Notifiable Data Breaches in Australia: What Businesses Must Report and When

When something goes wrong with personal data — a ransomware attack, a misconfigured cloud server, a stolen laptop — there is a legal framework that determines what you must do and how quickly you must do it.

That framework is the Notifiable Data Breaches (NDB) scheme. If your business is covered by the Privacy Act 1988 (Cth) and an eligible data breach occurs, you are legally required to notify both the Office of the Australian Information Commissioner (OAIC) and the individuals affected. Getting this right matters. Getting it wrong can attract civil penalties whose maximum for a corporation is the greater of $50 million, three times the benefit obtained from the conduct, or 30% of adjusted turnover for the relevant period, as well as reputational damage that no marketing budget can undo.

This article explains who is covered, what constitutes an eligible data breach, what the 30-day assessment window actually means, how to notify the OAIC, and what you should be doing now to prepare — before a breach happens.


What Is the Notifiable Data Breaches Scheme?

The Notifiable Data Breaches scheme is established under Part IIIC of the Privacy Act 1988 (Cth). It commenced on 22 February 2018 and requires entities subject to the Privacy Act to notify the OAIC and affected individuals whenever an eligible data breach occurs.

The scheme exists to give Australians meaningful visibility when their personal information has been compromised. Before 2018, there was no mandatory obligation to disclose a breach — businesses could handle incidents internally without ever informing the people whose data was exposed. The NDB scheme changed that, bringing Australia into line with international standards and giving the OAIC enforcement teeth.

The scheme applies to any entity that must comply with the Australian Privacy Principles (APPs) under the Privacy Act. Any entity bound by the APPs is also bound by the NDB scheme's notification obligations when an eligible breach occurs.

The OAIC is the regulatory body responsible for overseeing compliance. Its guidance is published at oaic.gov.au/privacy/notifiable-data-breaches and updated regularly as enforcement practice evolves.


Does the NDB Scheme Apply to Your Business?

Not every Australian business is automatically covered by the Privacy Act — but more are than many business owners realise, and the threshold categories have expanded.

Businesses with annual turnover of more than $3 million are covered by the Privacy Act as a general rule. The threshold is not assessed entity by entity in isolation: a company that is related to a larger body corporate which is not a small business is covered as well, regardless of its own turnover.

However, turnover alone does not determine coverage. A number of entities are covered by the Privacy Act regardless of their turnover, including:

  • Health service providers: general practices, allied health clinics, pharmacies, gyms that hold health information, and aged care providers, among others
  • Tax file number (TFN) recipients: any entity that holds, uses, or discloses TFN information. For a TFN recipient that would otherwise be a small business, coverage is limited to its handling of TFN information
  • Credit reporting bodies and credit providers: including small businesses that provide consumer credit or trade credit, in relation to the credit information they handle
  • Commonwealth government contractors: businesses that enter into contracts with Commonwealth agencies that require them to handle personal information
  • Businesses that opt in voluntarily: entities below the $3 million threshold can choose to opt in to Privacy Act coverage

Additionally, some businesses below the $3 million threshold may still have obligations in specific circumstances — for instance, if they operate in sectors with industry-specific requirements or hold particularly sensitive categories of personal information.

The Privacy and Other Legislation Amendment Act 2024, which passed Parliament in late November 2024 and received assent on 10 December 2024, expanded the Privacy Act's reach in meaningful ways. Among its changes was a statutory tort for serious invasions of privacy (in force from June 2025), giving individuals a direct right of action in court. The tort applies to the defendant's conduct rather than to Privacy Act coverage, so it can reach entities that are otherwise outside the Act. It operates independently of the NDB scheme but signals the direction clearly: privacy accountability is increasing.

If you are uncertain whether your business is covered, consult a legal advisor or review the OAIC's eligibility guidance at oaic.gov.au. The consequences of incorrectly concluding you are exempt are considerably worse than the cost of getting proper advice.


What Is an "Eligible Data Breach"?

Not every security incident or data loss event is an eligible data breach under the NDB scheme. The definition is specific, and understanding it precisely determines whether your notification obligations are triggered.

An eligible data breach occurs when all three of the following criteria are met:

1. There has been unauthorised access to or disclosure of personal information — or personal information has been lost in circumstances where unauthorised access or disclosure is likely.

"Personal information" under the Privacy Act is information or an opinion about an identified individual or an individual who is reasonably identifiable, whether or not it is true and whether or not it is recorded in material form. It covers names, contact details, financial information, health information, employee records, and many other categories businesses routinely hold. "Unauthorised access" means access by someone not permitted to have it, whether an outsider or an employee acting outside their role. "Unauthorised disclosure" means personal information is made available or visible to another person without consent or lawful authority. Loss of personal information (a misplaced device or a misdirected file, for example) counts only if unauthorised access or disclosure is likely to result.

2. A reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any individual whose information was involved.

The test is objective: would a reasonable person, in full possession of the facts, conclude that serious harm to at least one individual is likely? "Serious harm" includes physical, psychological, financial, and reputational harm. The type of information involved is highly relevant. Categories whose exposure is likely to cause serious harm include:

  • Health and medical records (particularly in a mental health, reproductive health, or addiction context)
  • Financial account credentials, credit card numbers, or banking access codes
  • Identity documents (passport numbers, driver licence numbers, Medicare numbers)
  • Contact information about individuals in a domestic violence or personal safety context
  • Combinations of information that, taken together, enable identity fraud

3. The entity has not been able to prevent the likely occurrence of serious harm through remedial action.

If an entity takes remedial action that effectively prevents serious harm from occurring, the breach may not be eligible. The critical word is "prevents" — remedial action must actually stop the harm, not merely reduce its likelihood.

Examples of eligible data breaches

  • A ransomware attack that exfiltrates customer records containing names, contact details, and payment information before encrypting the server
  • An employee laptop stolen from a vehicle, containing unencrypted client files with health information and financial account details
  • An email sent to the wrong recipient containing a spreadsheet of client personal information — particularly if the recipient is unknown or the email cannot be recalled before being read
  • A contractor's database exposed publicly due to misconfigured cloud storage, containing records of thousands of individuals
  • A business email compromise attack that results in sensitive personal information being disclosed to a threat actor impersonating a trusted party

Examples that may not be eligible data breaches

  • A laptop lost in transit that was encrypted with full-disk encryption and was remotely wiped before any unauthorised access could have occurred — remedial action prevented likely harm
  • An accidental internal access event (for example, an employee viewing a file they should not have accessed) that was immediately discovered, remediated, and where there is no indication the information was copied, used, or disclosed externally

The distinction between these examples is not always clean. Real incidents often involve facts that cut both ways, and a careful assessment — not a snap judgment — is required.


The 30-Day Assessment Window

This is the single most common misunderstanding about the NDB scheme, and getting it wrong can itself create a compliance breach.

You do not have 30 days from the date of a breach to notify the OAIC. You have 30 days to complete an assessment of whether a breach is eligible.

The notification obligation runs on a different timeline: once you have concluded (through assessment) that a breach is eligible, you must notify the OAIC and affected individuals as soon as practicable.

Here is how the process works in practice:

Step 1 — Become aware of a potential data breach. The 30-day clock for assessment starts when your organisation becomes aware that there are reasonable grounds to suspect that an eligible data breach may have occurred. Awareness is measured at the organisation level: if an employee or officer learns of the suspicious event in the course of their work, the entity is generally taken to be aware from that point, whether or not the information has reached management. Slow internal escalation therefore consumes the 30 days rather than delaying the start of the clock.

Step 2 — Conduct an assessment. The assessment must be reasonable and expeditious. Investigate what happened, what data was involved, how many individuals are affected, and whether serious harm is likely. Document the process carefully — the OAIC expects proper investigations, not perfunctory ones.

Step 3 — Reach a conclusion. If the assessment concludes the breach is eligible, notification follows as soon as practicable. If not eligible, document the reasons and retain those records. Regulators may later review your reasoning.

What if you need more time? The 30-day window is not a safe harbour, and it is not a waiting period either. The obligation is to take all reasonable steps to complete the assessment within 30 days; if it runs longer without good reason, you may already be in breach of your NDB obligations. Equally, if at any point during the assessment you have reasonable grounds to believe (not merely suspect) that an eligible data breach has occurred, the notification obligation is triggered then, and you must notify as soon as practicable rather than use up the remainder of the 30 days. Where a breach is complex and forensic investigation is required, seek legal guidance and consider notifying the OAIC proactively while the full scope is still being determined; the statement can be updated as the facts emerge.

OAIC-directed notification. If the Commissioner becomes aware, for example through a complaint or credible information, that there are reasonable grounds to believe an eligible data breach has occurred, the Commissioner can direct the entity to prepare a notification statement and notify affected individuals. A business that chooses not to investigate or notify can therefore be compelled to do so.


How to Notify the OAIC

If your assessment concludes that an eligible data breach has occurred, you must submit a notification statement to the OAIC. This is done through the online breach notification form available at oaic.gov.au.

The statement must include:

  • Entity details: your organisation's name, ABN or ACN, and contact details
  • Description of the breach: what happened, how it happened, when it occurred and when it was discovered
  • Kinds of personal information involved: the categories of data affected (for example names, financial details, health records)
  • Individuals at risk: how many individuals are affected and what groups they belong to
  • Recommendations for individuals: the steps affected individuals should take to protect themselves

The OAIC publishes guidance on what constitutes a complete and compliant notification. Incomplete notifications are not treated as having satisfied the requirement — so take care to address all required elements.


What to Include in Notification to Affected Individuals

Once the statement has been prepared, you must also notify individuals as soon as practicable. The Act gives three options: notify every individual whose information was involved; notify only those individuals at risk of serious harm; or, if neither is practicable, publish a copy of the statement on your website and take reasonable steps to publicise it. Where you contact individuals directly, use the method you normally use to communicate with them if that is practicable (typically email, or post if you hold only a postal address).

A compliant individual notification must include:

  • The name and contact details of your organisation, including a point of contact for further enquiries
  • A clear description of what occurred — what happened, what data was involved, and when
  • The kinds of personal information involved in the breach
  • Specific steps you recommend each individual take to protect themselves, for example:
    • Changing passwords for accounts that may have been compromised
    • Monitoring bank and credit card statements for unusual activity
    • Contacting their financial institution if banking credentials were exposed
    • Placing a credit alert with a credit reporting body if identity documents were involved
    • Contacting relevant authorities if safety is a concern

The notification should be clear, plain-language, and actionable. It should not be defensive or legalistic. Affected individuals need to understand what happened and what they should do — not absorb a wall of legal qualifications.

In limited circumstances notification to individuals is not required or may be delayed: for example, where an enforcement body reasonably believes notification would prejudice one of its enforcement-related activities, where another Commonwealth secrecy provision prevents it, or where the Commissioner makes a declaration to that effect on application. These exceptions are narrow. If you believe one applies, seek legal advice and engage with the OAIC directly.


Penalties for Non-Compliance

The OAIC has substantial enforcement powers, and the trend since 2022 has been toward more active use of them.

The most serious enforcement tool is civil penalties, which the OAIC obtains by applying to the Federal Court. Since the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, a serious interference with privacy can attract a penalty of up to the greater of $50 million, three times the benefit obtained from the conduct, or 30% of adjusted turnover for a corporation, and up to $2.5 million for an individual. These are maximum figures; the penalty actually imposed depends on severity, whether the entity cooperated, and whether the conduct was systemic or isolated.

Beyond civil penalties, the OAIC can investigate, make determinations (including orders to pay compensation), accept enforceable undertakings, and publish its findings. It also publishes aggregate NDB statistics twice a year, which do not name individual entities but do show regulators and the public where breaches are occurring and how quickly they are being reported.

High-profile enforcement has raised the bar. The Optus breach in September 2022 (9.8 million Australians affected) and the Medibank Private breach in October 2022 (9.7 million individuals, including sensitive health claims data) fundamentally shifted regulatory expectations. Both attracted regulatory action, class actions, and prolonged media scrutiny. Australian businesses can no longer treat data breach response as a quiet, internal matter.

The Privacy and Other Legislation Amendment Act 2024 did not raise the $50 million maximum (that came with the December 2022 amendments) but added a tiered regime beneath it: a mid-tier civil penalty for interferences with privacy that are not serious, and infringement notices for specified administrative breaches, alongside the statutory privacy tort. Cumulative exposure from regulatory penalties, civil litigation, and reputational damage makes proactive compliance the only sensible commercial position.


Preparing for a Breach Before It Happens

The businesses that handle data breach events best are the ones that have prepared for them before they occur. Preparation does not guarantee you will avoid a breach — no controls are perfect — but it determines how quickly you can detect, contain, assess, and notify, which in turn determines both legal compliance and practical harm minimisation.

Know what personal information you hold and where it lives. You cannot assess a breach involving data you did not know you held. Conduct a personal information audit: map what categories of personal information your business collects, where it is stored (cloud platforms, local servers, endpoint devices, third-party systems), who has access, and how long it is retained. This is the foundation of any meaningful data governance posture.

Implement a data breach response plan before you need one. A cyber incident response plan is not a luxury for large enterprises — it is a basic operational requirement for any business that holds personal information. The plan should define roles and responsibilities, internal escalation paths, external notification obligations, and communication templates. When a breach occurs at 11pm on a Friday, you do not have time to work out who to call first.

Train staff to identify and escalate potential breaches immediately. Many breaches are discovered by employees — a suspicious email, a missing laptop, a customer who calls to say they received someone else's information. Staff need to know what a potential breach looks like and how to escalate it. Delayed internal escalation is one of the most common causes of NDB compliance failures.

Appoint a privacy officer or designate clear responsibility. Someone needs to own data breach response. In larger businesses, this may be a formal Privacy Officer role. In smaller businesses, a designated person is sufficient — but the designation must be explicit, documented, and backed by the authority to act. Without clear ownership, incidents get referred sideways until 30 days have passed.

Ensure your IT systems make breaches detectable. You cannot assess a breach you never knew about. Logging, security monitoring, and endpoint detection tools are not just cybersecurity investments — they are NDB compliance infrastructure. Implementing the Essential Eight controls (the Australian Signals Directorate's baseline framework) will both reduce breach likelihood and improve your ability to detect and investigate any incident that does occur.

Review your supply chain. Third-party vendors who handle personal information on your behalf do not remove your NDB obligations. Where more than one entity holds the same personal information and it is breached, each of them is obliged to assess and notify, although if one entity notifies in compliance with the scheme the others are taken to have complied. Contracts should therefore require suppliers to maintain adequate security controls, to tell you promptly of any suspected breach involving your data, and to agree in advance which party will notify, so that the 30-day clock is not consumed by arguing about it.


How Pickle Helps with Data Breach Prevention and Response

Meeting your NDB obligations is not just a legal exercise — it depends fundamentally on the quality of your IT security infrastructure. You cannot detect a breach if you have no monitoring. You cannot assess one quickly if your systems have no logging. You cannot prevent one without endpoint protection and access controls in place.

Pickle's managed IT services for Australian SMBs, strata buildings, and commercial properties are built around the controls that matter most for both breach prevention and breach response.

Endpoint protection. Pickle deploys and manages endpoint detection and response (EDR) tooling that monitors device activity in real time, flags anomalous behaviour, and contains threats before they spread — the layer most likely to catch a breach in progress before it becomes a disclosure event.

Security monitoring. The 30-day assessment window cannot start, let alone finish, until someone knows that something has happened. Pickle's monitoring services give you that awareness: when an alert fires, your team knows about it, and so does ours. Faster detection means more of the window is available for assessment and remediation.

Backup and recovery. In a ransomware event, whether notification is required depends in part on forensic evidence about what data was accessed. Robust backup architectures, combined with proper logging, help establish the scope of an incident and ensure business continuity even when data has been compromised.

Multi-factor authentication (MFA) deployment. A significant proportion of data breaches involve compromised credentials. MFA breaks the attacker's path: a stolen password alone is not enough. Pickle deploys and manages MFA across cloud platforms, remote access, and business applications.

Response support. When an incident occurs, Pickle's team works alongside you to contain it, preserve forensic evidence, and establish what data was accessed. Faster containment and clearer incident timelines directly support your ability to complete an assessment within the 30-day window.

If you are not confident your current IT setup gives you visibility into what is happening on your systems, talk to us.

Call 1300 688 588 or email [email protected] to speak with the Pickle team.


Frequently Asked Questions

Q: Does the NDB scheme apply to my small business if our turnover is under $3 million?

A: Possibly. The Privacy Act and NDB scheme apply to businesses with annual turnover above $3 million as a general rule, but a number of categories are covered regardless of turnover — including health service providers of any size, tax file number recipients, credit providers, and Commonwealth government contractors. Even below the threshold, state and territory privacy laws or industry-specific obligations may apply, and businesses can voluntarily opt in. If you are unsure, consult a legal advisor or the OAIC's eligibility guidance.

Q: What is the difference between a data breach and an eligible data breach?

A: A data breach is any incident involving unauthorised access to, disclosure of, or loss of personal information. An eligible data breach is a specific legal category that additionally requires the access or disclosure to be likely to result in serious harm to any affected individual, and that the harm cannot be prevented by remedial action. Not all data breaches are eligible — the assessment process is how you determine which category applies.

Q: Can we avoid notifying individuals if we fix the problem quickly?

A: Remedial action can prevent a breach from becoming an eligible data breach — but only if it actually prevents the likely occurrence of serious harm, not merely reduces it. If data has already been accessed, exfiltrated, or disclosed, remediation after the fact does not eliminate the notification obligation. The test is whether harm is prevented, not whether the breach itself is contained. This assessment must be honest and documented.

Q: What happens if we don't notify the OAIC when we should have?

A: Failing to notify when required constitutes an interference with privacy under the Privacy Act. The OAIC can investigate, make determinations, apply to the Federal Court for civil penalties (for a corporation, up to the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover), publish its findings, and accept enforceable undertakings. The reputational consequences of being identified as an entity that failed to notify are also significant. The correct path is always to assess carefully and notify when the assessment requires it.

Q: Does a ransomware attack always trigger NDB notification obligations?

A: Not automatically — but in many cases, yes. The key question is whether personal information was accessed or exfiltrated, and whether that access is likely to result in serious harm. Modern ransomware attacks increasingly involve data exfiltration before encryption: the attacker copies your data out of your environment before locking it. If that has occurred, notification obligations are very likely triggered. If the attack was purely an encryption event and forensic evidence confirms no data was copied or accessed, the picture is less clear. Do not assume that because you paid a ransom or restored from backup that no notification is required — careful forensic investigation and legal advice should inform the conclusion.