Notifiable Data Breaches scheme

Strengthen protections on personal info

From February 22, 2018 the Privacy Act is changing. This will probably change the way you do business.

What changes?

Organisations that hold personal information will be required to:

1. Take reasonable steps to secure this information.
2. Notify individuals whose information is involved in a data breach that is likely to result in serious harm.

The Australian Information Commissioner must also be notified of eligible data breaches.

In English?

If you hold personal data and there is a possibility that it has been lost, stolen or accessed without authorisation, you MUST notify the affected individual/s AND the government.

Who does this apply to?

Any organisation that holds personal information AND has a turnover of more than $3 million, plus ALL Health Service Providers, Credit Reporting Agencies and TFN Recipients.

When does this apply?

The scheme comes into place on February 22nd, 2018.

This scheme strengthens protections to personal information. It’s similar to schemes already in place in the US and the UK and, in the opinion of security professionals, long overdue.

What do I have to do?

  • You must take reasonable steps to ensure the security of the data you hold.
  • You need a Data Breach Response Plan (here’s one you can use for free).
  • You should have a Network and Security Audit done at least annually or after significant change.
  • If you suspect a data breach, you must conduct an assessment within 30 days.
  • You must notify both affected individuals and the government if there is a breach that is “likely to result in serious harm”.
  • You must take remedial action and enhance your security measures to prevent further loss.

How can Health IT help?

Health IT provides a layered approach to security which includes:

1. People Security (Training, common sense)
2. Physical Security (Server accessibility, screen locks etc.)
3. Network Security (Managed Firewall, Spam protection)
4. Endpoint Security (Managed Anti-virus, anti-spyware)
5. Application Security (Appropriate permissions, Principle of least privilege)
6. Data Security (Backup and Disaster Recovery)

If I ignore this will it go away?

No. Failure to take reasonable steps before or after a breach can result in penalties of up to $360,000 for individuals and $1.8 million for organisations.

Where can I find more information?

Talk to us or see the Office of the Australian Information Commissioner.

“Security is a process, not a product”
Adam Kostanski, OzDoc Solutions