facebook-pixel

Australian Data Breach Notification Scheme: Complete 2026 Guide

L
Lunyb Security Team
··10 min read

Data breaches have become an unavoidable reality for Australian organisations. From large-scale incidents at Optus and Medibank to smaller compromises affecting local businesses, the question is no longer if your organisation will face a security event, but when — and how you respond. That response is governed by the Notifiable Data Breaches (NDB) scheme, one of the most important pieces of privacy legislation in Australia.

This guide explains everything you need to know about the Australian Data Breach Notification Scheme in 2026: who it applies to, what counts as a notifiable breach, the timeline for reporting, the penalties for non-compliance, and the practical steps your organisation should take before, during, and after an incident.

What Is the Australian Data Breach Notification Scheme?

The Notifiable Data Breaches (NDB) scheme is a mandatory reporting framework established under Part IIIC of the Privacy Act 1988 (Cth). It requires eligible organisations to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm.

The scheme came into effect on 22 February 2018 and applies to any entity already bound by the Australian Privacy Principles (APPs). Its purpose is to give Australians timely information about breaches involving their personal information, so they can take steps to protect themselves — such as changing passwords, monitoring bank accounts, or requesting a new identity document.

Key legislation underpinning the scheme

  • Privacy Act 1988 (Cth) — the primary legislation.
  • Privacy Amendment (Notifiable Data Breaches) Act 2017 — introduced the NDB scheme.
  • Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 — significantly increased penalties.
  • Privacy and Other Legislation Amendment Act 2024 — introduced further reforms, including a statutory tort for serious invasions of privacy.

Who Must Comply with the NDB Scheme?

The NDB scheme applies to APP entities, which broadly includes:

  • Australian Government agencies (with limited exceptions).
  • Businesses and not-for-profits with an annual turnover of more than $3 million.
  • Private sector health service providers, regardless of turnover.
  • Credit reporting bodies and credit providers.
  • Tax File Number (TFN) recipients.
  • Businesses that trade in personal information or provide services under a Commonwealth contract.

Small businesses under the $3 million turnover threshold are generally exempt — but this exemption is under active review and is expected to be removed as part of ongoing Privacy Act reforms. Many small operators are already voluntarily complying to prepare for the change.

What Counts as an "Eligible Data Breach"?

An eligible data breach — the type that triggers notification obligations — has three components:

  1. Unauthorised access, unauthorised disclosure, or loss of personal information held by the entity.
  2. The access, disclosure, or loss is likely to result in serious harm to one or more individuals.
  3. The entity has not been able to prevent the likely risk of serious harm through remedial action.

Examples of eligible data breaches

  • A cyberattack that exfiltrates customer names, addresses, and identity documents.
  • A misconfigured cloud storage bucket exposing patient health records.
  • A lost or stolen laptop containing unencrypted employee tax file numbers.
  • An employee emailing a spreadsheet of client financial information to the wrong recipient.
  • Ransomware encrypting a database where evidence of exfiltration exists.

What is "serious harm"?

The Privacy Act does not exhaustively define serious harm, but the OAIC considers it to include:

  • Identity theft and financial fraud.
  • Physical harm or intimidation (e.g. disclosure of home addresses of at-risk individuals).
  • Psychological or emotional harm.
  • Reputational damage.
  • Significant financial loss.

Relevant factors include the kind and sensitivity of the information, whether it was encrypted, who might have obtained it, and the likelihood of misuse.

Notification Timeline and Process

Once an entity becomes aware there are reasonable grounds to suspect an eligible data breach may have occurred, a strict timeline kicks in.

The 30-day assessment window

Entities have 30 calendar days to carry out a reasonable and expeditious assessment to determine whether the incident is in fact an eligible data breach. If confirmed — or if reasonable grounds exist to believe it is one — notification must occur as soon as practicable.

Who must be notified?

  1. The OAIC — via the online Notifiable Data Breach form.
  2. Affected individuals — either directly (email, phone, letter) or, if direct notification is not practicable, via a public statement on the entity's website and reasonable steps to publicise it.

What the notification must contain

  • The identity and contact details of the entity.
  • A description of the data breach.
  • The kinds of information involved.
  • Recommended steps individuals should take in response.

Penalties for Non-Compliance in 2026

Penalties under the Privacy Act were dramatically increased in late 2022 following the Optus and Medibank breaches, and remain in force in 2026.

Entity TypeMaximum Penalty for Serious or Repeated Interference
Body corporateThe greater of: $50 million; or 3x the benefit derived from the misuse of information; or 30% of adjusted turnover during the breach period.
IndividualsUp to $2.5 million.
Mid-tier civil penalty (new tier)Up to $3.3 million for interferences with privacy that are not serious.
Low-tier / infringement noticesUp to $66,000 for administrative breaches.

Beyond financial penalties, the OAIC now has expanded powers to conduct assessments, issue compliance notices, and share information with other regulators such as ASIC and the ACCC.

Recent Enforcement Trends

The OAIC's most recent Notifiable Data Breaches Report shows notifications continuing to trend upward, with malicious or criminal attacks accounting for the majority of incidents. Health service providers, finance, insurance, and government remain the most-affected sectors.

Key enforcement trends in 2025-2026 include:

  • Increased scrutiny of data retention practices — organisations holding personal information longer than necessary are drawing OAIC attention.
  • Focus on third-party and supply chain breaches, where a vendor's compromise cascades to primary entities.
  • Class actions and representative complaints becoming a common follow-on from major breaches.
  • Greater regulator interest in identity verification practices and whether entities collected more information than they needed.

How to Prepare: A Practical Compliance Roadmap

Compliance with the NDB scheme is not just about reacting to incidents — it's about building the systems that make a proper response possible.

1. Know your data

Conduct and maintain a data inventory that answers: what personal information do we collect, where is it stored, who has access, how long do we keep it, and why? You cannot protect — or accurately report on — data you don't know you hold.

2. Minimise collection and retention

APP 3 (collection) and APP 11 (retention and destruction) require you to only collect information you reasonably need and to destroy or de-identify it when no longer required. Reducing your data footprint reduces breach impact.

3. Implement layered technical controls

  • Multi-factor authentication on all admin and remote-access accounts.
  • Encryption at rest and in transit for personal information.
  • Network segmentation to limit lateral movement.
  • Endpoint detection and response (EDR) tooling.
  • Regular patching and vulnerability management.
  • Encrypted DNS and private browser configurations for staff handling sensitive workflows.

4. Reduce link-based risks

Phishing and malicious links remain the number-one initial access vector. Educate staff, deploy email filtering, and when sharing external links (for campaigns, customer communications, or partner portals) use a reputable link management platform with HTTPS, analytics, and abuse controls — such as Lunyb — so you can monitor click behaviour and quickly disable a link if it is compromised. For a broader comparison of options, see our 2026 URL shorteners buyer's guide.

5. Write and rehearse a Data Breach Response Plan

The OAIC expects every APP entity to have a documented plan. It should cover:

  1. Containment — immediate steps to stop the breach.
  2. Assessment — a structured process to determine whether the breach is notifiable within the 30-day window.
  3. Notification — templates for OAIC and individual notifications.
  4. Review — a post-incident process to prevent recurrence.

Test the plan at least annually via tabletop exercises involving legal, IT, communications, and executive stakeholders.

6. Manage third-party risk

Contracts with vendors that handle personal information should include breach notification clauses requiring the vendor to inform you promptly enough to meet your own 30-day obligation.

Common Mistakes Organisations Make

  • Starting the clock too late. The 30-day assessment window starts when you become aware of the possibility of a breach, not when you confirm it.
  • Under-notifying. When in doubt, notify. The OAIC has publicly criticised entities that took an overly narrow view of "serious harm."
  • Poor communication with affected individuals. Notifications that are vague, jargon-heavy, or buried on a website erode trust and attract regulatory scrutiny.
  • Ignoring the root cause. A breach caused by a known unpatched vulnerability or an untrained employee will attract far harsher regulatory treatment.
  • Forgetting about paper records and legacy systems. The scheme applies to personal information in any format.

How the NDB Scheme Compares to Other Frameworks

FeatureAustralia (NDB)EU (GDPR)New Zealand (Privacy Act 2020)
Notification thresholdLikely to result in serious harmRisk to rights and freedomsLikely to cause serious harm
Regulator notification deadlineAs soon as practicable (after up to 30-day assessment)Within 72 hoursAs soon as practicable
Individual notificationRequired if serious harm likelyRequired if high riskRequired if serious harm likely
Max corporate penaltyUp to $50m or 30% of turnoverUp to €20m or 4% of global turnoverNZ$10,000 per offence

Looking Ahead: Reform in 2026 and Beyond

The Australian Government's response to the Privacy Act Review continues to roll out in tranches. Reforms already legislated or being drafted include:

  • Removal or narrowing of the small business exemption.
  • A new statutory tort for serious invasions of privacy, allowing individuals to sue directly.
  • Stricter rules on automated decision-making and children's privacy.
  • A "fair and reasonable" test overlaying all personal information handling.
  • Expanded OAIC powers, including new civil penalty tiers.

Organisations that treat NDB compliance as the floor rather than the ceiling will be best positioned as the regime tightens.

Frequently Asked Questions

Do I have to notify the OAIC if the data was encrypted?

Not necessarily. If the personal information was strongly encrypted, the encryption keys were not compromised, and there is no realistic pathway to decryption, the breach may not be "likely to result in serious harm." Document your reasoning carefully — the OAIC expects entities to be able to justify a decision not to notify.

What happens if I miss the 30-day assessment window?

Failing to complete the assessment within 30 days is itself a breach of the Privacy Act. If you can't finish in time, you should still notify the OAIC of the situation and continue the assessment. Delays combined with a genuine eligible breach can attract civil penalties and formal investigation.

Does the NDB scheme apply to small businesses?

Currently, businesses with turnover under $3 million are largely exempt, with some exceptions (health providers, TFN recipients, credit providers, and businesses trading in personal information). However, this exemption is expected to be removed as part of ongoing Privacy Act reforms, so small operators should start preparing now.

Can we be sued by individuals as well as fined by the regulator?

Yes. In addition to OAIC enforcement action, individuals may lodge complaints with the OAIC and, following the 2024 reforms, may soon be able to bring direct legal action under the new statutory tort for serious invasions of privacy. Class actions following major breaches are also increasingly common.

Where can I report a data breach or read the official guidance?

Notifications and detailed guidance are available on the OAIC website (oaic.gov.au). The OAIC publishes a quarterly Notifiable Data Breaches Report which is valuable reading for benchmarking your own posture.

Final Thoughts

The Australian Data Breach Notification Scheme is more than a compliance checkbox — it is a public commitment to treating personal information as something worth protecting. In 2026, with penalties reaching tens of millions of dollars, expanding individual rights of action, and community expectations at an all-time high, organisations that invest in prevention, preparation, and transparent response will not only avoid enforcement action but also build lasting customer trust. The best time to prepare for a data breach was before the last one; the second-best time is today.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles