Data & Privacy · 20 March 2025 · 7 min read

Notifiable Data Breaches: A Plain-English Guide for Australian Small Businesses

If your business suffers a data breach in Australia, you may have legal obligations to report it. Here's a plain-English explanation of the Notifiable Data Breaches scheme and what it means for you.


Data breaches happen to businesses of every size. A phishing email that compromises a staff email account, a laptop left on a train, a cloud storage folder accidentally set to public — any of these can result in personal information being accessed by someone who shouldn't have it. When that happens, you may have legal obligations under Australia's Notifiable Data Breaches (NDB) scheme.

This guide explains what the NDB scheme is, whether it applies to your business, what you need to do if you suspect a breach, and how to stay compliant.

What Is the Notifiable Data Breaches Scheme?

The Notifiable Data Breaches scheme is part of the Privacy Act 1988 and has been in operation since February 2018. It requires covered organisations to notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm to those individuals.

The scheme exists to ensure that people whose personal information has been compromised can take steps to protect themselves — such as monitoring for identity theft, changing passwords, or alerting their financial institution. Regulators around the world have found that businesses left to their own devices often prefer to keep breaches quiet; mandatory notification requirements change that calculus.

Does the NDB Scheme Apply to Your Business?

The scheme applies to organisations covered by the Privacy Act. This generally includes:

  • Businesses with an annual turnover of more than $3 million
  • Health service providers regardless of size (including sole-trader practitioners)
  • Businesses that trade in personal information
  • Businesses related to Australian Government agencies
  • Credit reporting bodies and certain financial service providers
  • Operators of certain online services that collect personal information from children

If your business currently sits below the $3 million turnover threshold and doesn't fall into one of the above categories, you may not be covered by the Privacy Act today — but this is changing. The Australian Government has signalled its intention to extend Privacy Act coverage to more small businesses as part of ongoing reforms, so it's worth understanding the scheme now regardless of your current status.

What Is an "Eligible Data Breach"?

Not every incident involving personal information triggers a notification obligation. An eligible data breach has three elements:

  1. Unauthorised access, disclosure, or loss of personal information held by your organisation
  2. The breach is likely to result in serious harm to one or more affected individuals
  3. You have not been able to prevent the likely serious harm through remedial action

The "serious harm" test is important. Not every data breach meets this threshold. Examples of incidents that are more likely to constitute eligible data breaches include:

  • Unauthorised access to financial or health records
  • Exposure of identity documents such as passports or driver's licences
  • Compromise of credentials that could enable identity theft or fraud
  • Ransomware attacks that expose customer databases

What Are Your Obligations When a Breach Occurs?

The 30-Day Assessment Window

When you become aware of an incident that may be an eligible data breach, you have 30 days to complete an assessment of whether it meets the threshold for notification. This assessment should be documented — you need to be able to demonstrate that you assessed the breach systematically and reached a reasoned conclusion.

During this 30-day window, you should:

  • Contain the breach (stop further unauthorised access or disclosure)
  • Identify what information was involved and who is affected
  • Assess whether the breach is likely to result in serious harm
  • Determine whether remedial action can prevent that harm

Notifying the OAIC

If the breach is assessed as eligible, you must notify the OAIC using the Notifiable Data Breach form available at oaic.gov.au. The notification must include:

  • Your organisation's contact details
  • A description of the breach (what happened, when, and how)
  • The types of personal information involved
  • What steps you have taken in response
  • Recommendations for affected individuals on how to protect themselves

Notifying Affected Individuals

In most cases, you must also notify the individuals whose information was involved — as soon as practicable. The notification must include the same key information you provided to the OAIC, plus specific recommendations for what affected individuals should do. Where it's not practicable to notify individuals directly (for example, because you don't have their current contact details), you may instead publish a notice on your website.

What to Do Before a Breach Happens

The businesses that handle data breaches best are those that have prepared for them in advance. Before an incident occurs, your business should have:

  • A data register — knowing what personal information you hold, where it is, and who has access to it
  • An incident response plan — a written procedure for who does what when a breach is suspected, including who is responsible for the assessment
  • Contact details for the OAIC and your legal adviser on hand
  • Staff awareness — your team should know how to recognise and report a potential breach, and understand that swift reporting internally is critical to meeting the 30-day window
  • Technical controls that reduce the likelihood and impact of a breach — including MFA, access controls, and encryption of sensitive data

The ACSC's guidance on data breach response, available at cyber.gov.au, provides a practical framework for building your incident response process.

Recent Enforcement in Australia

The OAIC has become increasingly active in enforcing the NDB scheme. High-profile investigations into Medibank, Optus, and other organisations have resulted in regulatory action and, in some cases, significant penalties. The Privacy Act amendments introduced in recent years have also strengthened the OAIC's enforcement powers and increased maximum penalties substantially.

Even for smaller businesses, a failure to assess and report an eligible breach — or to notify affected individuals — can result in an investigation, a public determination, and reputational damage that far exceeds any cost of compliance.

Key Takeaways

  • The Notifiable Data Breaches scheme requires covered organisations to notify the OAIC and affected individuals when a data breach is likely to cause serious harm.
  • The scheme currently applies mainly to businesses with turnover above $3 million and health service providers, but reforms may extend this to more businesses.
  • You have 30 days to assess whether an incident is an eligible breach — this window starts when you become aware of the incident.
  • Preparation is key: a data register, an incident response plan, and staff awareness training are essential before a breach occurs.
  • The OAIC has strengthened its enforcement capability, and penalties for non-compliance have increased significantly.

Concerned about your business's readiness to handle a data breach? Take the free cyber risk assessment at flagged.com.au to identify gaps in your data protection controls and incident response capability before you're put to the test.


Frequently asked questions

Does the Notifiable Data Breaches scheme apply to my small business?

The NDB scheme applies to organisations covered by the Privacy Act 1988 — primarily those with an annual turnover of more than $3 million, as well as smaller businesses in certain sectors (health service providers, businesses that sell or buy personal information, businesses related to Australian Government agencies, and operators of certain online services). However, the Australian Government has proposed extending the Privacy Act to cover more small businesses, so it's worth checking your current obligations even if you're currently below the threshold.

What counts as an "eligible data breach" under the NDB scheme?

An eligible data breach occurs when: (1) there is unauthorised access to, disclosure of, or loss of personal information held by your organisation; (2) the breach is likely to result in serious harm to one or more individuals; and (3) you have not been able to prevent the likely serious harm through remedial action. Not every data incident is a notifiable breach — a lost USB drive that is immediately recovered and confirmed not accessed, for example, may not meet the threshold. But you must assess each incident against these criteria within the 30-day assessment window.

What happens if I don't report an eligible data breach to the OAIC?

Failure to report an eligible data breach is a breach of the Privacy Act 1988, which can result in regulatory action by the Office of the Australian Information Commissioner (OAIC). The OAIC has the power to investigate, make determinations, and seek civil penalties. The maximum civil penalty for serious or repeated interferences with privacy is now $50 million or higher for large organisations, and proportionate penalties apply for smaller businesses. Beyond penalties, failure to notify affected individuals can significantly damage customer trust and expose your business to reputational harm.

Tags: notifiable data breaches, NDB scheme, Privacy Act, OAIC, Australia, data breach