This material is owned and prepared by the Office of the Australian Information Commissioner (OAIC) as the Digital ID privacy regulator under the Digital ID Act 2024. The materials linked below outline the privacy rules and responsibilities all accredited entities need to follow to maintain accreditation.
For support or queries related to the information below please contact the OAIC.
| Date | Version | Description of changes |
|---|---|---|
| Nov 2024 | Version 1 | Initial version |
Notifiable Data Breach (NDB) obligations
In Australia’s Digital ID System, all accredited entities providing accredited services have data breach notification obligations, including small business operators under the Privacy Act 1988 (Cth) (the Privacy Act).
These obligations arise from either the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act, or from state or territory legislation with a comparable data breach notification scheme.
A data breach occurs when personal information is accessed or disclosed without authorisation or is lost. For entities covered by the NDB scheme in the Privacy Act, the scheme requires the entity to notify affected individuals and the OAIC when a data breach involving personal information is likely to result in serious harm to individuals.
All accredited entities providing accredited services also have obligations under the Digital ID (Accreditation) Rules 2024 (rule 4.45) to have a data breach response plan, which includes a communications plan. This plan should ensure clear lines of internal escalation and timely notifications to affected individuals and third parties in the event of a data breach. See the OAIC’s guidance on preparing a data breach response plan for further information.
The applicable data breach notification obligations for different entities are set out below.
APP entities
Accredited entities who are APP entities under the Privacy Act will need to comply with the NDB scheme in the Privacy Act in relation to data breaches affecting their accredited services. As APP entities, these entities are already subject to the NDB scheme for all their activities.
State or territory government entities
The applicable data breach notification obligations for a state or territory government entity will depend on the entity’s existing obligations.
For accredited entities that are state or territory agencies covered by a data breach notification scheme that is comparable to the NDB scheme, that state or territory scheme will apply to the entity’s provision of accredited services. Accredited entities in this category must comply with that state or territory based notification scheme and should refer to their state or territory regulator for further guidance.
For accredited entities that are state or territory agencies who are not covered by a data breach notification scheme that is comparable to the NDB scheme, section 40 of the Digital ID Act 2024 (Cth) (the Digital ID Act) extends the Privacy Act NDB scheme to apply to their provision of accredited services.
Small business operators
For accredited entities who are small business operators under the Privacy Act, section 40 of the Digital ID Act extends the Privacy Act NDB scheme to apply to their provision of accredited services.
Privacy Act NDB scheme
As outlined above, the NDB scheme applies to the following entities in connection with their provision of accredited services:
- APP entities
- small business operators
- State or Territory government agencies that are not already subject to a comparable data breach notification scheme.
These State or Territory government agencies and small business operators, who have not previously been subject to the NDB scheme, must ensure their systems and procedures comply with the NDB scheme.
The OAIC has detailed guidance on managing data breaches and complying with the NDB scheme, including a data breach preparation and response guide. See https://www.oaic.gov.au/privacy/notifiable-data-breaches for a range of resources.
Additional notification obligations
The Digital ID Act creates additional notification obligations where an accredited entity is required to notify the OAIC or a State or Territory regulator of a data breach.
For entities covered by the NDB scheme in the Privacy Act who are required under s 26WK of the Privacy Act to notify the OAIC of a data breach, the Digital ID Act requires the entity to give a copy of that statement to the Digital ID Regulator at the same time as the notification is given to the OAIC (ss 39(2) and 40(4) of the Digital ID Act).
For entities covered by a comparable State or Territory scheme who are required to notify their State or Territory regulator of a data breach, the Digital ID Act requires the entity to give a copy of that statement to both the OAIC and the Digital ID Regulator at the same time as the notification is given to their regulator (s 41(2) of the Digital ID Act).
Following accreditation, providers will be advised on how data breach notifications to the Digital ID Regulator are to be made.
Table: applicable privacy and NDB obligations for accredited entities

| Entity | General privacy obligations (when providing accredited services) | Additional privacy safeguards (Digital ID Act: sections 44 – 56) | NDB scheme obligations (when providing accredited services)* | General privacy obligations (for all other non-accredited services the entity provides) |
|---|---|---|---|---|
| Accredited entity – Commonwealth Government entity | APPs | Additional privacy safeguards apply | Privacy Act 1988: Part IIIC scheme | APPs |
| Accredited entity – State and Territory government entity | Relevant state/territory privacy law (providing comparable protection to APPs) | Additional privacy safeguards apply | Comparable state/territory notifiable data breach scheme | Relevant state/territory privacy law where applicable |
| Accredited entity – private sector APP entity | APPs | Additional privacy safeguards apply | Privacy Act 1988: Part IIIC scheme | APPs |
| Accredited entity – private sector non-APP entity (small business operator) | APPs (treated as organisations as set out in section 35A of the Digital ID Act) | Additional privacy safeguards apply | Privacy Act 1988: Part IIIC scheme (see section 40 of the Digital ID Act) | Nil (only treated as organisations to the extent they are providing accredited services – section 33 of the Digital ID Act) |
*In addition to the applicable data breach notification scheme, the Digital ID Act creates an additional obligation for accredited entities to give a copy of a data breach notification statement to the Digital ID Regulator at the same time as the statement is provided to the relevant privacy regulator – see ss 39, 40 and 41.