The notifiable data breaches scheme: what you need to know

Technology, automation and artificial intelligence (AI) seek to cut out the very work that professional service advisors do.

By Demetrio Zema, Founder & Director and Bea Stathy, Special Counsel



Businesses collect large amounts of information and, to some extent, this is driven by their participation in the digital economy. The information collected is both useful and a burden, and businesses covered by the Privacy Act 1988 (Cth) must be prepared to meet their obligations under the incoming Notifiable Data Breaches Scheme (“Scheme”). The Scheme commences today.

The Scheme requires Australian Privacy Principle (“APP”) entities to notify individuals, and the Australian Information Commissioner (“Commissioner”), if they have reasonable grounds to believe the personal information they hold has been breached and the breach amounts to an “eligible data breach”.


An eligible data breach is a serious data breach. It occurs when personal information is accessed or disclosed without authority, or is lost, and a reasonable person would conclude that this breach would likely result in “serious harm” to an individual affected by it.

APP entities will therefore need to assess data breaches on their likelihood of causing harm, and this assessment will require an examination of the specific facts of a matter. For example, it will involve considering the kind of information affected, whether it is sensitive, the resilience of any security measures protecting the information, and who has obtained the information.

The Scheme is also flexible, in that appropriate remedial action taken by an APP entity to prevent serious harm will remove the data breach from the scope of the Scheme, and it will not be taken to be an eligible data breach.

However, if an eligible data breach is suspected and, following a “reasonable and expeditious assessment”, it is determined that an eligible data breach has occurred, the APP entity will need to follow the notification obligations of the Scheme.


Not all businesses are covered by the Scheme. Small businesses with an annual turnover of $3 million or less are ordinarily spared the compliance obligations of the Privacy Act. Nevertheless, there are exceptions. For example, businesses that are health service providers are placed in a different position because they provide a health service and (consequently) hold health information.

Health information includes information or an opinion about a person’s mental or physical health, and covers any disability or injury suffered. Generally speaking, health information is a sensitive category of personal information and the Privacy Act applies to private sector health service providers, no matter the annual turnover of the organisation.

Other categories of businesses caught by the Scheme include organisations trading in personal information, employee associations, and contracted service providers for a Commonwealth contract (regardless of whether or not they are a party to the contract).

4. What happens if your business fails to notify?

Under the Scheme, a failure to comply will be considered an “interference with the privacy of an individual” and the Commissioner has broad powers to ensure APP entities remedy their failures, including by directing them to prepare a statement and to notify affected individuals. In cases of serious or repeated non-compliance, the Commissioner can issue a fine of up to $2.1 million for businesses. The Scheme is therefore designed to encourage businesses to improve their data management practices, and the Privacy Act also contains pecuniary penalties with an objective of deterring flagrant breaches.

5. What to do

Businesses must have contingencies in place to prevent and resolve eligible data breaches. Most importantly, they must act swiftly in the face of a serious breach. Businesses should therefore create and maintain a data breach response plan and ensure this area of responsibility is situated with a person qualified to manage communications with the regulator, and with affected individuals.

Given the Scheme’s commencement, it is timely for businesses (specifically boards) to review and obtain advice on their:

  • Privacy Policy;

  • Data management processes; and

  • Data breach insurance,

to determine whether these are adequate.

It is not too late to take steps to ensure your business complies with the Scheme. Failing to consider your preparedness can lead to your organisation breaching the requirements of the Scheme and suffering both civil fines and reputational harm.


About the Authors:

Demetrio Zema is the founder of Law Squared, a new gen law firm named “Australia’s most innovative Law Firm”. Law Squared takes an entrepreneurial approach to the provision of legal services, working from its Melbourne, Sydney and Brisbane offices with clients ranging from small businesses and not-for-profits to ASX-listed companies.

Bea Stathy is a Special Counsel at Law Squared and has a particular interest in privacy and data law issues, as well as the regulatory challenges posed by new technologies (such as artificial intelligence). Bea is a pragmatic and responsive lawyer with experience across a variety of sectors including fintech, biotech, healthcare, defence, software, IT, water and renewable resources, and industrial manufacturing. 


At Law Squared, we partner with passionate entrepreneurs and businesses who need our technical help and expertise. We’d love to have a chat with you, so feel free to drop us an email hello@lawsquared.co.
