Australia's Notifiable Data Breaches (NDB) scheme has been a fixture of the privacy landscape since 2018, but the obligations it creates still catch many organisations off guard when an incident actually unfolds. Under the scheme, covered entities must assess, report, and respond to eligible data breaches within strict timeframes. With the Privacy Act reform process continuing to sharpen the rules around personal information handling, understanding exactly what the NDB scheme requires is no longer just a compliance checkbox: it is a core operational discipline.
What is the NDB scheme and who does it cover?
The Notifiable Data Breaches scheme sits inside Part IIIC of the Privacy Act 1988 (Cth) and is administered by the Office of the Australian Information Commissioner (OAIC). It applies to any Australian Government agency and any private sector organisation with an annual turnover of more than $3 million. Certain organisations below that threshold are also captured, including private health service providers, credit reporting bodies, and businesses that buy or sell personal information.
Critically, the scheme applies to information held in Australia regardless of where the breach occurs. A multinational with Australian customers cannot sidestep obligations simply because the data was processed or stored offshore. If your organisation handles personal information about Australians and meets the coverage criteria, the NDB scheme applies to you.
What counts as an eligible data breach?
Not every security incident triggers a notification obligation. For a breach to be "eligible" under the scheme, three conditions must all be met. First, there must be unauthorised access to, or disclosure of, personal information, or personal information must be lost in circumstances where unauthorised access or disclosure is likely. Second, a reasonable person must conclude that the breach is likely to result in serious harm to the individuals whose information was involved. Third, the organisation must not have been able to prevent the likely serious harm before it occurred.
Serious harm is assessed across a range of factors: the sensitivity of the information (health records and financial data sit near the top), the number of affected individuals, whether the information is combined in ways that increase the risk of harm, and whether protective measures such as encryption were in place at the time of the breach. A laptop theft is not automatically notifiable; whether it is depends on what was on the device, how it was protected, and whether anyone could realistically exploit it.
The 30-day assessment window
When an organisation has reasonable grounds to suspect an eligible data breach has occurred, it must carry out an assessment within 30 days. This is not a soft target. The OAIC has been clear that organisations should not wait to confirm every detail before beginning their assessment. The clock starts when there are reasonable grounds to suspect a breach, not when certainty is achieved.
The assessment process should be documented rigorously. Key questions to work through include: what information was involved and how sensitive is it; who may have accessed or received it; what harm could realistically result; and what technical or organisational controls were in place. Engaging your incident response team, legal counsel, and privacy officer in parallel from the outset is far more effective than a sequential handoff between teams. Organisations that invest in the Essential Eight maturity model as a baseline tend to have better visibility into their environment, which directly shortens assessment timelines after a suspected breach.
Notifying the OAIC and affected individuals
Once an organisation determines that an eligible data breach has occurred, it must notify the OAIC and the affected individuals as soon as practicable. The OAIC notification is submitted via the Commissioner's online portal and must include the identity and contact details of the organisation, a description of the breach, the kinds of information involved, and the steps the organisation recommends individuals take in response.
Notifying affected individuals directly is required unless the direct notification itself would be impossible or involve disproportionate effort, in which case the organisation must publish a prominent notice on its website and take reasonable steps to publicise it. The "disproportionate effort" carve-out is narrower than many organisations assume. It does not apply simply because contacting a large number of people is inconvenient or expensive.
The content of the individual notification matters. Generic boilerplate that fails to explain what happened and what the person should do is unlikely to satisfy the Commissioner and will almost certainly damage trust further. Concrete recommendations, such as changing passwords, monitoring financial accounts, or placing a credit alert, are far more useful than vague reassurances.
OAIC enforcement and recent trends
The OAIC publishes a quarterly Notifiable Data Breaches Report that provides a clear picture of where breaches are coming from and which sectors are most affected. Health, finance, and legal services have consistently appeared at the top of the sectoral breakdown. Malicious or criminal attacks remain the leading cause, with phishing and compromised credentials accounting for a significant share. Human error, particularly the misdirection of emails containing personal information, continues to feature prominently as well.
The Commissioner has enforcement powers that include issuing determinations, accepting undertakings, and seeking civil penalties through the courts. While penalty actions have historically been reserved for the most serious failures, the trajectory of Privacy Act reform points toward a more assertive enforcement posture. Organisations that delay assessments, under-notify, or fail to implement adequate post-breach remediation are the most exposed. The same reform process is also expanding the categories of information considered sensitive and tightening requirements around automated decision-making, so the overall compliance surface area is growing.
For organisations looking at the broader labour market implications of building internal privacy and security capability, the cyber security jobs market in Australia gives useful context on where skills are concentrated and what it costs to retain them.
Building a breach-ready organisation
The best time to prepare for a notifiable data breach is well before one happens. A documented incident response plan that includes specific NDB assessment steps, defined decision-makers, pre-approved notification templates, and a communication chain reaching senior leadership and the board is the minimum baseline. Tabletop exercises that walk the team through a realistic breach scenario will expose gaps in the plan far more efficiently than discovering them mid-incident.
Privacy impact assessments on new products and systems, combined with a data inventory that maps what personal information you hold and where it lives, make the 30-day assessment window far more achievable. Organisations that cannot quickly answer "what data do we hold about our customers and where is it stored?" will struggle to complete a credible assessment under time pressure.
Encryption of personal information at rest and in transit, robust access controls, and multi-factor authentication all reduce both the likelihood of a breach occurring and the severity of the harm if one does, which in turn affects whether the serious-harm threshold is met. These are not just good hygiene practices: they are directly relevant to whether a given incident becomes a notifiable one.
Key steps at a glance
- Confirm whether your organisation is covered by the NDB scheme, including any sector-specific inclusions.
- Establish a clear internal trigger for beginning a breach assessment (reasonable grounds to suspect, not confirmed certainty).
- Complete the assessment within 30 days, with thorough documentation throughout.
- If the breach is eligible, notify the OAIC and affected individuals as soon as practicable.
- Ensure individual notifications are specific, actionable, and go beyond generic statements.
- Conduct a post-incident review and update controls, policies, and training accordingly.
- Maintain records of all breaches assessed, including those assessed as not eligible, to demonstrate a credible compliance process.
The NDB scheme is ultimately a transparency mechanism designed to give individuals agency when their personal information has been put at risk. Organisations that treat it as such, rather than as a reputational threat to be managed, tend to handle both the regulatory and the human dimensions of a breach more effectively. Getting the process right before an incident happens is the clearest path to getting it right when one does.