Are You Privacy Ready?

Government, Industry, Practice


The long-awaited commencement of the notifiable data breach scheme (NDB Scheme) is just around the corner. Prior to the introduction of the NDB Scheme in Australia, notification of a data breach to the Australian Information Commissioner was not mandatory under the Privacy Act 1988 (Cth) (Privacy Act).

From 22 February 2018, an entity that is bound by the Australian Privacy Principles, as well as credit reporting bodies, credit providers and file number recipients, will be required to comply with this new scheme. Entities will also need to notify the Commissioner and affected individuals when a data breach is likely to result in serious harm to those affected individuals.

This is relevant to members who are owner-operators, as they are delivering a health service.

Small business operators

A small business operator (SBO) is an individual (including a sole trader), body corporate, partnership, unincorporated association, or trust that has not had an annual turnover of more than $3 million in any financial year since 2001 (s 6D).
Generally, SBOs do not have obligations under the APPs unless an exception applies (s 6D(4)).
If an SBO falls into one of the following categories, it is not exempt and must comply with the APPs, and therefore with the NDB Scheme, in relation to all of its activities:

  • entities that provide any health services
  • entities related to an APP entity
  • entities that trade in personal information – that is, entities that disclose personal information about individuals to anyone else for a benefit, service or advantage; or entities that provide a benefit, service or advantage to collect personal information about another individual from anyone else
  • credit reporting bodies
  • employee associations registered under the Fair Work (Registered Organisations) Act 2009, and
  • entities that ‘opt-in’ to APP coverage under s 6EA of the Privacy Act.

If an SBO carries on any of the following activities, it must comply with the APPs, and therefore with the NDB Scheme, but only in relation to personal information held by the entity for the purpose of, or in connection with, those activities:

  • providing services to the Commonwealth under a contract
  • operating a residential tenancy database
  • reporting under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
  • conducting a protected action ballot, and
  • information retained under the mandatory data retention scheme, as per Part 5-1A of the Telecommunications (Interception and Access) Act 1979.

More information about how to determine whether a business or organisation is an APP entity or subject to the APPs for some of its activities is available at ‘Privacy business resource 10: Does my small business need to comply with the Privacy Act?’.