Back to Blog
LegalTech & IA

Australia's Notifiable Data Breaches Scheme: What You Need to Know (and Why You Should Care)

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
May 28, 2026
10 min read
Australia's Notifiable Data Breaches Scheme: What You Need to Know (and Why You Should Care)

What is the Notifiable Data Breaches (NDB) Scheme?

The NDB scheme, established under the Privacy Act 1988, requires organizations covered by the Act to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm. Think of it as a mandatory 'oops, we messed up' call—but with legal teeth.

If your business handles personal information and suffers a breach that could cause serious harm (like identity theft or financial loss), you must act fast. The clock starts ticking from the moment you become aware of the breach.

When Does the NDB Apply?

The scheme applies to all entities with existing obligations under the Privacy Act, including most businesses with an annual turnover of more than $3 million, health service providers, credit reporting bodies, and more. If you're not sure, check the OAIC's guidelines—ignorance is not a defense.

Serious harm is assessed based on the type of information compromised (e.g., health records, financial details) and the context. A leaked email address might not trigger notification, but a stolen database of credit card numbers likely will.

What Are Your Obligations?

If you suspect a breach, you must conduct a reasonable and expeditious assessment within 30 days. If it's likely to cause serious harm, you must notify the OAIC and affected individuals as soon as practicable. Failure to comply can result in fines up to $2.1 million for organizations or $420,000 for individuals.

But it's not just about fines—reputation damage can be far more costly. Customers expect you to protect their data, and a mishandled breach can erode trust faster than a bad Yelp review.

Under the NDB scheme, you must notify the OAIC and affected individuals as soon as practicable after becoming aware of a breach that is likely to result in serious harm. There is no fixed deadline, but delays can increase penalties.

Practical Steps for Compliance

  • Develop a data breach response plan before a breach occurs.
  • Train staff to recognize and report potential breaches immediately.
  • Conduct regular risk assessments and security audits.
  • Engage legal counsel to guide you through the notification process.

Remember, the NDB scheme is not just about punishment—it's about transparency. By notifying affected individuals, you give them a chance to protect themselves (e.g., changing passwords, freezing credit).

Real-World Example: The Optus Breach

In 2022, Optus suffered a massive breach affecting millions of customers. The OAIC investigated and later took legal action, highlighting the serious consequences of non-compliance. The case serves as a cautionary tale: even large organizations are not immune.

For more details, read the OAIC's official NDB scheme page.

FAQ

What types of data breaches must be reported?

Any breach that is likely to result in serious harm to affected individuals, such as identity theft, financial loss, or emotional distress. Examples include unauthorized access to health records, credit card numbers, or passport details.

What happens if I don't report a breach?

You may face fines up to $2.1 million for organizations or $420,000 for individuals, as well as reputational damage and potential civil lawsuits. The OAIC can also issue public statements naming your organization.

How do I assess if a breach is likely to cause serious harm?

Consider the type and sensitivity of the information, the context of the breach, and the likelihood of misuse. The OAIC provides a risk assessment tool to help guide your decision.

NDB Compliance Checklist

  • Identify if your organization is covered by the Privacy Act
  • Develop a data breach response plan
  • Train staff on breach identification and reporting
  • Conduct regular security audits
  • Establish a 30-day assessment process
  • Prepare notification templates for OAIC and individuals

Check off each item as you implement it.

NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.