This report looks back on the last 12 months of the Notifiable Data Breaches scheme (NDB scheme). The NDB scheme introduced new obligations for Australian Government agencies and private sector organisations (entities) that have existing information security obligations under the Privacy Act 1988 (Cth) (the Privacy Act). For a little over a year, it has been a legal requirement for entities to carry out an assessment whenever they suspect that there may have been loss of, unauthorised access to, or unauthorised disclosure of personal information that they hold. If serious harm is likely to result, they must notify affected individuals so they can take action to address the possible consequences. They must also notify the Office of the Australian Information Commissioner (OAIC).

The requirement to notify individuals of eligible data breaches goes to the core of what should underpin good privacy practice for any entity—transparency and accountability. Being ready to assess and, if appropriate, notify of a data breach provides an opportunity for entities to understand where privacy risks lie within their operations, to address the human and cyber elements that contribute to data breaches and to prevent or minimise harm to individuals and the community. And, of course, prevention is better than cure. The requirements under the NDB scheme incentivise entities to ensure they have reasonable steps in place to secure personal information.

This report examines the trends that have emerged under the NDB scheme in its first full year of operation. The NDB scheme commenced in February 2018, and this report draws on the four complete quarters of data collected since that time, from 1 April 2018 to 31 March 2019. It highlights practices of regulated entities over this period and looks to where the opportunities for improvement lie. It is intended that this report will assist entities and others to understand the common causes of data breaches and to implement proactive strategies for better prevention into the future.

The report also presents an opportunity to reflect on the purposes of the NDB scheme and how these purposes have been served in the first year.