The Notifiable Data Breaches (NDB) scheme was established to improve consumer protection and promote better security standards to safeguard personal information in Australia. The NDB scheme applies to all agencies and organisations who are protected by the Privacy Act 1988 (Cth) (Act) and required to take personal steps to secure personal information.
The Australian Information Commissioner (OAIC) publishes reports on notifications received under the NDB scheme to track the leading causes and sources of data breaches, and to draw attention to potential issues and areas that entities regulated under the Act need to have ongoing awareness of. This article summarises the findings of the NDB Report for the period from 1 January to 30 June 2020.
Key findings of the report
- The OAIC was notified of 518 breaches by eligible entities. This figure is down 3% from 532 in the previous six months, but up 16% on the 447 notifications received between January and June 2019;
- Although malicious or criminal attacks remain the leading cause of data breaches, there was a 7% reduction in attacks over the past 6 months. Malicious or criminal attacks now constitute 61% of all notifications;
- Data breaches resulting from human error have increased by 7% compared to the previous 6 months. These now account for 34% of all breaches;
- The health sector is the highest reporting sector, notifying 22% of all breaches;
- Finance is the second highest reporting sector, notifying 14% of all breaches; and
- 64% of data breaches affected less than 100 individuals, 46% of notifications involved breaches affecting between 1 and 10 individuals.

Types of personal information involved in data breaches
Contact information was involved in 84% of the data breaches notified under the NDB scheme, making it the most common type of personal information involved in a data breaches during this period. Contact information includes home address, phone number or email address. Importantly, this must be distinguished from ‘identity information’, which refers to information which may be used to establish a person’s identity, such as passport number, driver license number or other government identifiers. Identity information was involved in over a third of data breaches during this period.
Other types of personal information included:
- tax file numbers (17%);
- financial details such as bank account or credit card numbers (37%); and
- health information (26%).

Industry sectors involved in data breaches
From January to June 2020, health service providers reported 115 data breaches, which equated to 22% of the total reported breaches for that period. The second largest source of NDBs was the financial sector at 15%, followed by education (8%), insurance (7%) and legal, accounting and management services (5%).
Does the OAIC publish the details of reported data breaches?
The OAIC does not publish the details of individual reported data breaches. Instead, it regularly publishes NBD statistics reports to give an overview of how the scheme operates.
The OAIC’s role in the NDB scheme is to:
- receive notifications of eligible data breaches;
- encourage compliance with the NDB scheme, including by handling complaints, conducting investigations and taking other regulatory action;
- offer advice and guidance to regulated organisations; and
- provide information to the community about the operation of the NDB scheme.
Takeaways
The NDB Report provides insight into the trends associated with data breaches, and encourages regulated entities to take a proactive approach to reduce harm arising from these breaches by actively engaging with the OAIC.
Links and further references
Legislation
Other links
The Notifiable Data Breaches Report: January – June 2020
Further information about data breach obligations
If you need a lawyer to advise on compliance with the data breach obligations under the Privacy Act, please contact us for an obligation free and confidential discussion.

Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
T: +61 7 3221 0013 (preferred)
M: +61 419 726 535
E: mburrows@dundaslawyers.com.au

Disclaimer
This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.