Emil Ford Lawyers

Data breaches and not-for-profits: What the Notifiable Data Breach laws mean for you

In October 2016, the personal details of over half a million Red Cross Blood Service donors were exposed in what was described at the time as Australia’s largest data breach. By all accounts the breach was not an act of malice but an accident: a moment’s oversight by a contractor left a backup file containing the records of over half a million donors on a publicly accessible web server, where it was found and downloaded by an unauthorised person.

The details were both personal, including donors’ names and addresses, and sensitive, including each donor’s answer to the question of whether they had engaged in ‘at-risk sexual behaviour’ in the preceding 12 months. Malicious use of the donor data could have caused serious harm to donors.

The Red Cross Blood Service breach serves as a reminder to all organisations that the more client data they collect and retain, the greater their exposure to a data breach. In response to the increasing risk of data breaches, whether through human error or malicious intent, the Commonwealth government has introduced the Notifiable Data Breaches (NDB) scheme.

The NDB scheme comes into effect in Australia on 22 February 2018 and applies to all organisations covered by the Privacy Act, including most Australian Government agencies, private sector and not-for-profit organisations with an annual turnover above $3 million, and all private health service providers. These organisations will be required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of eligible data breaches, that is, breaches of personal information that are likely to result in serious harm to the individuals concerned.

Coincidentally, the European Union’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and introduces a new regulation with global reach, replacing the EU Data Protection Directive that has been in place since 1995. For the first time, one directly applicable data protection law will be in force across the EU. And if an Australian organisation offers goods or services to individuals in the EU (for example through a website directed at them) or monitors their behaviour, that organisation must also comply with the GDPR.

Not-for-profits should prepare for these new laws and should also have a data breach response plan in place in case they suffer a cyber-attack.  If you have any questions about data breaches, or would like to discuss the obligations your charity or not-for-profit has under these new legislative changes, please contact or

Suite 4 Level 5
580 George Street
Sydney NSW 2000
Phone: +61 2 9267 9800
Fax: +61 2 9283 2553