Notifiable Data Breaches Scheme – One Month On


March 2018

Since our December brief (posted again below, for convenience), and since the Notifiable Data Breaches Scheme (NDBS) came into effect on 22 February 2018, there have been some relevant developments regarding personal information data breaches.


Unless you have been hiding under a rock this past week, you will have heard about the catastrophic privacy breach suffered by Facebook users, not only in Australia but worldwide.  The private details of over 50 million Facebook users were harvested by a third-party app, and that data was then obtained and used without permission by Cambridge Analytica, a company that combines data mining, data brokerage and data analysis with strategic communication for electoral processes.  A now suspended chief executive of Cambridge Analytica was secretly recorded claiming that the company’s online campaign played a decisive role in Donald Trump’s 2016 US Presidential election victory.

After news of the scandal broke, Facebook’s CEO, Mark Zuckerberg, published a statement on his Facebook page, including an acknowledgement that Facebook “have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you”.  In a separate interview with CNN, Mr Zuckerberg offered an apology, saying “this was a major breach of trust and I’m really sorry that this happened”.  He added that it was Facebook’s “responsibility now to make sure that this doesn’t happen again”.

Notably, and presumably in response to the scandal, Facebook’s shares fell by 1.6% as investors woke up to the risks of investing in the company.  This came as a shock, considering the company has risen more than 550 percent in value in the past five years alone.

On 20 March 2018, the Australian Information and Privacy Commissioner released the following statement on the OAIC website with respect to the scandal:

I am aware of the reports that users’ Facebook profile information was acquired and used without authorisation.  My Office is making inquiries with Facebook to ascertain whether any personal information of Australians was involved.

I will consider Facebook’s response and whether any further regulatory action is required.  The Privacy Act 1988 confers a range of privacy regulatory powers which include powers to investigate an alleged interference with privacy and enforcement powers ranging from less serious to more serious regulatory action, including powers to accept an enforceable undertaking, make a determination, or apply to the court for a civil penalty order for a breach of a civil penalty provision.

If anyone has concerns about how their personal information has been collected or managed they can get in touch with my office at or on 1300 363 992.

The scandal is ongoing.

First Reported Breaches

In the month following the commencement of the NDBS on 22 February 2018, Accountants Daily reported that the OAIC had received at least 31 notifications of eligible data breaches from businesses and not-for-profit organisations with an annual turnover of $3 million or more.

Whilst specific details of the industries of the organisations reporting the breaches, and of the breaches themselves, are not yet publicly available, it is understood that more comprehensive details of the breach reporting will be released towards the end of March.

How we can help your organisation

If you are concerned that your workplace Privacy Policies are not up to date, or would like further information or staff training on the Australian Privacy Principles and the Notifiable Data Breaches Scheme, contact us today on 1300 88 33 92 to speak with one of our Partners or to arrange a seminar for your employees.

Craig Higginbotham and Lynette Prichard

28 March 2018


[Previous Insight]

December 2017

All businesses covered by the Australian Privacy Principles (APP) will have new obligations, including an obligation to report breaches under the Notifiable Data Breaches Scheme (NDBS).  The obligations arise where personal information held by the business is subject to unauthorised access, unauthorised disclosure or loss, and the breach is likely to result in “serious harm” to the affected individuals.  An assessment of a suspected breach must be completed within 30 days and, if an eligible breach is confirmed, a statement must be provided to each individual whose information is affected.  Further, a copy of the statement must be provided to the Office of the Australian Information Commissioner (OAIC).

Businesses should prepare or update their Data Breach Response Plan to ensure they are able to respond quickly to suspected data breaches and conduct the assessment required under the NDBS.  If a breach does occur, businesses will be able to notify it by completing a form on the OAIC website.  There are significant penalties for a failure to comply with the APP, and all businesses should be aware of and plan for these changes.

Craig Higginbotham
30 December 2017
