
Australian Data Breach Notification Scheme: Complete 2026 Guide

Lunyb Security Team
10 min read

The Australian Data Breach Notification Scheme — formally known as the Notifiable Data Breaches (NDB) scheme — is one of the cornerstone obligations under the Privacy Act 1988. Since taking effect in February 2018, the scheme has reshaped how Australian organisations detect, assess, and disclose data breaches involving personal information. With penalties now reaching up to $50 million per breach following the 2022 reforms, understanding your obligations is no longer optional.

This comprehensive guide explains who the NDB scheme applies to, what counts as a notifiable breach, the strict 30-day assessment timeline, how to notify the Office of the Australian Information Commissioner (OAIC), and the practical steps your business should take in 2026.

What Is the Notifiable Data Breaches (NDB) Scheme?

The NDB scheme is a mandatory data breach notification regime established under Part IIIC of the Privacy Act 1988 (Cth). It requires organisations covered by the Privacy Act to notify affected individuals and the OAIC when a data breach is likely to result in serious harm to any individual whose personal information is involved.

The scheme has three core objectives:

  • Protect individuals by giving them the information needed to mitigate harm after a breach.
  • Improve transparency and accountability for organisations handling personal data.
  • Drive better security practices across Australian industry and government.

Who Must Comply With the Australian Data Breach Notification Scheme?

The NDB scheme applies to all entities subject to the Privacy Act 1988. This is broader than many businesses realise.

Entities covered by the scheme

  • Australian Government agencies (federal departments and statutory bodies).
  • Businesses and not-for-profits with an annual turnover of more than A$3 million.
  • Health service providers of any size, including GPs, dentists, allied health, gyms, and childcare centres holding health information.
  • Credit reporting bodies and credit providers.
  • Tax File Number (TFN) recipients.
  • Small businesses that trade in personal information, are contracted to provide services to the Commonwealth, or have opted in to the Privacy Act.

Importantly, the 2022 amendments expanded extraterritorial reach: foreign organisations carrying on business in Australia must comply, even without an Australian establishment, if they collect or hold personal information of Australians.

What Counts as an "Eligible Data Breach"?

Not every security incident is a notifiable breach. Under section 26WE of the Privacy Act, three conditions must all be met for an eligible data breach:

  1. Unauthorised access, unauthorised disclosure, or loss of personal information held by the entity has occurred.
  2. The breach is likely to result in serious harm to one or more individuals.
  3. Remedial action has not prevented the likely risk of serious harm.

Examples of personal information at risk

  • Names, addresses, dates of birth combined with identifiers
  • Driver licence, passport, or Medicare numbers
  • Health and medical records
  • Financial information, bank accounts, credit card details
  • Tax File Numbers
  • Login credentials providing access to sensitive accounts

What "serious harm" means

Serious harm can include physical, psychological, emotional, financial, or reputational harm. The OAIC expects entities to weigh factors such as the kind and sensitivity of information, whether it was encrypted, who obtained the information, and the nature of the harm that could follow (identity theft, fraud, blackmail, discrimination, or family violence risk).

The 30-Day Assessment Rule

If you have reasonable grounds to suspect an eligible data breach may have occurred but cannot confirm it, you must carry out a reasonable and expeditious assessment within 30 calendar days of becoming aware of the suspicion.

The OAIC recommends a three-stage assessment process:

  1. Initiate: Decide who will lead the assessment and the scope.
  2. Investigate: Gather facts about the cause, scope of personal information involved, and individuals affected.
  3. Evaluate: Decide whether the criteria for an eligible data breach are met and document the decision.

If you confirm an eligible data breach earlier than 30 days, you must notify as soon as practicable — you cannot wait out the assessment window.

How to Notify the OAIC and Affected Individuals

Once an eligible data breach is confirmed, the entity must prepare a statement and provide it to the Australian Information Commissioner as soon as practicable, then notify affected individuals.

Mandatory contents of the notification statement

  • The identity and contact details of the entity
  • A description of the data breach
  • The kinds of information involved
  • Recommendations about the steps individuals should take in response

Three options for notifying individuals

  1. Notify all individuals whose information was involved in the breach.
  2. Notify only those individuals at likely risk of serious harm.
  3. Publish the statement on the entity's website and take reasonable steps to publicise it (used when direct contact isn't practicable).

Notifications can be sent by the usual method of communication (email, SMS, post, in-app messaging). Many organisations use trackable links to direct customers to detailed advice pages — a privacy-respecting URL shortener like Lunyb can help create clean, branded short links for breach notification emails without leaking recipient data to third-party trackers.

Penalties for Non-Compliance in 2026

The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 dramatically increased penalties for serious or repeated interferences with privacy, including failures to notify under the NDB scheme.

| Entity Type | Maximum Penalty (per contravention) |
| --- | --- |
| Individuals | A$2.5 million |
| Body corporate — fixed amount | A$50 million |
| Body corporate — value of benefit obtained | 3× the value of the benefit attributable to the breach |
| Body corporate — turnover-based | 30% of adjusted turnover during the breach period |

The OAIC also has expanded powers to conduct assessments, issue infringement notices, and seek civil penalty orders in the Federal Court. For comparison with overseas regimes, see our analysis of ICO fines and UK data protection penalties.

Notable Australian Data Breaches and Lessons Learned

Recent high-profile incidents have shaped how the OAIC enforces the scheme:

  • Optus (2022): Around 9.8 million customer records exposed; led to ongoing OAIC investigation and class action.
  • Medibank (2022): 9.7 million current and former customers' health and personal data leaked on the dark web.
  • Latitude Financial (2023): 14 million records breached, including driver licences and passport numbers.
  • MediSecure (2024): Prescription data of approximately 12.9 million Australians compromised.

Each case reinforced three lessons: retain personal information only as long as necessary, encrypt sensitive data at rest, and rehearse breach-response playbooks before you need them. Our 2026 data breach guide explores current attack patterns in more detail.

OAIC Notifiable Data Breach Statistics

The OAIC publishes biannual reports tracking breach trends. Recent reporting periods show:

  • Malicious or criminal attacks consistently cause 65–70% of notifiable breaches.
  • Phishing and compromised credentials remain the leading attack vectors.
  • The health sector is the top reporting industry, followed by finance and government.
  • Around 60% of breaches affect fewer than 100 individuals, but a small number of mega-breaches dominate the impacted-individual count.

Step-by-Step: Building an NDB-Ready Response Plan

An effective data breach response plan transforms a chaotic event into a controlled process. Follow these eight steps:

  1. Map your personal information holdings — know what you collect, where it's stored, and who can access it.
  2. Establish a breach response team with representatives from legal, IT/security, communications, and senior leadership.
  3. Define detection and escalation procedures so suspected incidents reach the response team within hours.
  4. Document the 30-day assessment workflow with templates for evidence gathering and decision logs.
  5. Prepare draft notification templates for the OAIC and affected individuals — pre-approved language saves critical hours.
  6. Identify containment and remediation actions: password resets, token revocation, system isolation, credit monitoring offers.
  7. Run tabletop exercises at least annually to stress-test the plan.
  8. Conduct post-incident reviews and update controls and the plan based on lessons learned.

Exceptions and Special Cases

The Privacy Act recognises a few narrow exceptions to notification:

  • Multi-party breaches: Where multiple entities hold the same information, only one needs to notify on behalf of all.
  • Enforcement-related activities: Where notification would compromise law enforcement.
  • Inconsistency with secrecy provisions in other Commonwealth laws.
  • Commissioner declarations exempting notification on a case-by-case basis.

Don't assume an exception applies — document a legal basis before relying on one.

How the NDB Scheme Interacts With Other Frameworks

Australian organisations often face overlapping notification duties:

  • SOCI Act 2018 — critical infrastructure operators must report cyber incidents to the Australian Signals Directorate within 12 or 72 hours depending on severity.
  • APRA CPS 234 — regulated financial entities must notify APRA of material information security incidents within 72 hours.
  • State health privacy laws (e.g., NSW HRIPA, Victorian HRA) — may impose parallel obligations on health service providers.
  • GDPR — if you process EU residents' data, the 72-hour GDPR clock may run alongside Australian obligations.

Practical Security Measures to Reduce Breach Risk

Prevention is always cheaper than notification. Core controls the OAIC expects under APP 11 include:

  • Multi-factor authentication on all internet-facing systems and admin accounts.
  • Encryption of personal information at rest and in transit.
  • Least-privilege access and quarterly access reviews.
  • Patch management aligned with the ASD Essential Eight.
  • Endpoint detection and response (EDR) with 24/7 monitoring.
  • Vendor risk management — most large Australian breaches in recent years started in a third party.
  • Secure link sharing and customer communications. Choosing privacy-focused tools, including enterprise-grade URL shortening platforms, helps reduce data leakage through marketing and notification channels.
  • Regular staff phishing simulations and privacy training.

Frequently Asked Questions

How long do I have to report a data breach in Australia?

You must notify the OAIC and affected individuals as soon as practicable after confirming an eligible data breach. If you only suspect a breach, you have up to 30 calendar days to complete a reasonable assessment. Waiting longer without justification risks penalties.

Does the NDB scheme apply to small businesses?

Most businesses with annual turnover under A$3 million are exempt from the Privacy Act and the NDB scheme. However, exceptions apply to health service providers, businesses trading in personal information, TFN recipients, contractors providing Commonwealth services, and small businesses that opt in. Many small businesses are covered without realising it.

What is the maximum penalty for failing to notify a data breach?

Since December 2022, body corporates can face the greatest of A$50 million, three times the value of the benefit obtained, or 30% of adjusted turnover during the breach period. Individuals can be fined up to A$2.5 million per contravention.

Do I need to notify if the data was encrypted?

Strong encryption can be a remedial action that prevents the likely risk of serious harm, removing the obligation to notify. But this depends on key management, the strength of the encryption, and whether keys may also have been compromised. Document your reasoning carefully.

Where do I lodge a Notifiable Data Breach form?

Notifications are lodged through the OAIC's online Notifiable Data Breach form available at oaic.gov.au. The form captures the mandatory statement contents and allows updates as the investigation progresses.

Can I be fined even if I notified on time?

Yes. The penalties relate to serious or repeated interferences with privacy, which can include the underlying security failure that caused the breach — not just late notification. Strong APP 11 security controls remain essential.

Final Thoughts

The Australian Data Breach Notification Scheme is now a mature, well-enforced framework backed by some of the highest privacy penalties in the Asia-Pacific region. Organisations that treat the NDB scheme as a compliance checkbox will struggle when an incident hits; those that build genuine breach-readiness — with mapped data holdings, rehearsed playbooks, strong technical controls, and clear accountability — will navigate even significant incidents with their reputation and customers' trust intact.

Review your privacy program against the NDB requirements at least annually, and treat every near-miss as a free lesson. In 2026, the question is no longer if your organisation will face a privacy incident, but how prepared you'll be when it happens.
