Australian Notifiable Data Breach Scheme, Explained

Cindy Ng looks at the detail of Australia’s new data breach scheme and what the new rules mean for organisations.

The third time is the charm, in life and in data breach notification laws. On 13 February 2017, the Australian Government, in its third attempt, passed the Notifiable Data Breaches scheme, which finally came into effect on 22 February this year.

While we all have a conceptual idea of what a data breach notification means, when it comes to the required action we have to look at the nitty-gritty details. Let’s start with how a data breach is defined down under.

Australia’s Definition of a Data Breach

Australia defines a breach broadly enough to include unauthorised access to, or disclosure of, personal information, which means that a ransomware attack that encrypts but does not exfiltrate data can constitute a reportable breach.

Like the GDPR, Australia broadly considers personal data to be any information about an identified individual, or information that can reasonably be linked to an individual.

In real-world terms, this means that if hackers obtain phone numbers, bank account data, or medical records, it’s considered a breach.

Australia’s Data Breach Notification Rules

The rules apply to any organisation with an annual turnover of more than $3 million, but small businesses under that threshold are still subject to compliance if they handle sensitive health records or government contracts.

The new Australian amendment also has a harm threshold that must be met for a breach to be reportable. This is not unusual: we’ve seen the same kind of harm threshold in US state breach notification laws, and even in the EU’s GDPR and the NIS Directive.

In the Australian case, the language used is that the breach is “likely to result in serious harm.” While not explicitly stated, the surrounding context in the amendment says that the breach would have to cause serious physical, psychological, emotional, economic, reputational, or financial harm, or some other effect that a “reasonable” person would agree amounts to serious harm.

Continue reading this post on the Varonis blog


Sign up to the Government News newsletter