The Notifiable Data Breaches (NDB) legislation was passed as an Amendment to the Australian Privacy Act (1988), with the new regime coming into effect on 22 February 2018. The data breach notification scheme aims to help people whose personal information has been breached, to regain some control sooner rather than later.

The NDB scheme requires businesses to notify both the Office of the Australian Information Commissioner (OAIC) and any affected individuals if the company experiences any unauthorized access, disclosure, or loss of personal information, if a reasonable person would conclude that this access, disclosure, or loss would be likely to result in serious harm.

Some businesses have expressed a concern that admitting to a security breach could make it easier for customers to launch a lawsuit, while most organizations agree that disclosing the breach is good business practice. The act makes it clear that serious harm isn’t necessarily only related to financial losses, but could also include the public disclosure of private information such as a medical condition.