Australian Data Breach Notification Scheme: A Complete 2026 Guide
If your organisation handles personal information in Australia, the Notifiable Data Breaches (NDB) scheme isn't optional reading. It is a legal obligation that can cost you millions if you get it wrong. Since coming into force in February 2018, the Australian Data Breach Notification Scheme has reshaped how businesses, government agencies and not-for-profits respond when personal data is compromised. With the Office of the Australian Information Commissioner (OAIC) now bringing civil penalty proceedings in the Federal Court and Australians more privacy-aware than ever, understanding this scheme is mission-critical for any entity covered by the Privacy Act 1988.
This guide walks you through everything you need to know about the Australian data breach notification scheme: who it applies to, when you must notify, how to assess an eligible data breach, and the practical steps to stay compliant in 2026.
What Is the Australian Data Breach Notification Scheme?
The Australian Notifiable Data Breaches (NDB) scheme is a legal framework under Part IIIC of the Privacy Act 1988 (Cth) that requires covered entities to notify affected individuals and the OAIC when an eligible data breach occurs. It was introduced through the Privacy Amendment (Notifiable Data Breaches) Act 2017 and commenced on 22 February 2018.
The scheme's purpose is straightforward: give Australians timely information about breaches involving their personal data so they can take protective steps — like changing passwords, cancelling cards, or watching for identity theft. It also creates accountability, pushing organisations to invest in stronger data security practices.
Key Legislative Framework
- Privacy Act 1988 (Cth) — the parent legislation governing personal information handling
- Part IIIC — the specific section creating the NDB scheme
- Australian Privacy Principles (APPs) — 13 principles covering collection, use, disclosure and security of personal information
- Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 — dramatically increased penalties
Who Must Comply with the NDB Scheme?
The NDB scheme applies to all entities that have existing obligations under the Privacy Act 1988 to secure personal information. These are collectively referred to as "APP entities."
Entities Covered
- Australian Government agencies
- Businesses and not-for-profits with annual turnover exceeding A$3 million
- Private sector health service providers (regardless of turnover)
- Credit reporting bodies and credit providers
- Tax File Number (TFN) recipients
- Entities that trade in personal information
- Contracted service providers for Commonwealth contracts
Notably, even small businesses below the A$3 million threshold can be caught if they handle health information, sell or buy personal information, or hold TFNs.
What Counts as an "Eligible Data Breach"?
An eligible data breach under the NDB scheme has three elements that must all be present:
- Unauthorised access or disclosure of personal information, or loss of personal information where unauthorised access or disclosure is likely
- The breach is likely to result in serious harm to one or more affected individuals
- The entity has not been able to prevent the likely risk of serious harm through remedial action
What Is "Serious Harm"?
The Act doesn't exhaustively define serious harm, but the OAIC interprets it to include:
- Physical or psychological harm
- Financial loss or identity theft
- Reputational damage
- Emotional distress
- Harm to relationships or employment prospects
Entities must apply a "reasonable person" test: would a reasonable person conclude the breach is likely to result in serious harm given the type of information, sensitivity, protections in place (like encryption), and circumstances of the breach?
Notification Timelines and Process
Speed matters under the NDB scheme. Here's the timeline you need to memorise.
The 30-Day Assessment Window
If you suspect an eligible data breach may have occurred but do not yet have reasonable grounds to believe it has, you must carry out a reasonable and expeditious assessment and take all reasonable steps to complete it within 30 calendar days. The OAIC expects assessments to be completed as quickly as practicable: 30 days is the outer limit, not a default timeframe. If you already have reasonable grounds to believe an eligible data breach has occurred (for example, the attacker has published the data), there is no assessment period at all; the notification obligation starts immediately.
The Notification Step
Once you confirm an eligible data breach, you must as soon as practicable:
- Prepare a statement for the Australian Information Commissioner
- Notify affected individuals (or take reasonable steps to do so)
Required Contents of a Notification Statement
| Required Element | Detail |
|---|---|
| Entity identity | Name and contact details of the organisation |
| Breach description | What happened and when |
| Information involved | Type of personal information compromised |
| Recommended steps | Actions individuals should take to protect themselves |
| Other entities (optional) | Identity and contact details of any other entities whose information was involved in the same breach, if you choose to include them |
How to Notify Affected Individuals
The Act provides three options for notifying individuals. Options 1 and 2 are available where practicable; Option 3 is the fallback when neither is:
- Option 1: Notify each individual whose personal information was involved in the breach
- Option 2: Notify only those individuals at likely risk of serious harm
- Option 3: If neither of the above is practicable, publish the statement on the entity's website and take reasonable steps to publicise it
Email, SMS, mail or phone calls are all acceptable notification methods, depending on how the entity ordinarily communicates with the individuals.
Penalties for Non-Compliance
The 2022 amendments dramatically increased the consequences for serious privacy breaches. Since December 2022, the maximum civil penalty for a body corporate for a serious interference with privacy (the 2022 wording was "serious or repeated"; the Privacy and Other Legislation Amendment Act 2024 dropped "repeated" and instead lists repetition among the factors that make an interference serious) is the greater of:
- A$50 million, or
- Three times the value of any benefit obtained from the conduct, or
- 30% of adjusted turnover during the breach turnover period
That is more than a twentyfold increase on the previous A$2.22 million cap. The 2024 Act also added a mid-tier civil penalty for interferences that do not reach the "serious" threshold and an infringement-notice regime for specified administrative breaches, and the OAIC has gained expanded investigation and information-gathering powers.
Other Consequences
- Public enforceable undertakings
- Compensation orders for affected individuals
- Reputational damage and loss of consumer trust
- Class action exposure
- Increased regulatory scrutiny
Exceptions to Notification
The NDB scheme includes several limited exceptions where notification is not required or may be delayed:
1. Remedial Action Exception
If you take remedial action before serious harm occurs, and as a result a reasonable person would no longer conclude that serious harm is likely, the breach is not an eligible data breach and notification is not required. Examples: recovering a lost laptop before anyone accessed it, or remotely wiping a stolen device that was protected by a strong passcode. Keep the evidence that supports the conclusion (device logs, wipe confirmation, access logs showing no reads), because the assessment has to stand up later.
2. Multi-Party Breach Exception
Where the same breach involves information held by more than one entity (for example, a SaaS provider and its customer), only one needs to notify, provided the others can rely on that notification covering the breach. Agree in the contract, before an incident, which party notifies.
3. Enforcement Body Exception
An enforcement body (such as a police force) may withhold notification if its chief executive believes on reasonable grounds that notifying would be likely to prejudice enforcement-related activities.
4. Inconsistency with Secrecy Provisions
Where notification would be inconsistent with a Commonwealth secrecy provision, it may be withheld.
5. Commissioner's Declaration
The Information Commissioner may, on application, declare that notification is not required, or may be delayed, where that is reasonable in the circumstances.
Common Causes of Notifiable Breaches in Australia
The OAIC publishes biannual Notifiable Data Breaches Reports. Recent trends consistently show:
| Cause | Approximate Share | Examples |
|---|---|---|
| Malicious or criminal attacks | ~65–70% | Phishing, ransomware, hacking, credential compromise |
| Human error | ~25–30% | Emails sent to wrong recipient, lost devices, misconfigured cloud storage |
| System faults | ~3–5% | Software bugs exposing data, access control failures |
The health sector, finance, education and Australian Government remain the top-reporting sectors.
Building an NDB-Compliant Response Plan
Every covered entity should maintain a documented Data Breach Response Plan. Here's what it should include:
1. Response Team Roles
- Privacy Officer or Data Protection Lead
- IT/Security incident responder
- Legal counsel
- Communications/PR lead
- Executive sponsor
2. Five-Step Response Workflow
- Contain the breach to prevent further compromise
- Assess the risks and whether the breach is "eligible"
- Notify the OAIC and affected individuals if required
- Review the incident and root causes
- Remediate with updated controls, training and policies
3. Preventative Controls
- Multi-factor authentication on all systems
- Encryption at rest and in transit
- Least-privilege access controls
- Regular staff phishing training
- Vendor and third-party risk assessments
- Secure link sharing: never put personal information, account identifiers or session tokens in URLs sent by email or SMS, and protect links to sensitive documents with an expiry date and an access control rather than relying on an unguessable URL
NDB Scheme vs GDPR: Key Differences
Many Australian businesses also need to comply with the EU's GDPR. Here's how the two regimes compare on breach notification:
| Feature | NDB Scheme (Australia) | GDPR (EU) |
|---|---|---|
| Notification deadline to regulator | As soon as practicable once there are reasonable grounds to believe an eligible breach occurred (a merely suspected breach gets up to 30 days of assessment first) | Without undue delay and, where feasible, within 72 hours of awareness |
| Trigger threshold | Likely serious harm | Risk to rights and freedoms |
| Individual notification | Required if serious harm likely | Required if high risk |
| Max penalty | A$50M / 30% turnover | €20M / 4% global turnover |
| Regulator | OAIC | National DPAs |
Recent Enforcement Trends
The OAIC has become significantly more active since 2022. High-profile incidents involving major Australian telcos, health insurers and retailers have led to Federal Court civil penalty proceedings, the first court-ordered penalties under the Privacy Act, class actions and ongoing investigations. Key trends include:
- Greater scrutiny of data retention practices: holding data longer than necessary is increasingly treated as an aggravating factor
- Focus on third-party and supply chain breaches
- Closer alignment with cyber security obligations under the Security of Critical Infrastructure Act 2018 (SOCI Act)
- Mandatory cyber incident reporting beyond privacy law: the Cyber Security Act 2024 introduced a separate obligation to report ransomware and cyber extortion payments to the Australian Government within 72 hours, so one incident can now trigger NDB, SOCI and ransomware-payment reports on different clocks
Practical Compliance Checklist
Use this checklist to gauge your NDB readiness:
- ☐ Documented and tested Data Breach Response Plan
- ☐ Privacy Officer appointed and trained
- ☐ Up-to-date data inventory mapping personal information
- ☐ Vendor contracts with breach notification clauses
- ☐ Cyber insurance with regulatory response coverage
- ☐ Annual privacy and security training for all staff
- ☐ Established channels for receiving and triaging incident reports
- ☐ Pre-drafted notification templates for OAIC and individuals
- ☐ Penetration testing and vulnerability assessments at least annually
- ☐ Encryption of personal information at rest and in transit
What's Coming Next: Privacy Act Reforms
The Australian Government accepted, or accepted in principle, the majority of the recommendations in the Privacy Act Review Report. The first tranche was enacted in the Privacy and Other Legislation Amendment Act 2024, which introduced a statutory tort for serious invasions of privacy (in force since June 2025), tiered civil penalties and infringement notices, a Children's Online Privacy Code to be developed by the OAIC, and privacy-policy transparency requirements for automated decision-making that commence in December 2026. Reforms still expected in a later tranche include:
- Removal of the small business exemption
- A direct right of action for individuals
- Stricter substantive requirements around automated decision-making, beyond the transparency obligations already legislated
- A 72-hour notification window replacing or shortening the 30-day assessment period
Organisations should monitor these developments and begin preparing now, particularly small businesses that may lose their current exemption.
Frequently Asked Questions
1. How quickly do I need to report a data breach to the OAIC in Australia?
You must notify "as soon as practicable" once you have reasonable grounds to believe an eligible data breach has occurred. If you only suspect one, you have up to 30 calendar days to assess whether it qualifies, and the clock starts when you become aware of the grounds for suspicion, not when the assessment is assigned. In practice, the OAIC expects rapid action; waiting the full 30 days without justification can attract scrutiny.
2. Does the NDB scheme apply to small businesses?
Generally, businesses with annual turnover under A$3 million are exempt — but there are major carve-outs. Small businesses must comply if they handle health information, trade in personal information, hold Tax File Numbers, or are contracted service providers to the Commonwealth. The exemption is also under review and likely to be removed.
3. What's the maximum penalty for breaching the NDB scheme?
Since December 2022, the maximum penalty for a body corporate for a serious interference with privacy (originally "serious or repeated"; the 2024 amendments removed "repeated") is the greater of A$50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach turnover period. Individuals face penalties up to A$2.5 million.
4. Do I need to notify if the data was encrypted?
Encryption is highly relevant to the "likely serious harm" test. If the personal information was encrypted with a strong, current algorithm and the key was not compromised, a reasonable person may conclude serious harm is unlikely, meaning notification may not be required. The assessment has to cover the key, not just the ciphertext: if the attacker obtained the key (because it sat on the same compromised server, or the application decrypted records for them through a stolen session), encryption at rest provided no protection. Document the assessment, including how you established the key was safe, and the basis for your decision.
5. What's the difference between a data breach and an eligible data breach?
A data breach is any unauthorised access, disclosure or loss of personal information. An eligible data breach is one that is also likely to result in serious harm and where remedial action hasn't eliminated that risk. Only eligible data breaches trigger mandatory notification under the NDB scheme — but all breaches should still be logged, investigated and remediated internally.
Final Thoughts
The Australian Data Breach Notification Scheme isn't just compliance bureaucracy — it's a framework that genuinely protects Australians and, when properly implemented, protects your organisation too. With penalties now reaching A$50 million and reforms on the horizon that will tighten obligations further, 2026 is the year to move from a reactive posture to a mature, well-rehearsed privacy program.
Start with the basics: know what data you hold, who can access it, how it's protected, and what you'll do when (not if) something goes wrong. Document everything. Train your people. Test your plan. And review it every year — because the threat landscape, and the law, will keep evolving.