Australian Data Breach Notification Scheme: Complete 2026 Guide
The Australian Data Breach Notification Scheme — formally known as the Notifiable Data Breaches (NDB) scheme — is one of the most important pieces of privacy regulation Australian organisations must understand. Introduced in February 2018 as an amendment to the Privacy Act 1988, it created legally binding obligations for entities that suffer a data breach likely to result in serious harm to individuals. Following significant reforms in 2022 and further tightening in 2024–2025, penalties are now substantial and regulator scrutiny is at an all-time high.
This guide explains how the scheme works, who it applies to, what counts as a notifiable breach, the notification process, penalties for non-compliance, and practical steps your organisation can take to prepare.
What Is the Notifiable Data Breaches Scheme?
The Notifiable Data Breaches scheme is an Australian legal framework that requires covered entities to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm. It sits within Part IIIC of the Privacy Act 1988 (Cth) and is enforced by the OAIC.
The scheme has three core objectives:
- Protect individuals by giving them timely information so they can take protective action.
- Encourage entities to invest in stronger information security practices.
- Increase transparency and accountability around how personal information is handled in Australia.
Who Does the Scheme Apply To?
The NDB scheme applies to any entity that has existing obligations under the Australian Privacy Principles (APPs). This includes:
- Australian Government agencies
- Businesses and not-for-profit organisations with an annual turnover of more than AUD $3 million
- Private sector health service providers (regardless of turnover)
- Credit reporting bodies and credit providers
- Tax File Number (TFN) recipients
- Entities that trade in personal information
- Small businesses that opt in to the Privacy Act
Importantly, the 2024 Privacy Act reforms have signalled the eventual removal of the small business exemption, meaning many more organisations will fall within scope in coming years. Any business handling personal information should assume the scheme will apply and prepare accordingly.
What Is an "Eligible Data Breach"?
An eligible data breach — the trigger for mandatory notification — has three elements that must all be met:
- Unauthorised access, unauthorised disclosure, or loss of personal information held by the entity.
- The access, disclosure, or loss is likely to result in serious harm to one or more individuals.
- The entity has been unable to prevent that serious harm through remedial action.
"Serious harm" is not defined narrowly. It can include physical, psychological, emotional, financial, or reputational harm. The OAIC considers factors such as the type of information involved (health data, financial details, government identifiers), the sensitivity of that information, whether it is protected by encryption or other security measures, the persons who obtained the information, and the nature of the harm that could result.
Common Examples of Eligible Data Breaches
- A ransomware attack that exfiltrates customer records containing names, addresses, and Medicare numbers.
- An employee accidentally emailing a spreadsheet of client financial details to the wrong recipient.
- Loss of an unencrypted laptop or USB drive containing patient health records.
- Credential stuffing attacks against a customer portal resulting in account takeovers.
- Misconfigured cloud storage buckets that expose personal information publicly.
The 30-Day Assessment Window
When an entity suspects an eligible data breach may have occurred but is not certain, it must carry out a reasonable and expeditious assessment within 30 calendar days to determine whether the incident meets the threshold. This is one of the most misunderstood aspects of the scheme — the clock starts from the moment suspicion arises, not from confirmation.
During the assessment, entities should:
- Contain the breach and prevent further compromise.
- Gather facts about what happened, what information was involved, and who was affected.
- Evaluate the likelihood and severity of harm.
- Consider whether remedial action can reduce the risk of serious harm below the notification threshold.
- Document every step, decision, and rationale — the OAIC expects a clear audit trail.
Notification Requirements: What, When, and How
If an eligible data breach is confirmed, notification must occur "as soon as practicable". There is no fixed additional deadline after confirmation, but the OAIC interprets this strictly — delays of more than a few days without justification are viewed unfavourably.
What Must the Notification Contain?
Under section 26WK of the Privacy Act, the statement provided to the OAIC and affected individuals must include:
- The identity and contact details of the entity
- A description of the data breach
- The kinds of information involved
- Recommendations about the steps individuals should take in response
How to Notify Affected Individuals
Entities have three options:
- Notify each individual whose information was involved in the breach.
- Notify only those at likely risk of serious harm.
- Publish the notification on the entity's website and take reasonable steps to publicise it, where individual notification is not practicable.
Penalties Under the Scheme
Following the 2022 amendments passed in the wake of the Optus and Medibank breaches, penalties for serious or repeated interferences with privacy dramatically increased. As of 2026, maximum civil penalties for body corporates are the greater of:
- AUD $50 million; or
- Three times the value of any benefit obtained through the misuse of information; or
- 30% of the entity's adjusted turnover in the relevant period.
Individuals can face penalties of up to AUD $2.5 million. The OAIC also has expanded investigative and enforcement powers, including the ability to conduct assessments, issue infringement notices, and seek court orders.
Comparison: NDB Scheme vs. Other Global Frameworks
| Feature | Australia (NDB) | EU (GDPR) | UK (UK GDPR) |
|---|---|---|---|
| Notification threshold | Likely serious harm | Risk to rights and freedoms | Risk to rights and freedoms |
| Regulator notification deadline | As soon as practicable (30-day assessment) | 72 hours | 72 hours |
| Individual notification | Required if serious harm likely | Required if high risk | Required if high risk |
| Maximum penalty | AUD $50M / 30% turnover | €20M / 4% turnover | £17.5M / 4% turnover |
| Regulator | OAIC | National DPAs | ICO |
Practical Steps to Prepare Your Organisation
Compliance with the NDB scheme is not just about reacting to breaches — it is about building the capability to detect, assess, and respond quickly. Here is a practical roadmap.
1. Build a Data Breach Response Plan
Every covered entity should have a documented, tested response plan that identifies roles, escalation paths, communication templates, and decision authorities. The OAIC publishes a Data Breach Preparation and Response guide that outlines minimum expectations.
2. Know Your Data
You cannot protect or assess what you cannot see. Maintain an up-to-date data inventory that records what personal information you hold, where it lives, who has access, and how long it is retained. Data minimisation is your most effective risk-reduction lever.
3. Strengthen Access Controls and Encryption
Multi-factor authentication, least-privilege access, and encryption at rest and in transit are baseline expectations in 2026. Where personal information is protected by strong encryption and keys were not compromised, the risk of serious harm may be materially reduced.
4. Secure Third-Party and Link-Sharing Workflows
Many breaches originate from insecure sharing of documents and links. When distributing sensitive URLs — internal reports, portal invitations, or customer-facing pages — use tools that offer link expiration, password protection, and click analytics. Services like Lunyb allow Australian organisations to shorten and manage links with additional controls and audit visibility, which helps reduce the risk of accidental exposure. For a broader look at options, see our 2026 URL shortener buyer's guide.
5. Train Staff Regularly
Human error remains the leading root cause of breaches reported to the OAIC. Quarterly training, phishing simulations, and clear reporting channels for suspected incidents pay for themselves many times over.
6. Test the Plan
Tabletop exercises simulating realistic scenarios — a ransomware event, a lost device, a misdirected email to thousands of recipients — expose weaknesses before a real incident does.
Recent Trends in OAIC Reporting
The OAIC publishes six-monthly Notifiable Data Breaches Reports. Consistent themes over recent reporting periods include:
- Malicious or criminal attacks account for roughly two-thirds of reported breaches, with phishing and compromised credentials leading the list.
- Human error remains a significant contributor, particularly in health and finance sectors.
- Health service providers report the most breaches of any sector, followed by finance and government.
- The average time to identify and report incidents continues to be a focus area for regulator concern.
What Happens If You Fail to Notify?
Failing to notify an eligible data breach — whether through negligence, an inadequate assessment, or a deliberate decision — can constitute a serious interference with privacy. Consequences may include:
- Formal investigations and public determinations by the OAIC
- Civil penalty proceedings in the Federal Court
- Enforceable undertakings requiring remediation programs
- Reputational damage and loss of customer trust
- Class actions from affected individuals (an increasingly common outcome in Australia)
Looking Ahead: The Privacy Act Reforms
The Australian Government's staged reforms of the Privacy Act, progressing through 2025 and 2026, are expanding obligations further. Expected changes include a statutory tort for serious invasions of privacy, tighter rules on automated decision-making, stronger children's privacy protections, and — critically — likely removal of the small business exemption. Organisations that build strong breach preparedness now will find compliance with future obligations far less disruptive.
Frequently Asked Questions
Is there a strict 72-hour deadline like GDPR?
No. Australia's scheme requires notification "as soon as practicable" after an eligible breach is confirmed, with up to 30 days to assess a suspected breach. However, the OAIC increasingly expects notifications within days rather than weeks, and delays without justification can attract enforcement action.
Does encrypted data still require notification if breached?
Not automatically. If personal information is protected by strong encryption and the decryption keys were not compromised, the risk of serious harm may be low enough that notification is not required. Each case must still be assessed on its facts and documented.
Do small businesses need to comply with the NDB scheme?
Currently, most businesses with turnover under AUD $3 million are exempt, with exceptions for health providers, credit reporting entities, and businesses that trade in personal information. However, Privacy Act reforms are expected to remove this exemption, so small businesses should begin preparing now.
What is the difference between a data breach and an eligible data breach?
A data breach is any unauthorised access, disclosure, or loss of personal information. An eligible data breach is one that is likely to result in serious harm to individuals and cannot be remediated — only eligible breaches trigger the mandatory notification obligation.
Can we notify affected individuals before completing our full investigation?
Yes, and in many cases you should. If you have enough information to confirm an eligible breach and identify affected individuals, waiting to complete every forensic detail can worsen harm. You can provide interim notifications with the information available and update as more becomes known.
Conclusion
The Australian Data Breach Notification Scheme is a cornerstone of Australia's evolving privacy landscape, and with the 2022–2026 reforms it has real teeth. Organisations that treat compliance as a checkbox exercise face significant financial, legal, and reputational risk. Those that invest in proper data governance, response planning, staff training, and secure sharing tools not only meet their obligations but build the kind of trust that increasingly drives customer choice. Start with the fundamentals — know your data, protect it well, and be ready to respond decisively when something goes wrong.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
GDPR After Brexit: What Changed for UK Businesses in 2026
Brexit did not abolish GDPR in the UK — it created two parallel regimes. This guide explains what changed, from the UK GDPR and the Data (Use and Access) Act 2025 to international transfers, representatives, and enforcement trends in 2026.
Singapore PDPA vs GDPR: Key Differences Every Business Must Know
Singapore's PDPA and the EU's GDPR both protect personal data, but they differ sharply in scope, rights, penalties, and DPO rules. This guide breaks down the key differences and shows Singapore businesses how to comply with both frameworks in practice.
Bill C-27 Digital Charter: What Canadian Businesses Need to Know
Bill C-27, the Digital Charter Implementation Act, will overhaul Canadian privacy law with the CPPA, a new tribunal, and the Artificial Intelligence and Data Act (AIDA). Here's what businesses need to know about consent, penalties, and AI governance — and how to prepare before it comes into force.
UK Online Safety Act: What It Means for Your Privacy
The UK Online Safety Act reshapes how platforms handle harmful content and how your data is verified. Here's what it means for your privacy in 2026 — from age checks to encrypted messaging — and the practical steps British users can take to stay in control.