Timely introduction of the Notifiable Data Breaches Scheme
By Georgia Adams
23 May 2018
The Scheme applies to organisations and agencies with existing obligations to protect personal information under the Privacy Act.
The Notifiable Data Breaches scheme under the Privacy Act 1988 came into force on 22 February 2018.
The Scheme applies to certain organisations and agencies with existing obligations to protect personal information under the Privacy Act. These entities are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of eligible data breaches, being breaches that are likely to result in serious harm.
The OAIC has released the first quarterly report on the scheme, which provides a snapshot of data breaches received by the OAIC from Australian entities.
Key statistics
The total number of data breaches reported to the OAIC under the scheme was 63. The largest proportion was from health service providers (24 per cent). The personal information that was predominantly involved in a breach was contact information, such as an individual’s name, email address or phone number (78 per cent). This was followed by health information (33 per cent), financial details such as bank account numbers (30 per cent), then identity information, such as a passport number (24 per cent).
Malicious or criminal attacks and human error, such as sending a document to the incorrect recipient, were the two largest causes of eligible data breaches (28 per cent and 32 per cent respectively). The OAIC was notified that 59 per cent of data breaches involved between one and nine individuals' personal information and 73 per cent involved under 100 individuals' personal information.
Takeaway
The report is a timely reminder of the need to be vigilant when handling personal information, especially as human error was the reason for the majority of eligible data breaches. You should check the address of a recipient before sending personal information to ensure it is being sent to the correct individual. A proper assessment of a breach is important to determine if notification is required as compliance with the scheme is mandatory. The next quarterly report will provide further insights and a more complete picture of the scheme as this report only outlines statistics for part of the quarter.
View the full report.