The Notifiable Data Breach Scheme (NDB Scheme) came into force on 22 February 2018.  It has resulted in changes to Australia’s privacy law in relation to notification obligations on individuals and organisations that experience a data breach.  In this post, we look at the first quarterly report issued by the Office of the Australian Information Commissioner (OAIC) in relation to data breaches notified under the NDB Scheme.

The Report

Now that notification of data breaches that meet the threshold tests of the NDB Scheme is a legal requirement, there has – as expected – been a significant increase in notifications to the OAIC.

The OAIC report states that they were notified of 63 data breaches in the first 6 weeks of the operation of the NDB Scheme, compared to a total of 114 voluntary notifications in 2016/2017. We expect this trend to continue for the remainder of 2018.


The report states the industry sectors that reported the most data breaches to the OAIC were:

  1. Health service providers (24 percent);
  2. Legal, accounting and management services (16 percent);
  3. Finance (13 percent);
  4. Private education (10 percent); and
  5. Charities (6 percent).

The OAIC’s report also notes that 78 percent of reported data breaches involved contract information, 33 percent involved health information and 30 percent involved financial details.

51 percent of data breaches were caused by human error, while 44 percent were a result of malicious or criminal attack.

The graph below highlights that 59 percent of data breach notifications involved the personal information of up to nine individuals. More broadly, the graph states that 90 percent of the breaches involved the personal information of less than 1,000 people.

Importance of understanding the NDB Scheme

The results of the OAIC report indicate that the majority of data breaches involve a relatively small number of individuals. Whether that remains the case is something we will keep an eye on. Either way, the notification obligations remain the same for organisations affected by a data breach, whether the number of affected individuals is 100 or 10,000.

Given the likelihood that the number of data breaches will continue to rise, it is important that organisations understand their obligations under the NDB Scheme and actions they can take to reduce risk. With the results now published, it is a timely reminder to seek legal assistance if you or your organisation believe they may have been subjected to a data breach.

For readers looking for more information on the NDB Scheme, we have prepared a series of blogs on different aspects of the new law to assist you understand how it works and what your obligations may be in the case of a data breach. Our previous blogs can be accessed at the following links: