Payroll and the impact of the NDB scheme

David Sofrà and Analyn Toledo discuss the implementation of the Notifiable Data Breach (NDB) scheme from February 2018.


The Australian Information Commissioner has commenced implementation of the Notifiable Data Breach (NDB) scheme, effective 22 February 2018. It applies to agencies and organisations (entities) that are subject to the Privacy Act 1988 for the protection of personal information.

The NDB scheme requires entities to notify affected individuals and the Commissioner about ‘eligible data breaches’. An eligible data breach occurs when:

  • there is unauthorised access to, or disclosure of, personal information held by an entity
  • the access or disclosure is likely to result in serious harm to the affected individual, and
  • the entity has been unable to prevent the likely risk of serious harm with remedial action.

The notification must include recommendations about the steps individuals should take in response to the breach. Entities must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm, and thus require notification.

How are payroll operations affected?

The drive to improve efficiency, reprioritise resources and optimise stakeholder returns has led most entities to outsource payroll or to invest in new or improved technology. This transformation has resulted in a rapid increase in reliance on information technology and in operating in an online environment.

As with any other part of the business, entities running payroll (whether outsourced or in-house) are entrusted with valuable personal information about individuals and have an obligation to protect that information by all reasonable means. The NDB scheme is another mechanism directed at ensuring that entities uphold this accountability, particularly in a period when Australians embrace online activities more and more each day.

The NDB scheme is, in fact, another reporting obligation that entities have to comply with. But beyond being a compliance exercise, the scheme has the following consequences:

  • Visibility of eligible data breach occurrences to the government. What will this mean for the tightening of regulations in future?
  • Full transparency of eligible data breaches to the entities’ internal and external customers. What impact will this have on the business, on being a trusted goods/service provider, and beyond?

Questions to consider

So as you go about your day-to-day business of running payroll, consider these questions:

  • Is the payroll information entrusted to my entity really secure?
  • What safeguards and measures does my entity really have in place to secure the integrity of payroll information?
  • Does my entity have the right governance and risk appetite for cyber security and data protection?

Do not wait until you have to report an eligible data breach. Financial and reputational damages can be devastating. Get your safeguards tight or even tighter. Now is the time to act.
