Australia's Notifiable Data Breaches Scheme Explained
If your business suffers a data breach, you may be legally required to notify the OAIC and affected individuals. Here's what small businesses need to know.
In February 2018, Australia introduced the Notifiable Data Breaches (NDB) scheme — a law that requires certain organisations to notify both the Office of the Australian Information Commissioner (OAIC) and the individuals affected when a "serious" data breach occurs. For many small business owners, this law flies well under the radar. But the consequences of not knowing about it — or ignoring it — can be severe. Here's a plain-English guide to what the NDB scheme means for your business.
What Is the NDB Scheme?
The Notifiable Data Breaches scheme is part of the Privacy Act 1988 and is administered by the OAIC. It applies to organisations that are required to comply with the Australian Privacy Principles (APPs) — which means organisations with an annual turnover of more than $3 million, as well as certain smaller organisations in specific sectors (health service providers, credit reporting bodies, businesses that trade in personal information, and some others).
The scheme requires these organisations to notify the OAIC and affected individuals when an eligible data breach occurs. But what counts as an eligible data breach? Not every incident will trigger the notification requirement.
What Is an "Eligible Data Breach"?
A breach is "eligible" (and therefore must be notified) when three things are all true:
- There has been unauthorised access to, or disclosure of, personal information — or personal information has been lost in circumstances where such access or disclosure is likely
- The breach is likely to result in serious harm to one or more individuals whose information was involved
- You haven't been able to prevent the likely serious harm through remedial action taken after the breach
"Serious harm" can include identity theft, financial harm, physical harm, serious psychological harm, serious reputational harm, or other serious consequences. Factors the OAIC considers include the nature and sensitivity of the information, who might access it, and what they could do with it.
Examples of Likely Eligible Breaches
- A laptop containing unencrypted customer financial records is stolen
- A hacker accesses your customer database and exfiltrates names, email addresses, and credit card numbers
- A staff member accidentally emails a customer list to the wrong person
- A ransomware attack encrypts files containing sensitive client data
Examples That May NOT Be Eligible
- A staff member accesses a file they shouldn't have, but the file contained only non-sensitive business information
- A device is lost but was fully encrypted and remotely wiped before any access could occur
- An email with non-sensitive information is sent to the wrong address
The key question is always: could this realistically cause serious harm to any individual?
What Are Your Obligations If a Breach Occurs?
If you believe an eligible data breach has occurred, the NDB scheme sets out a clear process:
1. Assess the Situation (Within 30 Days)
If you suspect a breach but aren't certain, you have 30 days to carry out a "reasonable and expeditious" assessment of whether an eligible data breach has occurred. This means acting promptly — not waiting weeks before you start investigating.
2. Notify the OAIC
Once you've confirmed an eligible data breach, you must notify the OAIC as soon as practicable. You do this by submitting a Data Breach Notification Form through the OAIC's online portal at oaic.gov.au. The notification must include:
- Your organisation's details
- A description of what happened
- The kinds of information involved
- The number of individuals affected (or a best estimate)
- Recommendations for what affected individuals should do to protect themselves
3. Notify Affected Individuals
You must also notify the individuals whose information was involved — or, if that's not reasonably practicable, publish a notice on your website. The notification should be clear, in plain language, and include the same core information you provided to the OAIC, plus specific recommendations for protective steps those individuals can take.
What Happens If You Don't Comply?
Failing to notify when required is a serious breach of the Privacy Act. The OAIC can investigate, and in serious or repeated cases, penalties can be significant. Following the Privacy Act amendments that came into force in 2023, the maximum penalty for a serious or repeated privacy breach is $50 million for companies (or a formula based on turnover or benefit obtained, if higher) and $2.5 million for individuals. While these maximum penalties are aimed at larger cases, the reputational and regulatory risk for small businesses is real.
Beyond formal penalties, failing to notify individuals of a breach can cause them ongoing harm that could have been mitigated — which creates additional legal exposure through civil action.
Even If You're Currently Exempt — Read This
Many small businesses with a turnover under $3 million are currently exempt from the NDB scheme. However, there are important caveats:
- The Australian Government has been considering extending the Privacy Act to cover more small businesses. Legislative changes could affect you.
- If you hold any health information (even just employee health records), you may already be covered as a "health service provider."
- If you provide services to organisations that are covered by the NDB scheme, your contracts may impose notification obligations on you anyway.
- Even if you're not legally required to notify, doing so voluntarily is often the right thing to do for your customers — and better for your reputation in the long run.
Practical Steps to Prepare Now
You shouldn't wait for a breach to happen before you know what to do. Prepare in advance by:
- Knowing whether your business is currently covered by the NDB scheme
- Having a written incident response plan that includes NDB notification steps
- Making sure someone in your business has the OAIC's contact details and knows the 30-day assessment requirement
- Keeping a record of any security incidents, even minor ones — this shows the OAIC you're taking your obligations seriously
- Encrypting personal data where possible, so that device theft doesn't automatically trigger a notification obligation
Key Takeaways
- The NDB scheme requires covered organisations to notify the OAIC and affected individuals of eligible data breaches.
- A breach is "eligible" if it involves unauthorised access to personal information and is likely to cause serious harm to individuals.
- You have 30 days to assess whether a suspected breach is eligible, then must notify as soon as practicable.
- Penalties for non-compliance can be substantial — and the reputational damage is often worse.
- Even if you're currently exempt (turnover under $3 million), exemptions may change — and contractual obligations may already apply.
- Prepare an incident response plan now, before you need it.
Understanding your data breach obligations starts with understanding what data you hold and how well it's protected. The free assessment at flagged.com.au helps you map your data risks and identify gaps that could leave you exposed — and unprepared — if a breach occurs.