
Australian Data Breach Notification Scheme: The Complete 2026 Guide

Lunyb Security Team · 10 min read

Australia's Notifiable Data Breaches (NDB) scheme is one of the most consequential privacy regulations facing Australian organisations today. Introduced in February 2018 as part of the Privacy Act 1988, it requires eligible entities to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to cause serious harm. With penalties now reaching AU$50 million for serious or repeated interferences with privacy, understanding your obligations has never been more important.

This guide breaks down exactly what the Australian data breach notification scheme covers, who it applies to, the strict timelines involved, and the practical steps your business should take before, during, and after a breach.

What Is the Australian Data Breach Notification Scheme?

The Notifiable Data Breaches (NDB) scheme is a mandatory reporting framework under Part IIIC of the Privacy Act 1988 (Cth). It requires organisations covered by the Australian Privacy Principles (APPs) to notify individuals and the OAIC whenever an "eligible data breach" occurs — that is, one likely to result in serious harm to any of the individuals whose personal information was compromised.

The scheme has three core objectives:

  1. Protect individuals by giving them timely notice so they can take steps to reduce harm.
  2. Improve transparency and accountability in how organisations handle personal data.
  3. Drive better security practices across Australian industry.

Who Must Comply?

The NDB scheme applies to all entities that already have obligations under the Australian Privacy Principles. This includes:

  • Australian Government agencies (excluding some intelligence agencies)
  • Businesses and not-for-profit organisations with an annual turnover of more than AU$3 million
  • Private sector health service providers (regardless of turnover)
  • Credit reporting bodies and credit providers
  • Tax File Number (TFN) recipients
  • Entities that trade in personal information (e.g. buy or sell customer lists)
  • Contracted service providers for Australian Government contracts

Small businesses under the AU$3 million threshold may still be caught if they fall into one of the specific categories above. Notably, amendments to the Privacy Act passed in December 2024 have signalled a phased removal of the small business exemption in future years, so businesses of all sizes should prepare.

What Counts as an Eligible Data Breach?

An eligible data breach occurs when three conditions are all met:

  1. There is unauthorised access, unauthorised disclosure, or loss of personal information held by the entity.
  2. The access, disclosure, or loss is likely to result in serious harm to one or more of the individuals to whom the information relates.
  3. The entity has not been able to prevent the likely risk of serious harm through remedial action.

Examples of Notifiable Breaches

  • A laptop containing unencrypted customer records is stolen
  • Employee credentials are phished and used to access a customer database
  • Medical records are emailed to the wrong recipient
  • A ransomware attack exfiltrates personal identifiers, financial data, or health information
  • Cloud storage is misconfigured and left publicly accessible

What Is "Serious Harm"?

Serious harm is not defined exhaustively in the Act, but the OAIC considers factors including:

  • The type and sensitivity of the information (health, financial, government identifiers are high-risk)
  • Whether the data is protected by security measures like encryption
  • The persons or kinds of persons who could obtain the information
  • The likelihood of identity theft, financial loss, physical harm, reputational damage, or psychological harm

Notification Timelines and Requirements

Speed matters under the NDB scheme. The core timelines are strict, and failure to meet them exposes your organisation to enforcement action.

Stage                       | Timeframe                                                 | Requirement
----------------------------|-----------------------------------------------------------|--------------------------------------------------------------------------------------------
Suspected breach identified | Immediately                                               | Begin containment and preliminary assessment
Assessment period           | Within 30 calendar days                                   | Reasonable and expeditious assessment to determine if it is an eligible data breach
Notification to OAIC        | As soon as practicable after determining eligible breach  | Submit statement via OAIC's online Notifiable Data Breach form
Notification to individuals | As soon as practicable                                    | Direct notice to affected individuals, or public statement if direct notice is not practicable

What Must the Notification Include?

Under section 26WK of the Privacy Act, your statement to the OAIC and affected individuals must contain:

  • The identity and contact details of your organisation
  • A description of the eligible data breach
  • The kinds of information involved
  • Recommended steps individuals should take in response (for example, changing passwords, monitoring accounts, requesting new identity documents)

Penalties for Non-Compliance

The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 dramatically increased penalties for serious or repeated privacy interferences. For body corporates, the maximum civil penalty is now the greater of:

  • AU$50 million; or
  • Three times the value of the benefit obtained from the misuse of information; or
  • 30% of the entity's adjusted turnover during the relevant period

The OAIC also has enhanced information-gathering, assessment, and infringement notice powers. Beyond fines, reputational damage from a public breach notice — and potential class actions from affected individuals — can be even more costly.

Step-by-Step: Responding to a Data Breach

The OAIC recommends a four-step response framework. Every Australian organisation should embed these steps into a written data breach response plan.

Step 1: Contain

  1. Isolate affected systems from the network
  2. Revoke or reset compromised credentials
  3. Preserve evidence for forensic analysis (do not wipe machines prematurely)
  4. Engage your incident response team and external counsel

Step 2: Assess

  1. Identify what personal information was involved and how many individuals are affected
  2. Determine the cause of the breach
  3. Assess the likelihood of serious harm, considering the sensitivity of the data and the parties who may have accessed it
  4. Document your assessment methodology and conclusions — the OAIC may request this

Step 3: Notify

  1. If the breach is eligible, prepare the statement required under section 26WK
  2. Submit to the OAIC via the Notifiable Data Breach form
  3. Notify affected individuals directly (email, SMS, or post) where practicable
  4. If direct notice is not practicable, publish the statement on your website and take reasonable steps to publicise it

Step 4: Review

  1. Conduct a post-incident review to identify root causes
  2. Update policies, staff training, and technical controls
  3. Update your data breach response plan based on lessons learned
  4. Consider whether to notify additional regulators (e.g. ASIC, APRA, ASD's ACSC, or state health authorities)

Building a Data Breach Response Plan

Having a written, tested response plan is arguably the single most important compliance investment. A strong plan should include:

  • Roles and responsibilities: Named response team including executive sponsor, privacy officer, IT/security lead, legal counsel, and communications
  • Escalation triggers: Clear criteria for when incidents move up to formal response
  • Assessment templates: Pre-built worksheets aligned to the section 26WE eligible breach test
  • Notification templates: Draft language for the OAIC form and individual notices
  • Contact lists: External forensic providers, cyber insurers, PR firms, regulators
  • Testing schedule: Annual tabletop exercises to validate the plan

Reducing Breach Risk: Practical Safeguards

Prevention is far cheaper than notification. Australian organisations should focus on foundational security controls that repeatedly appear in OAIC breach reports.

Technical Controls

  • Multi-factor authentication on all remote access and privileged accounts
  • Encryption of personal information at rest and in transit
  • Timely patching, aligned to the Australian Signals Directorate's Essential Eight
  • Network segmentation and least-privilege access
  • Endpoint detection and response tooling
  • Encrypted DNS and private browsing tools for staff handling sensitive data
  • Regular, tested offline backups

Organisational Controls

  • Data minimisation — only collect and retain what you actually need
  • Documented retention and secure destruction schedules
  • Vendor due diligence for third parties handling personal information
  • Regular phishing simulations and staff privacy training
  • Clear policies on the use of shortened or redirect links in marketing and internal communications — reputable providers such as Lunyb offer analytics and click-fraud protection that reduce phishing risks associated with unbranded short links

If you use link shorteners as part of customer-facing campaigns, transparency matters: recipients should be able to trust that a link leads where it claims. For more on choosing a trustworthy provider, see our 2026 buyer's guide to URL shorteners and our honest review of Lunyb.

How the NDB Scheme Compares to Other Regimes

Feature                  | Australia (NDB)                                  | EU (GDPR)                    | New Zealand (Privacy Act 2020)
-------------------------|--------------------------------------------------|------------------------------|--------------------------------
Notification trigger     | Likely serious harm                              | Risk to rights and freedoms  | Likely serious harm
Regulator deadline       | As soon as practicable (assessment within 30 days) | 72 hours                   | As soon as practicable
Individual notification  | Required if eligible                             | Required if high risk        | Required if serious harm likely
Maximum penalty          | AU$50m / 30% turnover                            | €20m / 4% global turnover    | NZ$10,000 (individual offences)
Small business exemption | Yes (being phased out)                           | No                           | No

Recent Trends in OAIC Breach Reports

The OAIC publishes six-monthly Notifiable Data Breaches reports. Consistent themes have emerged since 2018:

  • Malicious or criminal attacks account for roughly two-thirds of notified breaches, with phishing and compromised credentials leading the pack
  • Human error — such as sending personal information to the wrong recipient — remains a stubborn source of breaches
  • Health service providers, finance, and government are the most frequently notifying sectors
  • Contact details, identity information, and financial details are the most commonly compromised data types

These trends should inform where you invest your privacy and security budget.

Looking Ahead: Privacy Act Reform

The Australian Government's Privacy Act Review response, followed by the Privacy and Other Legislation Amendment Act 2024, has kicked off the most significant privacy reform in a generation. Key developments to watch include:

  • A statutory tort for serious invasions of privacy (commencing 2025)
  • New criminal offences for doxxing
  • Greater transparency obligations for automated decisions
  • Expected removal of the small business exemption in later tranches
  • Expanded OAIC enforcement powers, including infringement notices for less serious breaches

Organisations should treat the NDB scheme as a floor, not a ceiling. Building strong privacy governance now will pay dividends as obligations expand.

Frequently Asked Questions

Do I have to notify the OAIC if I resolve a breach quickly?

If you take remedial action before the breach results in likely serious harm — for example, recovering a lost device before the data is accessed — then it is not an eligible data breach and notification is not required. You should still document your assessment and remediation. If serious harm was likely at any point that you could not prevent, notification is required.

What is the difference between an incident, a data breach, and an eligible data breach?

A security incident is any event that potentially affects the confidentiality, integrity, or availability of information. A data breach specifically involves unauthorised access, disclosure, or loss of personal information. An eligible data breach is a data breach that meets the section 26WE test — likely to result in serious harm and not remediated. Only eligible data breaches trigger mandatory notification.

How long do I have to assess a suspected breach?

The Privacy Act requires you to complete your assessment within 30 calendar days of becoming aware of reasonable grounds to suspect an eligible breach may have occurred. If you finish sooner and confirm it is eligible, you must notify as soon as practicable — you cannot use the full 30 days as a buffer.
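The three-limb eligibility test, the remediation exception described in the first FAQ above, and the 30-calendar-day assessment window can be tracked in a simple tool so that an incident register flags overdue assessments and eligible breaches consistently. The following is an added example written for this guide, not code from the article or from Lunyb: the booleans are the assessor's own conclusions (the code does not judge "serious harm"), the 30-day count is plain calendar arithmetic from the date of awareness, and the incident scenarios and review date are constructed for illustration.

```python
# Added example (not from the article): a small NDB assessment tracker
# modelling the section 26WE test and the 30-calendar-day assessment window.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Part IIIC requires the assessment to be completed within 30 calendar days.
ASSESSMENT_WINDOW_DAYS = 30


@dataclass
class BreachAssessment:
    """One suspected breach, recorded against the three-limb eligibility test."""
    aware_on: date                        # day reasonable grounds to suspect a breach arose
    unauthorised_event: bool              # unauthorised access, disclosure, or loss of personal info
    serious_harm_likely: bool             # assessor's conclusion: serious harm likely to someone
    harm_prevented_by_remediation: bool   # remedial action removed the likelihood of serious harm
    determined_on: Optional[date] = None  # day the assessment concluded (None = still assessing)

    def assessment_deadline(self) -> date:
        """Last day on which the 30-day assessment may be completed."""
        return self.aware_on + timedelta(days=ASSESSMENT_WINDOW_DAYS)

    def is_eligible(self) -> bool:
        """All three conditions must hold for an eligible data breach."""
        return (self.unauthorised_event
                and self.serious_harm_likely
                and not self.harm_prevented_by_remediation)

    def triage(self, today: date) -> Dict[str, object]:
        """Return the current state and the next action for the response team."""
        deadline = self.assessment_deadline()
        days_left = (deadline - today).days
        if self.determined_on is None:
            if days_left < 0:
                state = "assessment_overdue"
                action = "Escalate: the 30-calendar-day assessment window has lapsed"
            else:
                state = "assessing"
                action = f"Complete the assessment; {days_left} calendar day(s) remain"
        elif self.is_eligible():
            # Eligible breaches are notified as soon as practicable, not at the deadline.
            state = "notify"
            action = "Prepare the s26WK statement; notify the OAIC and affected individuals"
        else:
            state = "not_eligible"
            action = "No notification required; retain the assessment and remediation record"
        return {"state": state, "deadline": deadline.isoformat(),
                "days_left": days_left, "action": action}


# Constructed scenarios (hypothetical dates and facts, for illustration only).
REVIEW_DATE = date(2026, 3, 6)

SCENARIOS = {
    # Unencrypted laptop with customer records stolen; harm assessed as likely.
    "stolen_laptop": BreachAssessment(
        aware_on=date(2026, 3, 1), unauthorised_event=True,
        serious_harm_likely=True, harm_prevented_by_remediation=False,
        determined_on=date(2026, 3, 5)),
    # Lost device recovered before any data was accessed: remediation exception.
    "recovered_device": BreachAssessment(
        aware_on=date(2026, 3, 1), unauthorised_event=True,
        serious_harm_likely=True, harm_prevented_by_remediation=True,
        determined_on=date(2026, 3, 2)),
    # Assessment opened in January and never concluded.
    "stalled_assessment": BreachAssessment(
        aware_on=date(2026, 1, 10), unauthorised_event=True,
        serious_harm_likely=False, harm_prevented_by_remediation=False),
    # Assessment still within its window.
    "in_progress": BreachAssessment(
        aware_on=date(2026, 3, 1), unauthorised_event=True,
        serious_harm_likely=False, harm_prevented_by_remediation=False),
}


def example_cases() -> Dict[str, Dict[str, object]]:
    """Triage every constructed scenario as at REVIEW_DATE."""
    return {name: case.triage(REVIEW_DATE) for name, case in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in example_cases().items():
        print(f"{name:20} {result['state']:20} deadline {result['deadline']}  {result['action']}")
```

The `state` values are deliberately coarse so they can drive a register or ticket workflow; the important design point is that a determination of eligibility moves straight to "notify" regardless of how many days remain, matching the FAQ's point that the 30 days are a ceiling on assessment, not a buffer before notification.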

Are cyber insurance payouts affected by NDB compliance?

Yes. Most Australian cyber insurance policies require prompt notification to the insurer and compliance with statutory notification obligations as a condition of cover. Late or non-notification under the NDB scheme can void portions of your policy, particularly regulatory defence and penalty coverage.

Does the NDB scheme apply to breaches involving overseas customers?

The scheme applies to personal information held by an APP entity, regardless of where the individual is located. If your Australian business holds personal information about overseas customers and suffers an eligible breach, you must notify those individuals as well as the OAIC. You may also have parallel obligations under overseas regimes such as the GDPR.

Final Thoughts

The Australian data breach notification scheme is more than a compliance checkbox — it is a framework designed to protect individuals and drive stronger security across the economy. With penalties climbing and reforms broadening the scope of obligations, every organisation handling personal information should have a documented response plan, trained staff, and layered technical controls in place today, not the day after a breach.

Preparation is what separates organisations that survive a breach with reputation intact from those that don't. Start with your response plan, test it regularly, and treat the NDB scheme as the minimum bar for how you protect the people who trust you with their data.
