What the Notifiable Data Breaches Scheme is

The Notifiable Data Breaches (NDB) Scheme operates under Part IIIC of the Privacy Act 1988 (Cth) and has been in force since 22 February 2018. It requires certain organisations to notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm.

Before the scheme existed, organisations could quietly manage data breaches internally without telling anyone. The NDB Scheme changed that. The underlying logic is straightforward: if your data has been compromised, the people whose data it is have a right to know so they can take steps to protect themselves.

The scheme does not require notification for every breach, only those meeting a specific threshold. Understanding that threshold is the key to understanding your obligations.

Who it applies to

The NDB Scheme applies to any entity covered by the Privacy Act. That includes:

  • Australian Government agencies
  • Businesses and not-for-profits with an annual turnover of more than $3 million
  • Health service providers of any size
  • Credit reporting bodies and credit providers
  • Tax file number recipients
  • Businesses that sell or purchase personal information
  • Entities providing accredited services under the Digital ID scheme

Important for early-stage startups
If your annual turnover is under $3 million, you may not currently be covered by the Privacy Act and therefore not subject to the NDB Scheme. But this exemption disappears the moment you cross that threshold, and some activities - like handling health information or trading in personal data - bring you into scope regardless of turnover. It is worth checking your position early, not after a breach.

The Australian Government has signalled its intention to remove the small business exemption entirely as part of broader Privacy Act reforms. If those reforms pass, the NDB Scheme will apply to significantly more businesses than it does today.

What triggers a notification obligation

Not every data breach requires notification. The trigger is an eligible data breach, a specific term with a specific legal meaning.

A data breach occurs when personal information held by your organisation is subject to:

  • Unauthorised access - someone who should not have access to the information gains access to it
  • Unauthorised disclosure - information is shared with someone who should not receive it
  • Loss - information is lost in circumstances where unauthorised access or disclosure is likely to occur

Common real-world examples include a hacking or ransomware attack, an employee emailing a client list to the wrong recipient, a laptop containing customer data being stolen, a misconfigured cloud storage bucket exposing personal information, or a third-party vendor suffering a breach that exposes your customers' data.

What makes a breach "eligible"

A data breach only becomes an eligible data breach and therefore notifiable if it meets two conditions:

  1. There has been unauthorised access to, unauthorised disclosure of, or loss of personal information
  2. The breach is likely to result in serious harm to one or more individuals whose information was involved

The serious harm test is the critical filter. It requires an objective assessment from the perspective of a reasonable person in the organisation's position with knowledge of the incident. Importantly, this is not assessed from the perspective of the affected individual. Serious harm includes physical, psychological, emotional, financial, and reputational harm.

The word "likely" in this context means more probable than not, not merely possible.

Factors relevant to the serious harm assessment

The legislation sets out a non-exhaustive list of factors relevant to assessing whether serious harm is likely:

  • The kind and sensitivity of the information involved - health, financial, and identity documents carry higher risk than basic contact details
  • Whether the information is protected by security measures, and how likely those measures are to be overcome - including whether the encryption method meets an industry-recognised standard and whether the encryption key was also compromised
  • Who accessed or could access the information, and whether they are likely to intend harm
  • Whether the information could be combined with other data to enable harm
  • The number of individuals affected - a high volume generally increases the likelihood that at least one person suffers serious harm
  • The period of time the information was accessible
  • The nature of the harm that could flow from the breach, including identity theft, financial loss, reputational damage, or physical safety risks
| Breach type | Likely eligible? | Notes |
|---|---|---|
| Ransomware attack - customer personal information encrypted and exfiltrated | Very likely | Absence of evidence of exfiltration is not enough to rule it out. OAIC guidance confirms a formal assessment is generally required. |
| Email sent to wrong recipient - includes full customer records | Likely | Depends on the sensitivity of the data and the recipient |
| Laptop stolen - contains encrypted customer data | May not be | Encryption to an industry-recognised standard may negate serious harm risk, provided the encryption key was not also compromised |
| Third-party vendor breach - your customer data exposed | Likely | The entity that disclosed the data to the vendor retains the notification obligation |
| Internal access by former employee to HR records | Likely | Unauthorised access to sensitive employment data |
| Accidental deletion of data - no external exposure | Unlikely | No unauthorised access or disclosure - generally will not meet the threshold |

The 30-day timeline explained

Once you become aware that there are reasonable grounds to suspect an eligible data breach may have occurred, the clock starts. You have 30 days to complete an assessment and determine whether you are in fact dealing with an eligible data breach.

The 30-day clock starts when you have reasonable grounds to suspect a breach, not when you confirm one. An organisation should not strategically avoid receiving information or delay its awareness to push back that clock.

If your assessment confirms an eligible data breach, you must notify as soon as practicable. There is no additional grace period after the assessment concludes. The Federal Court found in AIC v Australian Clinical Labs Ltd that it was practicable to provide a statement to the Commissioner within two to three days of forming the reasonable belief that an eligible data breach had occurred.

  1. Day 0 - Breach discovered or suspected. Your organisation becomes aware of facts that give reasonable grounds to suspect an eligible data breach may have occurred. The 30-day assessment window opens immediately.
  2. Days 1 to 30 - Conduct your assessment. Investigate whether an eligible data breach has occurred. Document your process. Determine the kind and volume of information involved, who was affected, and whether serious harm is likely. The assessment must be reasonable and expeditious.
  3. As soon as practicable - Notify the OAIC and affected individuals. If your assessment confirms an eligible data breach, notify the OAIC by submitting a statement online, and notify affected individuals directly or via a public statement where direct notification is not practicable.
  4. Ongoing - Remediate and document. Take steps to contain the breach and prevent further harm. Document everything. The OAIC may follow up, and your documentation will be central to any investigation.

What your notification to the OAIC must include

The statement you submit to the OAIC must include:

  • Your organisation's identity and contact details
  • A description of the eligible data breach, including when it occurred or the date range, when you detected it, the circumstances of the breach, and what steps you have taken to contain or remediate it
  • The specific kinds of information involved - not a general reference to "ID documents" but the particular types, such as passport numbers or driver's licence numbers
  • The number of individuals affected, or an estimate if the exact number is not known
  • Recommendations about the steps affected individuals should take in response

The OAIC provides an online notification form. The quality of what you put in it matters. A vague or incomplete notification can invite further scrutiny, and the recommendations to individuals are assessed for whether they are genuinely useful rather than performative.

What you must tell affected individuals

You must notify affected individuals as soon as practicable after completing your statement to the OAIC. The scheme gives you three options depending on what is practicable in the circumstances:

  • Notify all affected individuals - this may be the simplest approach where a high volume of individuals are affected and it is not possible to assess which specific individuals are at risk of serious harm
  • Notify only those at risk of serious harm - a targeted approach that avoids notifying individuals who are not at risk, and may reduce cost
  • Publish a statement on your website - available where direct notification is not practicable, for example because individuals are unknown or contact information is out of date. The OAIC recommends keeping the statement live for at least six months

Where direct notification is used, you can notify using the methods you normally use to communicate with the individual - email, text, mail, or phone. The notification must include your organisation's identity and contact details, a description of the breach, the kind of information involved, and the steps you recommend affected individuals take to protect themselves.

Practical note
The recommended steps for individuals matter more than most entities treat them. If you are telling someone their financial information has been exposed, "monitor your accounts and consider placing a credit alert" is useful. "We apologise for any inconvenience" is not. The OAIC pays attention to whether notifications are genuinely informative or just compliance theatre.

When you do not have to notify

There are a limited number of circumstances where notification is not required. The list is exhaustive. If your situation does not fit one of these exceptions, the obligation to notify applies.

Remedial action taken before harm occurs

If you take action before the unauthorised access or disclosure results in serious harm, and a reasonable person would conclude the breach is no longer likely to result in serious harm, the incident is taken never to have been an eligible data breach. This is a narrow exception. It does not apply simply because you have patched the vulnerability or revoked access after the fact, and the burden of establishing it rests with you.

Another entity has already notified

Where an eligible data breach affects more than one entity - for example in an outsourcing or shared services arrangement - only one entity needs to notify. The Act does not specify which entity is responsible, so this should be addressed in contracts. Generally the entity with the most direct relationship with the affected individuals is best placed to notify.

An enforcement body exception applies

Where the affected entity is an enforcement body and its CEO reasonably believes that notifying individuals would prejudice enforcement-related activities, notification to individuals is not required. A statement to the OAIC is still required. This exception does not apply to breaches unrelated to enforcement activities.

A Commonwealth secrecy provision applies

An entity is not required to comply with the notification obligations where doing so would be inconsistent with a Commonwealth law that prohibits or regulates the use or disclosure of information. This exception applies only to the extent necessary to avoid the inconsistency.

The Commissioner grants an exemption or delay

An entity can apply to the Commissioner for an exemption from, or delay in, the notification obligations. This requires a formal written application to the OAIC with a detailed description of the breach and the reasons why notification should not occur or should be delayed. The Commissioner then decides whether to grant the declaration. This is not something the OAIC initiates on its own.

Penalties for non-compliance

Failing to comply with the NDB Scheme is an interference with the privacy of an individual and subject to enforcement action by the OAIC. The Commissioner can investigate on its own initiative, accept complaints from individuals, issue compliance notices and infringement notices, seek enforceable undertakings, and apply to the Federal Court for civil penalty orders.

Following amendments introduced by the Privacy and Other Legislation Amendment Act 2024 (POLA Act 2024), which received Royal Assent on 10 December 2024, the penalty framework now includes three tiers:

  • Serious interference with privacy - for corporations, the greater of $50 million, three times the value of any benefit obtained, or 30% of adjusted turnover in the relevant period
  • Interference with privacy (mid-tier) - up to 10,000 penalty units for a body corporate
  • Administrative breaches - up to 1,000 penalty units for a body corporate, including for non-compliant eligible data breach statements
A real example
In Australian Information Commissioner v Australian Clinical Labs Ltd, the Federal Court ordered Australian Clinical Labs to pay $5.8 million in civil penalties following a ransomware attack on its Medlab Pathology business. The court found that ACLL failed to conduct a reasonable and expeditious assessment and failed to notify the Commissioner as soon as practicable. Critically, ACLL relied solely on a third-party cybersecurity provider's limited assessment to conclude no eligible data breach had occurred. That was not enough. This was the first civil penalty ever ordered under the Privacy Act. Similar contraventions are now subject to significantly higher penalties under the POLA Act 2024.

Beyond regulatory penalties, the reputational cost of a poorly managed breach notification is often the more immediate commercial risk for a growing business.

How to prepare now

The businesses that handle data breaches well are almost always the ones that prepared before the breach happened. At a minimum, your organisation should have:

A data breach response plan

A documented process for identifying, assessing, containing, and notifying a breach. It should name who is responsible for each step, how decisions are escalated, and what the containment process looks like. The Federal Court's findings in ACLL highlighted inadequate cyber incident playbooks, insufficient testing, and poor staff training as contributing factors to the contravention. A plan that exists only on paper is not enough.

A data register

A clear picture of what personal information you hold, where it is stored, who has access, and which third parties process it on your behalf. You cannot assess the impact of a breach if you do not know what data you hold.

Contractual protections with vendors

If a third-party vendor suffers a breach that exposes your customers' data, you still carry the notification obligation. Your contracts with those vendors should require them to notify you promptly of any breach, give you the information you need to assess it, and cooperate with your response. This is what allows you to meet your 30-day window when the breach is not on your own systems.

A privacy policy that reflects reality

Your privacy policy should accurately describe the personal information you collect, why you collect it, how you hold it, and what happens in the event of a breach. A policy that has not been reviewed since the business launched is a liability, not a protection.

The bottom line
The NDB Scheme is not a compliance exercise for large enterprises. If you hold personal information and your turnover exceeds $3 million - or you handle health data, trade in personal information, or provide accredited digital ID services - it applies to you. The 30-day assessment window sounds reasonable until you are in the middle of a breach, managing a PR situation, and trying to work out what you are legally required to do. Prepare now.

Get fixed-fee legal advice on your privacy obligations

We help Australian founders and scale-ups with privacy policies, data breach response plans, and vendor contracts. Plain English. Fixed fees. No surprises.

This article is general information only and does not constitute legal advice. The law is complex and fact-specific. For advice specific to your circumstances, get in touch with a lawyer at Plumlaw.