The Notifiable Data Breaches scheme

Time to prepare for data breach notification obligations in 2018

NDBScheme1.png Australian retailers with a turnover of $3 million or more, or those that trade in personal information, will be obligated to notify individuals affected by certain data breaches involving personal information from 22 February 2018. The Australian Information Commissioner must also be notified.

The Notifiable Data Breaches scheme notification requirements are triggered when a data breach that is ‘likely to result in serious harm’ to an individual occurs. This harm could be physical, psychological, emotional, financial, reputational, or other forms of harm.

Understanding whether a data breach can result in ‘serious harm’, or whether this harm is likely or not, requires an evaluation of the context of a data breach, including the types of personal information involved, who has access to it, whether the data breach can be contained, and more.

If you are unsure if a data breach meets the threshold, you are required to undertake an assessment of the breach within a maximum of 30 days.

The Office of the Australian Information Commissioner (OAIC) has a range of resources to assist you in preparing for the Notifiable Data Breaches scheme at

The OAIC is also hosting a webinar on the scheme’s requirements on 21 November 2017. Sign-up to attend.

Example data breach scenarios

Malicious software allows attacker to intercept payment information

NDBScheme2.png An attacker installs malicious software on a retailer’s website. The software allows the attacker to intercept payment card details when customers make purchases on the website. The attacker is also able to access basic account details for all customers who have an account on the website.

Following a comprehensive risk assessment, the retailer considers that the individuals who made purchases during the period that the malicious software was active are at likely risk of serious harm, due to the likelihood of payment card fraud. Based on this assessment, the retailer also considers that those customers who only had basic account details accessed are not at likely risk of serious harm. The retailer is only required to notify those individuals that are at likely risk of serious harm.

Subscriber error results in account information being shared with the wrong person

A staff member for a retail chain store mistakenly mails a loyal customer’s $50 rewards voucher to the wrong address. The business finds out about the mistake when the customer rings to inform them that the voucher has not been delivered, despite an email telling the customer to expect it.

The business revisits their record of the rewards vouchers sent to customers, and finds that the customer’s address is incorrect. They know that it is likely the rewards voucher, and any personal information in the mail, was delivered to the wrong person.

The business quickly assesses the likelihood of serious harm to their customer. As the mail contained only the customer’s name and the retail business is not known for particular products or affiliations that could infer sensitive information about the customer (such as political opinion, religious beliefs, or health information), they determine that the requirements of the NDB scheme do not apply.



Retail Voice CEO Message: 20 September 2023

Last week, the ARA convened our inaugural Retail Crime Symposium, bringing together representatives from the nation’s top major retailers face-to-face to address this pressing issue. Distinguished speakers at the symposium

The importance of R U OK? Day

September 14 is R U OK? Day in Australia, where millions of people around Australia will take the time to check in with family, friends and peers to ask if