The New Payments Platform (NPP) and Notifiable Data Breaches (NDB) are both starting in early 2018. It’s now time to assess your readiness and update your policies, procedures and documentation.


If you are participating in the NPP, you will have to amend your account and payment facility terms and conditions and your mobile app terms.

NPP will let customers make and receive near real-time payments. Most consumer payments will be through Osko, an NPP “overlay service” operated by BPAY.

NPP will enable payments using a customer PayID as well as by using BSB and account number. Your terms and conditions should cover both Osko and PayID and may also need to cover non-Osko NPP payments.

When updating terms and conditions, remember to factor in any notice period required for changes to take effect.

To participate in the NPP you also have to meet requirements set by the operator, NPP Australia Limited (NPPA). The NPPA has minimum standards for participants. You should have processes in place to confirm that you comply with those standards.


From 22 February 2018, the law will require data breaches to be notified to the Information Commissioner and the affected individuals.

Organisations required to report Notifiable Data Breaches should have in place policies and procedures to meet their NDB obligations.

Data breaches include unauthorised access to, or disclosure of, personal information, and loss of personal information. Generally the breach will have to be notified if it is likely to result in serious harm to the individuals affected. However in some cases the breach will not have to be notified if remedial action is taken before serious harm occurs.

The obligation to notify is triggered when the organisation is aware of reasonable grounds to believe that there has been an NDB. Before this happens, if the organisation only suspects an NDB has occurred, it must conduct an assessment.

Some of the things that an organisation might want to address in its privacy policies and procedures to deal with NDB include:

  • A statement of the notification obligation.
  • Definition of a Notifiable Data Breach.
  • Definition of serious harm.
  • Procedure for internal reporting, assessment and management of an NDB.
  • Procedure for notification of an NDB to the Information Commissioner and individuals.
  • Procedures for when other organisations are also involved in the data breach.

We can help you with the legal aspects of NPP and NDB. To talk about these changes please contact Patrick Dwyer on (02) 8912 2503.

Click here to subscribe to our email list for news, comment and analysis