Australia's Notifiable Data Breaches Scheme Explained

Australia's Notifiable Data Breaches (NDB) scheme sits in Part IIIC of the Privacy Act 1988 (Cth) and requires regulated entities to notify the OAIC and affected individuals when a data breach is likely to result in serious harm. The scheme has applied to breaches occurring on or after 22 February 2018.
For the full federal framework, see our overview of Australian data privacy laws.
Where the NDB scheme comes from and who it covers
The NDB scheme is contained in Part IIIC of the Privacy Act 1988 (Cth) and has applied to eligible data breaches occurring on or after 22 February 2018. It binds the same regulated population as the rest of the Act, described as APP entities. That group covers Australian Government agencies and private sector or not-for-profit organisations with an annual turnover of more than AUD 3 million. It also captures certain entities regardless of turnover, including private sector health service providers, credit reporting bodies, credit providers and recipients of tax file number information. The scheme attaches to personal information that the entity holds, so an organisation that outsources storage can still carry the obligation. The OAIC, headed by the Australian Information Commissioner, administers and enforces Part IIIC.
Watch out: the small business exemption that keeps many organisations under AUD 3 million outside the Privacy Act does not extend to the health and credit categories above, which are caught by the NDB scheme at any size.
What counts as an eligible data breach
Section 26WE defines an eligible data breach. There are three cumulative elements. First, there must be unauthorised access to or unauthorised disclosure of personal information held by the entity, or a loss of personal information in circumstances where unauthorised access or disclosure is likely to occur. Second, a reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to one or more of the individuals to whom the information relates. Third, the entity has not been able to prevent the likely risk of serious harm through remedial action. Only when all three are met is the breach eligible and the notification duties engaged. Common scenarios include a hacked database, a lost or stolen device holding customer records, or personal information sent to the wrong recipient.

The serious harm test and the section 26WG factors
The trigger for notification is whether a breach is likely to result in serious harm to an individual. The Act does not exhaustively define serious harm, but the OAIC explains it as covering serious physical, psychological, emotional, financial or reputational harm. Section 26WG sets out a non-exhaustive list of matters relevant to assessing the likelihood of serious harm. These include the kind or kinds of information involved and its sensitivity, whether the information was protected by security measures and the likelihood those measures could be overcome, the persons or kinds of persons who have obtained or could obtain the information, the nature of the harm that could result, and any other relevant matters. Whether a security technology was designed to make the information unintelligible or meaningless is also relevant. Sensitive information such as health records generally carries a higher risk of serious harm than information that is already public.
The 30-day assessment obligation
An entity does not always know straight away whether a breach is eligible. Section 26WH addresses that uncertainty. Where an entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach but is not yet aware of reasonable grounds to believe one has occurred, it must carry out a reasonable and expeditious assessment of whether the relevant circumstances amount to an eligible data breach. The entity must take all reasonable steps to ensure the assessment is completed within 30 calendar days after the day it became aware of those grounds for suspicion. The OAIC treats the 30 days as a maximum rather than a default timeframe, and expects entities to move faster where they can. Documenting the steps taken and the reasoning is important, because the assessment obligation is enforceable in its own right.
Watch out: the 30-day clock is for the assessment of whether a breach is eligible. Once an entity has reasonable grounds to believe an eligible data breach has occurred, the separate notification duty applies and runs on an "as soon as practicable" basis, not a fresh 30 days.
Preparing the statement and notifying the OAIC and individuals
When an entity has reasonable grounds to believe there has been an eligible data breach, section 26WK requires it to prepare a statement as soon as practicable and give a copy to the Commissioner. In practice this is done through the OAIC's online Notifiable Data Breach form. Section 26WK sets out what the statement must contain: the identity and contact details of the entity, a description of the eligible data breach, the kind or kinds of information concerned, and recommendations about the steps individuals should take in response. Section 26WL then governs notifying individuals, also as soon as practicable. The entity must take reasonable steps to notify the contents of the statement either to each individual to whom the information relates, or to each individual who is at risk of serious harm. If neither of those is practicable, the entity must publish a copy of the statement on its website and take reasonable steps to publicise its contents.

| Step | Provision | Timing |
|---|---|---|
| Assess a suspected eligible breach | s 26WH | All reasonable steps within 30 calendar days |
| Prepare statement and notify the Commissioner | s 26WK | As soon as practicable |
| Notify affected individuals (or publish) | s 26WL | As soon as practicable |
Exceptions, including remedial action
Part IIIC contains several exceptions. The most significant is the remedial action provision in section 26WF. If an entity takes remedial action before any serious harm is caused, and as a result a reasonable person would conclude the access, disclosure or loss is not likely to result in serious harm, then there is no eligible data breach and notification is not required. Examples the OAIC gives include recovering and deleting an email sent to the wrong person before it is opened, or relying on encryption of a high standard that prevents the unauthorised person from accessing the information. Other exceptions in Part IIIC address enforcement-related disclosures, situations where notification would prejudice an enforcement body, breaches affecting multiple entities so that one notification can suffice, and cases where the Commissioner declares that notification need not occur. These exceptions are read narrowly, and the burden is on the entity to show one applies.
Enforcement and penalties
The Commissioner can direct an entity to prepare a statement and notify, including under section 26WR where the Commissioner is aware of an eligible data breach the entity has not reported. Failures to assess or notify are interferences with privacy that the Commissioner can investigate and enforce. A serious interference with privacy attracts civil penalties under section 13G, with maximums for bodies corporate that can reach AUD 50 million, three times the benefit obtained, or 30 percent of adjusted turnover, whichever is greatest. The reach of these powers became concrete on 8 October 2025, when the Federal Court ordered Australian Clinical Labs to pay AUD 5.8 million, the first civil penalty under the Privacy Act. That total included AUD 4.2 million for failing to take reasonable steps to protect personal information, AUD 800,000 for failing to assess the breach within 30 days under section 26WH(2), and AUD 800,000 for failing to notify as soon as practicable under section 26WK(2).

Frequently Asked Questions
Which law contains Australia's Notifiable Data Breaches scheme?
The NDB scheme is set out in Part IIIC of the Privacy Act 1988 (Cth) and is administered by the OAIC. It has applied to eligible data breaches occurring on or after 22 February 2018.
Who has to comply with the NDB scheme?
APP entities must comply. That covers Australian Government agencies and organisations with annual turnover over AUD 3 million, plus health service providers, credit reporting bodies, credit providers and tax file number recipients regardless of turnover.
What is an eligible data breach?
Under section 26WE it is unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to an individual, where the entity has not prevented that risk through remedial action.
What is the serious harm test?
The test asks whether a reasonable person would conclude the breach is likely to result in serious harm to an individual. Section 26WG lists relevant factors, including the kind and sensitivity of the information and who has obtained it.
How long do you have to assess a suspected data breach in Australia?
Section 26WH requires a reasonable and expeditious assessment, with all reasonable steps taken to complete it within 30 calendar days of becoming aware of grounds to suspect an eligible data breach. The OAIC treats 30 days as a maximum.
When must you notify the OAIC and affected individuals?
As soon as practicable after forming reasonable grounds to believe an eligible data breach has occurred. The entity prepares a statement and gives it to the Commissioner under section 26WK, then notifies individuals under section 26WL.
What must a data breach statement include?
Section 26WK requires the entity's identity and contact details, a description of the eligible data breach, the kind or kinds of information concerned, and recommendations about the steps individuals should take in response.
Are there exceptions to notifying a data breach?
Yes. Under section 26WF, if remedial action is taken before any serious harm occurs so that a reasonable person would conclude serious harm is no longer likely, the breach is not eligible and notification is not required. Other exceptions cover enforcement bodies and multiple-entity breaches.
What are the penalties for failing to notify a data breach in Australia?
Failures are interferences with privacy. A serious interference attracts civil penalties under section 13G, with maximums up to AUD 50 million for bodies corporate. In October 2025 Australian Clinical Labs was ordered to pay AUD 5.8 million, the first civil penalty under the Privacy Act.
Sources and References
- Privacy Act 1988 (Cth), Part IIIC (Notifiable Data Breaches), ss 26WE-26WR (legislation.gov.au)
- OAIC, About the Notifiable Data Breaches scheme (oaic.gov.au)
- OAIC, Data breach preparation and response, Part 4: Notifiable Data Breach (NDB) Scheme (oaic.gov.au)
- OAIC, What is a notifiable data breach? (oaic.gov.au)
- OAIC, Report a data breach (Notifiable Data Breach form) (oaic.gov.au)
- OAIC, Australian Clinical Labs ordered to pay penalties (first civil penalty under the Privacy Act), 9 October 2025 (oaic.gov.au)