In March 2018, the Australian Government introduced the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988. If you've been ignoring it, now's the time to pay attention.
A data breach can destroy customer trust, trigger regulatory action, and land your business in the media for all the wrong reasons. And under the NDB scheme, when a serious breach happens, you may be legally required to tell people—and if you don't, the consequences are real.
This article breaks down what the NDB scheme means for Australian businesses, when you need to notify, what to say, and how to prepare.
What Is the NDB Scheme?
The NDB scheme establishes a clear obligation: when an eligible data breach occurs, the organisation or agency responsible must notify affected individuals and the Office of the Australian Information Commissioner (OAIC).
It's not optional. It's the law.
The scheme applies to all Australian businesses, government agencies, and other organisations that are bound by the Australian Privacy Principles (APPs). That includes you if you:
- Have an annual turnover of more than $3 million, or
- Trade in personal information as a core part of your business, or
- Are a health service provider, or
- Are a prescribed credit reporting body
Even if none of the above apply, you may still have obligations under the Privacy Act more broadly.
What Is an "Eligible Data Breach"?
An eligible data breach occurs when there is:
1. Unauthorised access to or disclosure of personal information held by your organisation, and
2. That access/disclosure is likely to result in serious harm to any of the affected individuals, OR
3. Information is lost and your organisation is unlikely to be able to recover it
"Personal information" means any information about an identifiable individual—name, email address, financial details, health records, even IP addresses.
"Serious harm" isn't defined precisely, but the OAIC considers factors like:
- The sensitivity of the information involved
- What a malicious actor could do with that information
- Whether the information is protected by security measures
- The nature of the harm that could result
Examples of Eligible Data Breaches
- A hacker steals a database of customer names, emails, and passwords
- An employee accidentally sends a file containing customer financial details to the wrong organisation
- A lost USB drive containing unencrypted personal records
- A cyberattack encrypts your customer database with ransomware and you can't restore from backup
Not an Eligible Breach (Usually)
- A business email is sent to the wrong internal recipient but contains no sensitive data
- Spam is sent to customers from a compromised account (if no personal data was accessed)
- A data centre experiences brief downtime with no breach of data
When Must You Notify?
You must notify as soon as practicable once you become aware that an eligible data breach has occurred.
There's no strict deadline (the law says "as soon as practicable"), but the OAIC expects timely notification—typically within 30 days is considered reasonable in most circumstances. The moment you have reasonable grounds to believe a breach has occurred, the clock starts.
The Three-Step Assessment Process
When you suspect a breach, assess it systematically:
Step 1: Contain
Take immediate steps to contain the breach. Stop the unauthorised access, secure the system, change passwords, isolate affected systems.
Step 2: Assess
Evaluate the breach. What information was accessed? Who is affected? Is the information sensitive? Could it cause serious harm?
Step 3: Notify
If the assessment confirms an eligible data breach, notify affected individuals and the OAIC. If in doubt, the OAIC has guidance and you can also seek legal advice.
What Must Your Notification Include?
Your notification to affected individuals must include:
- A description of the breach
- The kinds of information involved
- Recommendations for what the individual should do in response
- Your organisation's contact details for further information
- The date or period the breach occurred
- How the breach occurred
- The steps your organisation has taken in response
Don't bury the notification. Use clear, plain language. Affected individuals need to understand what happened and what they should do next—typically changing passwords, being vigilant for scams, or monitoring their accounts.
What Happens If You Don't Notify?
The OAIC has investigative powers and can:
- Find that an interference with privacy has occurred
- Make a declaration that you must notify
- Accept enforceable undertakings
- Seek civil penalties in serious cases
Penalties for serious or repeated interferences with privacy can reach:
- $50 million for corporations (as of 2024, following updates to the Privacy Act)
- $2.5 million for individuals
Beyond the OAIC, there's the court system. Individuals can also seek compensation for harm caused by a failure to protect their information.
And then there's reputational damage. Data breaches get reported. The Australian media covers them. Customers leave. The damage extends far beyond the regulatory fine.
Recent Enforcement Trends
The OAIC has been increasingly active. In recent years, organisations across healthcare, finance, telecommunications, and retail have faced investigation and enforcement action for data breaches.
High-profile cases have included:
- Medibank (2022/2024): A breach affecting 9.7 million Australians, one of the largest in Australian history, led the OAIC to commence civil penalty proceedings against Medibank in June 2024 for failing to protect sensitive customer health data.
- Optus (2022): The 2022 breach affecting up to 10 million Australians triggered a joint investigation by the OAIC and the Australian Communications and Media Authority, with significant regulatory scrutiny.
- MediSecure (2024): Australia's largest on-record health data breach, with 12.9 million Australians affected. The OAIC received 527 data breach notifications in the first half of 2024 alone.
- Australian Clinical Labs (2024): Found to have breached privacy obligations following a ransomware attack, with the OAIC pursuing penalties.
- Latitude Financial (2023): The OAIC is also investigating the 2023 breach that affected 14 million customer records.
The message is clear: the OAIC is watching, and they're enforcing.
How to Prepare
The best time to prepare for a data breach is before one happens. Here's what you should have in place:
1. A Data Breach Response Plan
Document, test, and maintain a clear process for responding to breaches. It should cover:
- Who is responsible for what in the response
- How breaches are identified and escalated
- The assessment process
- Notification procedures
- Communication templates
2. Staff Training
Your people need to know how to spot potential breaches and who to report them to. Delayed reporting is one of the most common failures—people don't report because they're not sure whether it counts as a breach.
3. Data Inventory
You can't protect what you don't know about. Maintain a current inventory of the personal information you hold, where it's stored, who has access, and what protections are in place.
4. Security Controls
Prevention is better than notification. Strong security doesn't exempt an organisation from the NDB scheme if a breach still occurs, but the OAIC does look favourably on organisations that had robust controls in place. Essential Eight alignment, access controls, encryption, and tested backups reduce both the likelihood of a breach and the severity if one occurs.
5. Legal Advice on Standby
Have a lawyer you can call quickly when a breach occurs. Notifiable Data Breaches are time-sensitive and legally complex. Getting advice early can save significant pain later.
The Business Case for Getting This Right
Beyond compliance, there's a business case:
- Trust: Customers who trust you with their data stay customers
- Competitive advantage: Security and privacy can be differentiators
- Insurance: Cyber insurance policies often require breach response plans
- M&A readiness: Buyers scrutinise data practices during due diligence
Treat privacy and data protection as a business asset, not a compliance burden.
Key Takeaways
1. The NDB scheme is law; non-compliance carries real penalties
2. An eligible data breach requires notification to affected individuals AND the OAIC
3. Serious harm to individuals is the trigger; assess carefully
4. Notification must be timely and contain specific information
5. Preparation now makes all the difference when a breach occurs
6. The OAIC is active and enforcement is increasing
If you're unsure about your obligations, the OAIC's website has detailed guidance. If you've experienced a breach or suspect one has occurred, seek advice immediately.
---
Need help assessing your privacy obligations or data breach response capabilities? [Contact us](/) for a practical security assessment.