
Australian Data Breach Notification Scheme: A Complete 2026 Guide

Lunyb Security Team · 10 min read

The Australian Data Breach Notification Scheme, formally known as the Notifiable Data Breaches (NDB) scheme, requires organisations to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when an eligible data breach occurs. Established under Part IIIC of the Privacy Act 1988, the scheme has been in force since 22 February 2018 and has become one of the most consequential privacy obligations Australian businesses face.

With penalties for serious or repeated breaches now reaching up to AUD $50 million following the 2022 amendments, understanding your obligations under the scheme is no longer optional. This guide explains who the scheme applies to, what counts as a notifiable breach, the steps you must take, and how to build a compliance programme that actually works.

What Is the Notifiable Data Breaches Scheme?

The Notifiable Data Breaches scheme is an Australian federal law that mandates the disclosure of certain data breaches to both regulators and affected individuals. It sits within the broader Privacy Act framework and is enforced by the OAIC.

The scheme was introduced after years of debate about voluntary disclosure failing to give Australians meaningful awareness of when their personal information had been compromised. Today, the NDB scheme operates alongside the 13 Australian Privacy Principles (APPs) and forms a cornerstone of Australia's privacy regulation alongside emerging reforms expected through 2026 and beyond.

Key objectives of the scheme

  • Provide individuals with timely awareness of breaches affecting their personal data
  • Enable affected individuals to take protective action (such as changing passwords or monitoring accounts)
  • Encourage organisations to improve information security practices
  • Give the OAIC visibility into breach trends across Australia

Who Must Comply With the Scheme?

The NDB scheme applies to all entities that have existing personal information security obligations under the Privacy Act. This is a broader group than many organisations realise.

Specifically, the scheme covers:

  • Australian Government agencies at the federal level
  • Businesses and not-for-profit organisations with an annual turnover of more than AUD $3 million
  • Private sector health service providers (regardless of turnover)
  • Credit reporting bodies and credit providers
  • Tax File Number (TFN) recipients
  • Entities that trade in personal information (such as data brokers)
  • Certain small businesses that have opted in or are otherwise covered

It's worth noting that the long-anticipated removal of the small business exemption is part of the government's broader Privacy Act reform agenda. Once enacted, millions of additional Australian businesses will fall under the NDB scheme. Forward-looking organisations are already preparing as if the exemption no longer exists.

What Is an "Eligible Data Breach"?

An eligible data breach occurs when there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an entity, and a reasonable person would conclude that the access or disclosure is likely to result in serious harm to one or more of the individuals to whom the information relates. For lost information (a misplaced laptop, say), the question is whether unauthorised access or disclosure is likely to occur and, if it did, whether it would be likely to cause serious harm.

The three-part test

  1. There is a breach — unauthorised access, unauthorised disclosure, or loss of personal information.
  2. Serious harm is likely — to any individual whose information was involved.
  3. Remedial action has not prevented the harm — if you act quickly enough that a reasonable person would conclude serious harm is no longer likely (for example, remotely wiping a lost device before anyone accesses it), the breach is not eligible and need not be notified. Record the action taken and the reasoning either way.

What counts as "serious harm"?

Serious harm is not defined as a single threshold but is assessed against multiple factors, including:

  • The kind and sensitivity of information involved (health data, financial details, government identifiers)
  • Whether the information is protected by security measures such as encryption
  • The persons or kinds of persons who have obtained or could obtain the information
  • The likelihood of identity theft, financial loss, physical harm, reputational damage, or psychological distress

Notification Timeframes and Process

Once an entity becomes aware that there are reasonable grounds to suspect an eligible data breach has occurred, strict timelines apply. Failing to act quickly is one of the most common compliance failures the OAIC sees.

Stage | Timeframe | Required action
Suspected breach identified | Immediately | Begin containment and the internal assessment
Assessment period | Reasonable and expeditious, and no more than 30 calendar days from becoming aware of the suspicion | Determine whether the breach is "eligible"
Confirmed eligible breach | As soon as practicable after forming that belief | Prepare a statement, give it to the OAIC and notify affected individuals
Public statement (if direct contact is not practicable) | As soon as practicable | Publish the statement on your website and take reasonable steps to publicise it

The 30 days is a ceiling, not a target: if the facts are clear on day two, notify on day two.

What must the notification contain?

A statement to the OAIC and to affected individuals must include:

  • The identity and contact details of the entity
  • A description of the eligible data breach
  • The kind or kinds of information concerned
  • Recommended steps individuals should take in response

Penalties for Non-Compliance

The financial consequences of failing to comply with the NDB scheme were dramatically increased by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. For serious or repeated interferences with privacy, organisations now face penalties of up to the greater of:

  • AUD $50 million
  • Three times the value of any benefit obtained through the misuse of information
  • 30% of the entity's adjusted turnover during the relevant period

Beyond direct penalties, organisations face reputational damage, customer loss, class action litigation, and operational disruption. The 2022 Optus and Medibank breaches demonstrated how a single incident can dominate national headlines for weeks and trigger sustained regulatory attention.

Common Causes of Notifiable Data Breaches

The OAIC publishes twice-yearly reports on NDB scheme statistics. Year after year, the same root causes dominate.

Top breach sources

  1. Malicious or criminal attacks (around 65–70% of reported breaches) — including phishing, ransomware, and compromised credentials
  2. Human error (around 25–30%) — emails sent to wrong recipients, lost devices, misconfigured systems
  3. System faults (small percentage) — software bugs that expose data unintentionally

Most-affected sectors

  • Health service providers
  • Finance (including banks, insurers, and superannuation)
  • Recruitment agencies
  • Legal, accounting and management services
  • Australian Government agencies

Building an NDB Compliance Programme

Compliance with the NDB scheme is not a one-off project. It requires an integrated programme combining technology, process, and people.

Step 1: Map your personal information holdings

You can't protect what you don't know about. Conduct a data inventory covering what personal information you collect, why, where it's stored, who has access, and how long it's retained.

Step 2: Assess and reduce risk

Apply the principle of data minimisation: collect and retain only what you genuinely need, and delete or de-identify it when the purpose is served. Encrypt data at rest and in transit, and keep the keys separate from the data they protect, since encryption only reduces the likelihood of serious harm if the keys are not exposed alongside the data. Use multi-factor authentication on every remotely accessible account. Limit and log privileged access.

Step 3: Develop a Data Breach Response Plan

Your plan should include defined roles (response team lead, legal, communications, IT), escalation criteria, assessment procedures, notification templates, and post-incident review processes. The OAIC publishes guidance on what response plans should contain.

Step 4: Train staff regularly

Given that human error causes nearly a third of breaches, training is one of the highest-return investments you can make. Run phishing simulations and refresh training at least annually.

Step 5: Vet your third-party suppliers

A breach at a supplier that holds personal information on your behalf is still your breach. Contractually require notification within tight timeframes, and assess vendor security posture before onboarding. Where more than one entity holds the same information, the Act allows one of them to notify on behalf of the others, so the contract should also settle who assesses, who notifies, and how the two of you share evidence.

Step 6: Use secure tools for sensitive links and communications

When sharing links to documents, customer portals, or marketing campaigns, use a privacy-focused link management platform like Lunyb that supports password-protected links, expiry dates, and audit-friendly analytics. For background on choosing secure URL tooling, see our 2026 buyer's guide to URL shorteners.

The NDB Scheme vs the GDPR: Key Differences

Many Australian organisations also handle data of EU residents and must comply with both regimes. Understanding the differences avoids gaps.

Aspect | Australia (NDB) | EU (GDPR)
Notification trigger | Likely serious harm to an individual | Risk to the rights and freedoms of individuals
Regulator deadline | As soon as practicable after concluding the breach is eligible | 72 hours after becoming aware, where feasible
Assessment window | Up to 30 days | No separate window; the 72 hours runs from awareness
Maximum penalty | Greater of AUD $50m, three times the benefit, or 30% of adjusted turnover | Greater of €20m or 4% of global annual turnover
Individual notification | Required for every eligible breach | Required where the breach is likely to result in a high risk

Recent Developments and the Road Ahead

The Australian privacy landscape is in the most significant period of reform since the Privacy Act was first introduced. The Attorney-General's Department's Privacy Act Review proposed 116 reforms, many of which directly affect the NDB scheme.

Key changes to watch

  • Mandatory 72-hour notification to the OAIC: proposed in the Review and agreed in principle by the government, aligning with the GDPR; not yet legislated
  • Removal of the small business exemption: extending the scheme to all businesses regardless of turnover; agreed in principle, not yet legislated
  • Expanded definition of "personal information": capturing more technical identifiers; agreed in principle, not yet legislated
  • Statutory tort for serious invasions of privacy: legislated in the first tranche, opening direct civil claims by affected individuals
  • Stronger enforcement powers for the OAIC, including a tiered civil penalty regime and infringement notices: legislated in the first tranche

Tranche 1 of the reforms (the Privacy and Other Legislation Amendment Act 2024) passed in late 2024, and further tranches carrying the remaining proposals are expected through 2026. Organisations should track these changes and update their compliance programmes proactively.

Practical Checklist for Australian Organisations

  1. Confirm whether you are covered by the Privacy Act and NDB scheme
  2. Maintain a current personal information inventory
  3. Document a Data Breach Response Plan with named roles
  4. Run tabletop exercises at least annually
  5. Implement encryption, MFA, and least-privilege access
  6. Vet and contractually bind third-party processors
  7. Monitor systems for unauthorised access in real time
  8. Use privacy-aware tools for link sharing, file transfer, and customer comms
  9. Train staff on phishing and incident reporting
  10. Stay current on Privacy Act reform and update policies accordingly

Frequently Asked Questions

How quickly must I notify the OAIC of a data breach in Australia?

You must notify "as soon as practicable" after you become aware of reasonable grounds to believe an eligible data breach has occurred. You have up to 30 calendar days to assess a suspected breach, but that is a maximum; once you have formed the belief, you should not wait for the window to run out. Reform proposals agreed in principle would introduce a hard 72-hour deadline for notifying the OAIC.

Does the NDB scheme apply to small businesses with less than $3 million turnover?

Currently, most small businesses under the AUD $3 million turnover threshold are exempt — but health service providers, credit reporting bodies, TFN recipients and entities trading in personal information are covered regardless of size. The exemption is expected to be removed in upcoming Privacy Act reforms.

What's the difference between an eligible and a non-eligible data breach?

An eligible breach involves unauthorised access, disclosure, or loss of personal information that is likely to result in serious harm and where remedial action has not prevented that harm. A breach you contain before serious harm becomes likely, for example a misdirected email where the recipient confirms in writing that it was deleted unopened, may not be eligible and therefore not notifiable. Note that an email "recall" does not by itself establish this: you need evidence that the information was not accessed, and you should keep a record of it.

Can I be fined personally as a director for a data breach?

The Privacy Act's civil penalty provisions are aimed at the entity; the separate penalty tier for individuals (up to AUD $2.5 million) applies to a person who themselves interferes with privacy. Directors and officers are more commonly exposed through their duties of care and diligence under the Corporations Act, continuous disclosure obligations for listed entities, and ASIC's stated position that cyber resilience is a governance responsibility. Many boards now treat cyber risk as a core governance issue.

Do I need to notify if encrypted data is stolen?

Possibly not. Whether the information was protected by security measures, and how likely those measures are to be overcome, are factors the Act directs you to weigh. If the data was encrypted with a strong, current algorithm and the key was not exposed (not stored on the same stolen device, not reachable with the access the attacker had), a reasonable person may conclude that serious harm is not likely. You must document this assessment carefully: encryption is a factor, not an automatic exemption, and the OAIC will look at the algorithm, how the keys were managed, and whether the attacker's access could have reached them.

Where can I report a breach or get more guidance?

Eligible breaches must be reported via the OAIC's online Notifiable Data Breach form at oaic.gov.au. The OAIC also publishes detailed guidance, breach response plan templates, and twice-yearly statistical reports that are essential reading for compliance teams.

Final Thoughts

The Notifiable Data Breaches scheme is more than a regulatory checkbox — it's a framework that, taken seriously, materially improves how Australian organisations handle personal information. With penalties now in the tens of millions and a reform agenda that will broaden the scheme's reach, 2026 is the year to ensure your compliance posture is mature, tested, and continuously improving.

Build the right plan now, equip your team with privacy-aware tools, and treat every breach not just as a legal event but as an opportunity to learn and harden your defences. Your customers — and the OAIC — will thank you.
