facebook-pixel

Australian Data Breach Notification Scheme: Complete 2026 Guide

L
Lunyb Security Team
··11 min read

Since February 2018, Australian organisations have operated under one of the most consequential privacy reforms in the country's history: the Notifiable Data Breaches (NDB) scheme. Administered by the Office of the Australian Information Commissioner (OAIC), the scheme creates a legal duty to notify affected individuals and the regulator whenever a data breach is likely to cause serious harm. With penalties dramatically increased in 2022 and further reforms rolling out under the Privacy Act review, understanding your obligations has never been more important.

This guide breaks down the Australian Data Breach Notification Scheme in plain English, covering who it applies to, what counts as an eligible breach, notification timelines, and the practical steps your organisation should take before, during, and after an incident.

What Is the Australian Data Breach Notification Scheme?

The Notifiable Data Breaches scheme is a mandatory reporting framework established under Part IIIC of the Privacy Act 1988 (Cth). It requires regulated entities to notify affected individuals and the OAIC when a data breach is likely to result in serious harm to one or more individuals whose personal information is involved.

The scheme replaced Australia's previous voluntary notification model and aligns the country more closely with international frameworks such as the EU's GDPR. Its core objective is to give individuals a fair chance to protect themselves — by changing passwords, watching for fraud, or contacting banks — after their data is exposed.

Who Must Comply?

The NDB scheme applies to all entities already covered by the Australian Privacy Principles (APPs), including:

  • Australian Government agencies
  • Businesses and not-for-profits with an annual turnover of more than A$3 million
  • Private sector health service providers (regardless of turnover)
  • Credit reporting bodies and credit providers
  • Tax File Number (TFN) recipients
  • Entities that trade in personal information
  • Certain small businesses that opt in or are specifically listed

Overseas organisations that carry on business in Australia and collect personal information from Australians are also captured, even if they have no physical presence in the country.

What Counts as an "Eligible Data Breach"?

An eligible data breach — the trigger for notification — occurs when three conditions are met simultaneously.

  1. There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by the entity.
  2. The access, disclosure or loss is likely to result in serious harm to one or more of the individuals to whom the information relates.
  3. The entity has been unable to prevent the likely risk of serious harm through remedial action.

If remedial action successfully removes the likelihood of serious harm — for example, recovering a lost device before data can be accessed, or remotely wiping it — no notification is required.

What Is "Serious Harm"?

The Privacy Act does not define "serious harm" exhaustively, but the OAIC's guidance identifies several categories:

  • Physical harm — threats to safety, particularly for domestic violence survivors or protected persons
  • Financial harm — identity theft, fraud, unauthorised transactions
  • Psychological or emotional harm — distress, humiliation, damage to relationships
  • Reputational harm — damage to standing, particularly through exposure of sensitive information

Whether harm is "likely" is assessed objectively from the perspective of a reasonable person in the entity's position, considering the sensitivity of the data, security protections in place, who obtained the information, and the nature of the harm that could result.

Notification Timelines and Process

The NDB scheme imposes strict timeframes. Organisations must act quickly once they become aware of a suspected breach.

The 30-Day Assessment Window

If an entity has reasonable grounds to suspect that an eligible data breach may have occurred, it must carry out a reasonable and expeditious assessment within 30 calendar days. The assessment should establish whether an eligible breach has in fact occurred.

The OAIC expects entities to take all reasonable steps to complete the assessment as quickly as possible — 30 days is a maximum, not a target.

Notifying the OAIC and Affected Individuals

Once an entity has reasonable grounds to believe an eligible data breach has occurred, it must prepare a statement and notify the Commissioner "as soon as practicable". There is no fixed hour deadline (unlike the GDPR's 72-hour rule), but delays without justification can attract regulatory action.

The statement must include:

  • The identity and contact details of the entity
  • A description of the breach
  • The kinds of information involved
  • Recommended steps individuals should take in response

Affected individuals must then be notified using one of three methods:

  1. Option 1: Notify all individuals whose personal information was involved
  2. Option 2: Notify only those individuals at likely risk of serious harm
  3. Option 3: If neither option is practicable, publish the statement on the entity's website and take reasonable steps to publicise it

Penalties for Non-Compliance

Penalties under the Privacy Act were substantially strengthened by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, passed in the wake of the Optus and Medibank breaches.

Breach TypeMaximum Penalty (Body Corporate)
Serious or repeated interference with privacyThe greater of A$50 million, three times the value of any benefit obtained, or 30% of adjusted turnover during the breach period
Individual (non-corporate) offendersUp to A$2.5 million
Failure to comply with OAIC noticesCivil penalties plus enforceable undertakings

Beyond monetary penalties, the OAIC has powers to issue infringement notices, accept enforceable undertakings, seek injunctions, and publish determinations that can cause significant reputational damage.

Common Causes of Notifiable Breaches in Australia

The OAIC publishes a Notifiable Data Breaches Report every six months. The consistent themes across recent reports paint a clear picture of where Australian organisations are most vulnerable.

Malicious or Criminal Attacks

Cyber incidents — including phishing, ransomware, compromised credentials, and hacking — account for the majority of reported breaches. Phishing that harvests employee credentials remains the single most common attack vector, followed closely by ransomware campaigns targeting Australian businesses.

Human Error

Roughly one-quarter to one-third of reported breaches stem from human error, including:

  • Emails sent to the wrong recipient
  • Personal information disclosed to the wrong person over the phone
  • Unauthorised disclosure via unintended release or publication
  • Loss of paperwork or storage devices

System Faults

A smaller but persistent category involves technical faults — misconfigured databases, permission errors, and software bugs that unintentionally expose data.

Preparing Your Organisation: A Practical Checklist

Compliance with the NDB scheme is not just about reacting to incidents. It is about building the systems, culture, and documentation that make a compliant response possible.

1. Build a Data Breach Response Plan

Every regulated entity should have a written Data Breach Response Plan. At a minimum, it should define:

  • Roles and responsibilities (response team lead, legal, comms, IT/security)
  • Escalation triggers and internal reporting channels
  • Assessment procedures and documentation requirements
  • Templates for OAIC notifications and individual notifications
  • Post-incident review processes

2. Map Your Personal Information Holdings

You cannot protect — or accurately notify about — data you don't know you hold. Maintain a data inventory covering what personal information you collect, where it is stored, who has access, and how long it is retained.

3. Strengthen Technical Controls

Core controls that materially reduce breach risk and support the OAIC's expectations under APP 11 include:

  • Multi-factor authentication (MFA) for all remote and administrative access
  • Encryption of data at rest and in transit
  • Regular patching aligned with the ACSC Essential Eight
  • Network segmentation and least-privilege access
  • Encrypted DNS, secure email gateways, and phishing-resistant authentication
  • Logging, monitoring, and endpoint detection and response (EDR)

4. Train Your People

Because human error and phishing dominate breach causes, regular, role-specific training is a legal and commercial necessity. Include simulated phishing tests and clear reporting channels so staff feel safe raising suspected incidents.

5. Manage Third-Party Risk

A breach at a supplier can still be your notifiable breach. Contracts should require prompt notification, allow security assessments, and clarify who notifies the OAIC when data is jointly held.

This includes seemingly minor tools such as marketing platforms, analytics providers, and link management services. If you use short links in customer communications or campaigns, choose a provider like Lunyb that offers HTTPS by default, transparent analytics, and clear data handling — so a small utility never becomes a large privacy problem.

Reporting a Breach to the OAIC: Step by Step

When you have determined that an eligible data breach has occurred, the notification process follows a defined sequence.

  1. Contain the breach. Stop the ongoing exposure — disable compromised accounts, isolate affected systems, recover lost devices.
  2. Assess the scope. Identify the personal information involved, the individuals affected, and the likely consequences.
  3. Consider remedial action. If you can eliminate the likelihood of serious harm, notification may not be required (but document your reasoning).
  4. Prepare the statement. Use the OAIC's online Notifiable Data Breach form. Include all mandatory fields.
  5. Submit to the OAIC. Lodge the notification as soon as practicable after forming the belief that an eligible breach occurred.
  6. Notify individuals. Use direct notification wherever practicable, with clear language and concrete recommended actions.
  7. Review and improve. Conduct a formal post-incident review and update controls, policies, and training.

How the NDB Scheme Compares Internationally

FeatureAustralia (NDB)EU (GDPR)New Zealand
Notification triggerLikely serious harmRisk to rights and freedomsLikely serious harm
Regulator deadlineAs soon as practicable72 hoursAs soon as practicable
Individual notificationRequired if serious harm likelyRequired if high riskRequired if serious harm likely
Maximum finesA$50M / 30% turnover€20M / 4% global turnoverNZ$10,000 (per offence)

Upcoming Reforms to Watch

The Privacy Act is undergoing its most significant overhaul since inception. Reforms flowing from the Attorney-General's Privacy Act Review Report — with tranches already passed and further legislation expected — will influence the NDB scheme in several ways:

  • A likely 72-hour hard deadline for notifying the OAIC, aligning with the GDPR
  • Expanded definitions of personal information (including technical identifiers)
  • Removal or narrowing of the small business exemption
  • New direct rights of action for individuals
  • Stronger obligations around security, data minimisation, and de-identification

Organisations should treat current compliance as a floor, not a ceiling, and build response capabilities that can adapt to shorter deadlines and broader scope.

Related Reading

If you're reviewing the tools that touch customer data as part of your privacy program, these guides may help:

Frequently Asked Questions

Do small businesses need to comply with the NDB scheme?

Businesses with an annual turnover of A$3 million or less are generally exempt from the Privacy Act, and therefore the NDB scheme. However, exceptions apply — health service providers, businesses that trade in personal information, credit providers, TFN recipients, and contractors to the Commonwealth are all captured regardless of turnover. Proposed reforms may remove the small business exemption entirely.

How quickly must I notify the OAIC after a breach?

You must notify "as soon as practicable" after you form a reasonable belief that an eligible data breach has occurred. There is currently no fixed hour-based deadline, but the OAIC expects prompt action and undue delay can attract enforcement. Reforms are expected to introduce a 72-hour deadline in line with international standards.

What if I'm not sure whether the breach is serious enough to notify?

You have up to 30 days to conduct a reasonable and expeditious assessment once you suspect an eligible breach may have occurred. Document your assessment carefully — the OAIC scrutinises decisions not to notify. If in doubt, seek legal advice or contact the OAIC informally for guidance.

Can I be penalised if a third-party supplier causes the breach?

Yes. Under APP 11, entities are responsible for the personal information they hold, including information held on their behalf by suppliers. If a supplier's failing leads to a breach of your customers' data, you are still generally the entity required to notify. Robust vendor management and contractual data protection clauses are essential.

Do I need to notify affected individuals overseas?

Yes. The NDB scheme applies to the personal information of any individual whose data you hold, regardless of their location. If they are at likely risk of serious harm, you must take reasonable steps to notify them, and you may also have obligations under overseas laws such as the GDPR if EU residents are involved.

Final Thoughts

The Australian Data Breach Notification Scheme is not merely a reporting obligation — it is a catalyst for stronger privacy governance across every sector. Organisations that invest in mapping their data, hardening their systems, training their people, and rehearsing their response will not only avoid penalties but will earn the trust that increasingly determines commercial success. With further reforms on the horizon and regulator expectations rising, now is the time to move from a reactive posture to a mature, well-documented privacy program.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles