Introduction to Notifiable Data Breaches (NDB)
A notifiable data breach occurs when personal information held by an organisation is accessed or disclosed without authorisation, or lost, in a manner that is likely to result in serious harm to any individual affected. These breaches not only damage the privacy rights of individuals but also pose significant risks to organisational integrity and reputation.
Examples of Common and Overlooked Data Breaches
Unauthorised Access
- Staff accessing client or student records out of curiosity (“snooping”).
- Admins accessing email or cloud storage accounts without proper authorisation.
- Access to systems by former employees due to delayed deprovisioning.
Unintentional Disclosure
- Sending emails to the wrong recipient (especially with attachments or sensitive information).
- Using CC instead of BCC in mass communications (revealing personal information).
- Publishing internal reports, documents, or spreadsheets on public websites.
Lost or Stolen Devices
- Lost company laptops, USBs, or portable hard drives containing personal data.
- Mobile phones with synced email or CRM data that are not encrypted or protected.
- Staff storing unapproved backups on personal drives or insecure cloud services.
Physical Breach or Document Exposure
- Printed documents (e.g. enrolment forms, payslips) left unattended in public areas.
- Unshredded paper records disposed of in general waste or recycling.
- Visitors or contractors accessing open desks or unlocked filing cabinets.
Misconfigured Systems
- Cloud storage (e.g. SharePoint, Google Drive, AWS S3) left open or indexed publicly.
- Firewalls or network drives exposing internal data to the internet.
- Misconfigured permissions allowing staff to access files not relevant to their role.
Insider Threats (Malicious or Negligent)
- Disgruntled employees exfiltrating client or student data before resignation.
- Staff forwarding sensitive emails to personal accounts “just in case.”
- Employees selling data for financial gain or sharing it with competitors.
Third-Party Failures
- Software vendors or consultants storing your customer data insecurely.
- Data shared with marketing agencies without consent or appropriate safeguards.
- Breaches in payroll, HR, or learning management platforms used by the organisation.
Technical Vulnerabilities
- Exploited software flaws (e.g. unpatched applications, known CVEs).
- Ransomware attacks leading to exfiltration or destruction of data.
- Malware or spyware capturing credentials or sensitive communications.
Improper Data Handling
- Sending Excel files without passwords or with only weak protection.
- Transferring data via unsecured USBs or using outdated encryption standards.
- Using shared credentials across multiple staff or systems.
Poor Consent and Collection Practices
- Collecting personal or sensitive information without clear consent.
- Storing biometric data, CCTV footage, or photos with no clear retention policy.
- Using legacy databases that retain obsolete or excessive personal information.
Monitoring and Surveillance Overreach
- Excessive employee monitoring without adequate policy or disclosure.
- Recording video meetings or screens without consent and storing the recordings indefinitely.
- Tracking user activity or location data inappropriately.
Cross-Border Data Transfers
- Hosting personal data in jurisdictions with lower privacy protections.
- Using overseas cloud services without verifying their compliance stance.
- Transferring files internationally without contractual safeguards or privacy impact assessments.
Criteria for Notifying
Under the Australian Notifiable Data Breach (NDB) scheme, a data breach must be reported to the Office of the Australian Information Commissioner (OAIC) if:
- There is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity.
- The breach is likely to result in serious harm to one or more individuals.
- The entity has not been able to prevent the likely risk of serious harm with remedial action.
Reporting a Breach: Timeline and Process
Entities must assess the incident within 30 days of becoming aware of the breach. If the assessment determines that the breach meets the criteria above, the OAIC and the affected individuals must be notified promptly. The notification must include the following information:
- A description of the data breach.
- The kinds of information concerned.
- Recommendations about the steps individuals should take in response to the breach.
Penalties and Fines
Failure to comply with the NDB scheme can result in significant penalties. The OAIC can impose fines of up to $2.22 million for serious or repeated breaches. These fines are aimed at ensuring that entities take privacy obligations seriously and implement adequate security measures to protect personal information.
Take the stress out of investigating a breach and any required reporting with https://www.notifiablebreach.com