also be notified.

The Notifiable Data Breaches scheme notification requirements are triggered when a data breach that is ‘likely to result in serious harm’ to an individual occurs. This harm could be physical, psychological, emotional, financial, reputational, or other forms of harm.

Understanding whether a data breach can result in ‘serious harm’, or whether this harm is likely or not, requires an evaluation of the context of a data breach, including the types of personal information involved, who has access to it, whether the data breach can be contained, and more.

If you are unsure if a data breach meets the threshold, you are required to undertake an assessment of the breach within a maximum of 30 days.

The Office of the Australian Information Commissioner (OAIC) has a range of resources to assist you in preparing for the Notifiable Data Breaches scheme at

The OAIC is also hosting a webinar on the scheme’s requirements on 21 November 2017. Sign-up to attend.

Example data breach scenarios

Malicious software allows attacker to intercept payment information

NDBScheme2.png An attacker installs malicious software on a retailer’s website. The software allows the attacker to intercept payment card details when customers make purchases on the website. The attacker is also able to access basic account details for all customers who have an account on the website.

Following a comprehensive risk assessment, the retailer considers that the individuals who made purchases during the period that the malicious software was active are at likely risk of serious harm, due to the likelihood of payment card fraud. Based on this assessment, the retailer also considers that those customers who only had basic account details accessed are not at likely risk of serious harm. The retailer is only required to notify those individuals that are at likely risk of serious harm.

Subscriber error results in account information being shared with the wrong person

A staff member for a retail chain store mistakenly mails a loyal customer’s $50 rewards voucher to the wrong address. The business finds out about the mistake when the customer rings to inform them that the voucher has not been delivered, despite an email telling the customer to expect it.

The business revisits their record of the rewards vouchers sent to customers, and finds that the customer’s address is incorrect. They know that it is likely the rewards voucher, and any personal information in the mail, was delivered to the wrong person.

The business quickly assesses the likelihood of serious harm to their customer. As the mail contained only the customer’s name and the retail business is not known for particular products or affiliations that could infer sensitive information about the customer (such as political opinion, religious beliefs, or health information), they determine that the requirements of the NDB scheme do not apply.



MST Marquee – The impact of migration on retail

Retail businesses setting budgets and forecasting are understandably finding it difficult to navigate the uncertain economic conditions. Our research can help educate retailers about industry profitability benchmarks, wage growth and inventory levels, so that businesses can better prepare for the future.

Now more than ever

If business, and retail especially, must reflect the zeitgeist in order to remain relevant, then in this unique inflection point in history, the rights of Indigenous people must be incorporated

Retail Voice CEO Message: 8 May 2024

Achieving a unified voice for retail has been a compelling focus for our industry for many years. It is in the spirit of this endeavour that we are delighted to

Retail Voice CEO Message: 1 May 2024

Yesterday, the Australian Bureau of Statistics released retail trade data for March, with a modest increase of just 0.8% compared to the same month last year, despite being bolstered by