follow us
Planning your next holiday? Find an ATAS accredited agent here » ATAS Logo


If you're a new user and do not yet have a username/login.

Register Now

Participant Zone

Accredited ATAS participants click here for access to the secure business support area.


Returning users log in to commence or access your ATAS application.

My AFTA Login

News Hub

« Back

New Privacy Laws - does it affect you?

The new Notifiable Data Breaches (NDB) scheme kicks in on the 22nd February 2018 which places new reporting obligations for when a data breach is likely to result in serious harm to any individual whose personal information is involved in a breach.

So you might not be Ashley Madison and holding the sensitive information of 36 million people looking to have an affair, but travel agents and tour operators may hold sensitive personal information such as passport information, financial information or medical/health information.

Who does it apply to?

Generally, businesses with an annual turnover of $3 million or more. Small business operators with an annual turnover of less than $3 million generally do not have obligations unless an exception applies. AFTA recommends however that it is best practice for all businesses to comply with the Australian Privacy Principles (APP) and the NDB scheme.

What is an ‘eligible data breach’?

An eligible data breach arises when the following three criteria are satisfied:

  1. There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;

  2. This is likely to result in serious harm to one or more individuals; and

  3. The entity has not been able to prevent the likely risk of serious harm with remedial action.

What is serious harm?

‘Serious harm’ is not defined in the Privacy Act. In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

STEPS to take:

  1. Contain – take immediate steps to limit any further access or distribution.

  2. Assess – see the link below for an easy workflow guide.

  3. Take Remedial Action – if successful notification may not be required.

  4. Notify – where serious harm is likely, the affected individuals must be notified via any reasonable method, and the Commissioner must be notified via the required form available here.

  5. Review - review the incident and take action to prevent future breaches.

Need more information?

The Office of the Australian Information Commissioner conducted a webinar that is available for viewing on their website or download their flowchart for a great summary of what to do if a breach occurs and when below.

NDB Scheme Flowchart.

Want to know more? Contact Naomi Menon – AFTA Head of Compliance and Operations via email at