Understanding the Notifiable Data Breaches Scheme in Australia
[Infographic: Data breach impact, from Australian reported data breaches]
Notifiable Data Breaches
A data breach can have devastating consequences, not only for the individuals affected but also for the organisation responsible. The Notifiable Data Breaches (NDB) scheme ensures transparency and accountability by requiring entities covered by the Privacy Act to report data breaches that are likely to cause serious harm, and to do so as soon as practicable after becoming aware of them.
What is the Notifiable Data Breaches Scheme?
The Notifiable Data Breaches (NDB) scheme is part of the Privacy Act 1988 (Cth). It mandates that organisations must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm.
This law applies to:
- Australian Government agencies
- Businesses and not-for-profits with an annual turnover of more than $3 million
- Health service providers
- Credit reporting bodies
- TFN recipients and others covered by the Privacy Act
Full details: oaic.gov.au/privacy/notifiable-data-breaches
When Must You Notify?
Notification is required when all three of the following criteria are met (the Act calls this an "eligible data breach"):
- There is unauthorised access to or disclosure of personal information, or the information is lost in circumstances where unauthorised access or disclosure is likely to occur.
- A reasonable person would conclude that the breach is likely to result in serious harm to one or more individuals.
- The entity has not been able to prevent the likely risk of serious harm through remedial action taken before the harm occurs.
If you only suspect that an eligible data breach has occurred, the Act requires you to carry out a reasonable and expeditious assessment, and to complete that assessment within 30 days of becoming aware of the grounds for suspicion. Once you decide a breach is eligible, you must notify as soon as practicable; the 30-day window is for assessment, not a grace period for notification.
Examples of notifiable breaches:
- A cyberattack that exposes customer data
- An unencrypted laptop, phone or USB drive holding personal information is lost or stolen (whether the data was protected by encryption or other security measures, and how likely those measures are to be overcome, are among the factors the Act lists for assessing the likelihood of serious harm, so a properly encrypted device whose keys are not exposed may not meet the threshold)
- Emailing personal records to the wrong recipient
What Must Be Included in the Notification?
If an eligible breach occurs, the organisation must provide:
- A description of the data breach
- The kind of information involved
- Recommendations for affected individuals
- Contact information for follow-up
The statement containing this information is submitted to the OAIC, and the entity must then notify the affected individuals. The Act allows three ways to do so: notify all individuals whose information was involved, notify only those individuals at likely risk of serious harm, or, where neither is practicable, publish the statement on the entity's website and take reasonable steps to publicise it. Direct communication using the channel you normally use to contact the individual (email, letter, phone) is the usual approach; a public statement is the fallback, not the default.
The OAIC's online notification form is at oaic.gov.au/privacy/notifiable-data-breaches/notify-us-of-a-data-breach
What Happens If You Don’t Comply?
Failure to comply with the NDB scheme can result in:
- Regulatory investigation
- Reputational damage
- Civil penalties for serious or repeated non-compliance
Under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, the maximum civil penalty for a serious or repeated interference with privacy by a body corporate is the greatest of $50 million, three times the value of any benefit obtained from the conduct, or 30 per cent of the entity's adjusted turnover during the period of the breach. Failing to notify an eligible data breach is itself an interference with privacy under the Act.
Best Practices for Compliance
To prepare for and respond effectively under the NDB scheme:
- Develop and test an incident response plan that includes breach notification procedures
- Train your staff on recognising and escalating data breaches
- Encrypt sensitive data and restrict access based on need-to-know
- Conduct regular privacy impact assessments and audits
Use the OAIC’s Data Breach Preparation and Response Guide as a baseline for policy and process.
Final Thoughts
The Notifiable Data Breaches scheme plays a key role in protecting Australians’ privacy and building public trust in digital systems. For organisations, compliance isn’t just a legal obligation — it’s a vital part of cybersecurity maturity.
Understanding when and how to notify gives your organisation the agility to respond to incidents with confidence and accountability.