Australian Data Breach Notification Scheme: Complete 2026 Compliance Guide

Lunyb Security Team

The Australian Data Breach Notification Scheme — formally known as the Notifiable Data Breaches (NDB) scheme — requires organisations covered by the Privacy Act 1988 to report eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and affected individuals. With penalties for serious or repeated privacy interferences now reaching up to AU$50 million, understanding your obligations under this scheme has never been more critical for Australian businesses.

This guide walks you through everything you need to know about the NDB scheme in 2026: who it applies to, what counts as an eligible breach, reporting timelines, notification requirements, and practical steps to build a compliant response plan.

What Is the Notifiable Data Breaches Scheme?

The Notifiable Data Breaches scheme is a mandatory reporting framework introduced through amendments to the Privacy Act 1988 (Cth); it came into force on 22 February 2018. It requires APP (Australian Privacy Principle) entities to notify both the OAIC and affected individuals when an "eligible data breach" occurs that is likely to result in serious harm.

The scheme sits within Part IIIC of the Privacy Act and is administered by the Australian Information Commissioner. Its core purpose is to give individuals the opportunity to take protective steps — such as changing passwords, monitoring accounts, or freezing credit — when their personal information is compromised.

Key Objectives of the Scheme

  • Improve transparency around data handling in Australia
  • Enable individuals to mitigate harm when their data is exposed
  • Encourage organisations to invest in stronger information security
  • Provide the OAIC with visibility into the data breach landscape

Who Must Comply With the NDB Scheme?

The NDB scheme applies to all entities that have existing personal information security obligations under the Australian Privacy Act. This includes a broader range of organisations than many businesses realise.

Entities Covered

  • Australian Government agencies (including most federal departments)
  • Businesses and not-for-profit organisations with an annual turnover of more than AU$3 million
  • Private sector health service providers (regardless of turnover)
  • Credit reporting bodies and credit providers
  • Tax File Number (TFN) recipients
  • Entities trading in personal information
  • Small businesses that opt in or fall under specific categories (e.g., contractors providing services to the Commonwealth)

Note: Following the Privacy Act review and 2024 reforms, the small business exemption is under active review, and many small businesses are expected to lose their exemption in upcoming reform tranches.

What Counts as an "Eligible Data Breach"?

An eligible data breach occurs when three conditions are met simultaneously:

  1. There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an entity.
  2. The breach is likely to result in serious harm to one or more individuals.
  3. The entity has been unable to prevent the likely risk of serious harm through remedial action.

Examples of Eligible Data Breaches

  • A ransomware attack that exfiltrates customer records containing names, addresses, and financial details
  • An employee emailing a spreadsheet of patient records to the wrong recipient
  • A lost laptop containing unencrypted client files
  • A phishing attack compromising login credentials that grant access to a CRM system
  • A misconfigured cloud storage bucket exposing personal data publicly

What "Serious Harm" Means

Serious harm isn't defined exhaustively in the Act, but the OAIC interprets it to include:

  • Identity theft and financial fraud
  • Significant financial loss
  • Threats to physical safety
  • Serious psychological or emotional harm
  • Reputational damage
  • Discrimination or bullying

NDB Scheme Reporting Timeline

The NDB scheme imposes specific timeframes that entities must follow once a suspected breach is identified. Failure to meet these deadlines can itself constitute a breach of the Privacy Act.

| Stage                       | Timeframe               | Required Action                            |
|-----------------------------|-------------------------|--------------------------------------------|
| Suspected breach identified | Immediately             | Begin assessment and containment           |
| Assessment period           | Within 30 calendar days | Determine whether it is an eligible breach |
| Notification to OAIC        | As soon as practicable  | Submit statement to the Commissioner       |
| Notification to individuals | As soon as practicable  | Notify affected individuals directly       |

What Must Be Included in the Notification?

The statement provided to both the OAIC and affected individuals must include specific information as set out in section 26WK of the Privacy Act.

Mandatory Content

  1. The identity and contact details of the entity
  2. A description of the eligible data breach
  3. The kinds of personal information involved
  4. Recommendations about the steps individuals should take in response

How to Notify Individuals

Entities have three options for notifying affected individuals:

  • Option 1: Notify all individuals whose data was involved in the breach
  • Option 2: Notify only those individuals at likely risk of serious harm
  • Option 3: Publish the statement on the entity's website and take reasonable steps to publicise it (used when direct notification is not practicable)

Exceptions to Notification

There are limited circumstances where notification may not be required, even when a breach occurs:

  • Remedial action exception: If the entity acts quickly enough that serious harm is no longer likely
  • Multi-party breach: If another entity has already notified about the same breach
  • Enforcement body exception: Where notification would prejudice law enforcement activities
  • Inconsistency with secrecy provisions: Where Commonwealth law prohibits disclosure
  • OAIC declaration: The Commissioner may declare notification not required in specific cases

Penalties for Non-Compliance

The penalty regime under the Privacy Act was significantly strengthened by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, with further reforms in 2024.

Current Maximum Penalties (Serious or Repeated Interferences)

| Entity Type      | Maximum Penalty                                                                                                                   |
|------------------|-----------------------------------------------------------------------------------------------------------------------------------|
| Individuals      | AU$2.5 million                                                                                                                    |
| Bodies corporate | The greater of AU$50 million, 3x the benefit obtained from the conduct, or 30% of adjusted turnover during the breach period       |

The 2024 reforms also introduced new mid-tier and low-tier civil penalty provisions for less serious contraventions, giving the OAIC more flexibility in enforcement.

How to Build an NDB-Compliant Response Plan

Preparation is the single biggest factor in meeting your NDB obligations. Here's a practical framework for building a data breach response plan.

Step 1: Establish a Response Team

Form a cross-functional team including representatives from IT/security, legal, communications, HR, and executive leadership. Assign a clear breach response coordinator.

Step 2: Document a Response Procedure

Your plan should cover four phases:

  1. Contain — stop the breach and prevent further data loss
  2. Assess — determine scope, data types, and likely harm
  3. Notify — inform the OAIC and affected individuals if required
  4. Review — conduct a post-incident review to prevent recurrence

Step 3: Implement Preventive Controls

  • Multi-factor authentication on all administrative accounts
  • Encryption of personal data at rest and in transit
  • Regular staff phishing awareness training
  • Network segmentation and least-privilege access
  • Routine vulnerability scanning and patching
  • Endpoint detection and response (EDR) tooling

Step 4: Reduce Your Data Footprint

The less personal information you hold, the smaller your breach exposure. Audit what you collect, retain only what you need, and securely destroy data that's no longer required.

This also applies to seemingly innocuous tools like marketing links. Using a privacy-conscious URL shortener such as Lunyb for campaign tracking — instead of platforms that aggregate extensive visitor profiles — can reduce the personal data flowing into your systems and your third-party processors. For a deeper comparison of options, see our Best URL Shorteners Reviewed and Compared: 2026 Buyer's Guide.

Step 5: Test the Plan

Run tabletop exercises at least annually. Simulate scenarios like ransomware, lost devices, and accidental disclosures to identify gaps before a real incident occurs.

Current Breach Trends in Australia

The OAIC publishes biannual Notifiable Data Breaches Reports. Recent reporting periods have highlighted several persistent themes Australian organisations should be aware of:

  • Malicious or criminal attacks remain the leading cause of breaches, accounting for roughly 65–70% of incidents
  • Health service providers, finance, and government consistently rank as the top three reporting sectors
  • Phishing is the most common attack vector for credential-based breaches
  • Ransomware incidents have grown in both frequency and severity
  • Supply chain breaches — where a third-party provider is compromised — continue to expose customer entities

How the NDB Scheme Compares Internationally

| Jurisdiction      | Notification Deadline                            | Threshold                    | Max Penalty                  |
|-------------------|--------------------------------------------------|------------------------------|------------------------------|
| Australia (NDB)   | As soon as practicable (post 30-day assessment)  | Likely serious harm          | AU$50M / 30% turnover        |
| EU (GDPR)         | 72 hours                                         | Risk to rights and freedoms  | €20M / 4% global turnover    |
| UK (UK GDPR)      | 72 hours                                         | Risk to rights and freedoms  | £17.5M / 4% global turnover  |
| USA (state-based) | Varies (30–90 days typical)                      | Varies                       | Varies by state              |

Upcoming Reforms to Watch

The Privacy Act is undergoing the most significant reform in three decades. Key changes either enacted or proposed include:

  • Introduction of a statutory tort for serious invasions of privacy
  • Potential removal of the small business exemption
  • Stronger rights for individuals including erasure and de-indexing
  • Enhanced OAIC investigative and enforcement powers
  • New requirements for automated decision-making transparency
  • Tightened breach notification timelines (a 72-hour deadline aligning with GDPR has been proposed)

Organisations should monitor reform tranches closely and update compliance programs in advance of commencement dates.

Frequently Asked Questions

Do I have to report every data breach to the OAIC?

No. You only need to report "eligible data breaches" — those where unauthorised access, disclosure, or loss of personal information is likely to result in serious harm and you cannot prevent that harm through remedial action. Many minor incidents will not meet this threshold but should still be documented internally.

How long do I have to assess a suspected breach?

You have up to 30 calendar days from the point you become aware of grounds to suspect an eligible breach to complete a reasonable and expeditious assessment. However, you should act as soon as practicable — waiting the full 30 days when faster assessment is possible could itself be considered non-compliant.

Does the NDB scheme apply to small businesses?

Generally, businesses with annual turnover under AU$3 million are exempt — but there are major exceptions including health service providers, businesses that trade in personal information, TFN recipients, and contractors to the Commonwealth. The small business exemption is also under active review and may be removed in future reforms.

What happens if I don't notify when I should have?

Failure to comply with the NDB scheme is an interference with privacy under the Privacy Act and can attract civil penalties up to AU$50 million (or higher based on turnover) for body corporates, plus OAIC enforcement actions, reputational damage, and potential class action exposure.

Can I notify individuals before notifying the OAIC?

Yes. The Act does not mandate which notification comes first, only that both occur as soon as practicable after you determine an eligible breach has occurred. In practice, many entities notify the OAIC and affected individuals in parallel.

Final Thoughts

The Notifiable Data Breaches scheme is more than a reporting obligation — it's a forcing function for better privacy and security practices across the Australian economy. With penalties now reaching AU$50 million and reforms tightening the framework further, treating NDB compliance as a strategic priority rather than a checkbox exercise is essential.

Start by mapping the personal information you hold, identifying your highest-risk data flows, building a documented response plan, and rehearsing it regularly. The organisations that fare best after a breach are not the ones that avoid incidents entirely — they're the ones prepared to respond quickly, transparently, and in line with their legal obligations.
