26th March 2018

The internet and technology have created countless opportunities and advances that few people could have imagined 30 years ago. Email has made it possible for people on opposite sides of the world to communicate in seconds, search engines have enabled people to answer nearly any question imaginable in mere minutes, and smart phones have allowed people to be connected to news, pop culture and the internet wherever they go. With all these advances also comes drawbacks. Cyberattacks, hacking and stealing of personal information have become rampant problems in this digital age. The Australian Government has recently enacted new laws to make data breaches more transparent.

The Notifiable Data Breaches Scheme: What is it?

The Australian Government summarised the Notifiable Data Breaches Scheme as the following:

The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act) established requirements for entities in responding to data breaches. Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.

The NBD applies to agencies, organisations, health service providers, accountants, credit reporting bodies, and businesses and non-profits with an annual turnover of $3 million or more. If the confidential documents or database of any of these organisations is breached by an unauthorized hacker or person, the organisation must notify the individual whose personal information was accessed without permission. What’s more, the notification must recommend steps the individual should take in regards to the breach and the Australian Information Commissioner must also be notified.

It is worth noting that the Australian government points out that the notification should take place only if the breach could cause serious harm. The government therefore recommends organisations and agencies to be prepared to quickly assess the degree of harm that is likely to result from the breach.

How does this affect accountants?

Accountants store a large amount of their clients’ personal information. If a potentially harmful breach of that information occurs, the accountant will be obligated to notify all the individuals whose information was stolen. This can result in a number of negative consequences for the accountant. Not only could such a breach embarrass an accountant and damage his or her reputation, but rectifying the situation could also be costly and time consuming. A breach could occur by accidently mailing a tax return to the wrong email recipient or a hack to an accountant’s local server. Failing to meet NBD obligations can result in an $1.8 million fine.

To prevent a breach, it is recommended to offer security awareness training to all employees, perform regular security scans against every system in an organisation’s network, and keep all security software up to date.

If an organisation’s confidential files are accessed without authorisation, a statement about the breach can be lodged to the Commissioner via this Notifiable Data Breach Form.

To learn more about the Notifiable Data Breach Scheme, visit the Office of the Australian Information Commissioner’s website here.




         Chartered Accountants

Tax Institure