Go to top of page

Notifiable data breaches scheme

Notifiable Data Breaches scheme

On 22 February 2018, new privacy laws come into effect to regulate the reporting and notification of eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and impacted individuals.

The Notifiable Data Breaches (NDB) scheme, which applies to eligible data breaches that occur on or after 22 February 2018, is an amendment to the Privacy Act 1988 and effectively mandates a reporting and notification process that the OAIC had previously recommended as best practice.

The Tax Practitioners Board (TPB) does not administer these new provisions. Ultimately the OAIC  is responsible for the administration of the NDB scheme and further information (including recently finalised guidance) is available on the OAIC website.

General information about the NDB scheme is provided below.

Tax practitioners and the NDB scheme

Entities that are already covered by the Privacy Act must comply with the NDB scheme. This includes Australian Privacy Principle (APP) entities, as well as tax file number (TFN) recipients to the extent that TFN information is involved in a data breach.

Registered tax practitioners already have obligations to protect TFN information under Privacy (Tax File Number) Rule 2015 and the Taxation Administration Act 1953.

If tax practitioners fail to comply with the new NDB scheme there may be implications in relation to the Tax Agent Services Act 2009 (TASA). Such a failure may be considerd by the TPB in determining whether you have breached the TASA, including the Code of Professional Conduct (Code). 

In particular, Code item 6 (confidentiality) requires that a registered tax practitioner must not disclose information relating to a client's affairs to a third party without the client's permission or without a legal duty to do so.

Factors to be considered include:

  • has the tax practitioner taken reasonable steps to have sufficient IT controls in place?
  • was the practitioner reckless in their approach to cyber security?

If a practitioner has been incompetent or reckless regarding IT controls, and this has resulted in a breach of confidentiality because of a cyber incident, the TPB may impose one or more administrative sanctions for breach of the Code.

Each situation will be considered on a case-by-case basis, including the circumstances of the data breach and the steps taken to report and rectify the problem.

For futher TPB guidance read protect your practice.

Complying with the NDB scheme

According to information provided by the OAIC, the OAIC expects organisations to develop their own procedures for assessing a suspected data breach. Examples of a data breach may include:

  • data or records containing customers' personal information is lost or stolen
  • a database containing personal information is hacked
  • a cyber-attack results in personal information being disclosed
  • personal information is mistakenly provided to the wrong person.

The TPB recommends all tax practitioners review their practices, procedures and systems for securing personal information to comply with these new provisions. You should consider:

  • reviewing current information security practices, procedures and systems to ensure they are adequate, including taking steps to ensure all security software and controls are up to date, and to remove accesses from people who no longer require these accesses
  • preparing a data breach response plan (or updating a current plan) to ensure the ability to respond quickly to suspected data breaches
  • providing training to relevant staff as to any role they may have in responding to data breaches.

The OAIC provides a useful one-page flowchart that summarises what to do in the event of a data breach. Keep up to date with the latest developments by subscribing to the OAIC newsletter.

Notifying affected individuals about an eligible data breach

The NDB scheme requires organisations covered by the Privacy Act to notify any individuals likely to be at risk of serious harm by a data breach. Advice must include recommendations about the steps that should be taken in response to the data breach.

An eligible data breach occurs when three criteria are met:

  1. there is unauthorised access to, or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
  2. this is likely to result in serious harm to one or more individuals, and
  3. the entity has not been able to prevent the likely risk of serious harm with remedial action.

Further guidance on this issue is available on the OAIC website

Support available in the event of a data breach

Data breaches are often a precursor for refund fraud. The ATO can help you in the event of a data breach and may apply measures to protect your business, staff and clients where necessary.

More information on data breaches and support available for tax professionals is available on the ATO website


Last modified: 14 February 2018