Notification thresholds, reporting deadlines and who must be told generate the strongest operator concern. Ownership, evidence and post-breach review appear less often publicly, but are recurring causes of delayed or ineffective responses.
What is a data breach response plan, and does my business actually need one?
A data breach response plan is the written, breach-specific runbook for suspected loss, unauthorised access or unauthorised disclosure of personal information. It tells the team how to contain the breach, start the Notifiable Data Breaches assessment, decide whether notification is legally required, communicate with affected people and review what failed. OAIC guidance says all entities should have a plan, although the NDB scheme itself applies to entities covered by the Privacy Act and certain small-business exceptions. Keep this plan linked to, but distinct from, the broader cyber incident response plan so the serious-harm assessment and notification mechanics are not buried inside a general technical playbook.
- Privacy Act-covered organisation or agency — Build the NDB assessment and OAIC and individual notification steps directly into the plan.
- small business with annual turnover of $3 million or less — Do not assume exemption: some small businesses are covered because of health services, trading in personal information, related-body status, credit reporting, tax file numbers or other statutory exceptions.
- business with a broader cyber incident response plan — Cross-reference technical containment and recovery, but retain a breach-specific privacy assessment, notification and communications runbook.
Every suspected loss, unauthorised access or unauthorised disclosure of personal information must be reported immediately to [privacy or breach-response role]. The organisation will activate this plan without waiting for proof of harm, contain and remediate the breach, assess whether it is an eligible data breach, make all required notifications and document the decision and response. No person may conceal, minimise or independently resolve a suspected data breach without reporting it.
What counts as an eligible data breach (the serious-harm test)?
Not every privacy mistake is an eligible data breach. The NDB threshold is met when personal information is accessed or disclosed without authority, or lost in circumstances where unauthorised access or disclosure is likely; serious harm to one or more people is likely; and effective remedial action has not prevented that likely harm. OAIC says likely means more probable than not and assesses the question objectively from the viewpoint of a reasonable person in the entity's position. Serious harm can be physical, psychological, emotional, financial or reputational, so the answer depends on the information, recipients, security protections, likely misuse and the people affected.
- Privacy Act-covered entity — Apply the three-part eligible-data-breach test and document the facts, risk analysis and remedial action.
- entity outside the NDB scheme — The statutory NDB notification test may not apply, but contractual, sector, state, overseas or voluntary notification duties may still apply.
- breach involving vulnerable people or sensitive information — Escalate quickly because identity, health, financial, family-violence and safety consequences can materially increase the likelihood and seriousness of harm.
The organisation will treat a breach as an eligible data breach when: (1) personal information has been accessed or disclosed without authority, or lost in circumstances where unauthorised access or disclosure is likely; (2) a reasonable person would conclude that serious harm to one or more affected individuals is likely; and (3) remedial action has not prevented that likely risk of serious harm. The assessment must consider the information involved, the circumstances and recipients, existing protections, likely misuse, affected individuals and all effective remedial action.
What are the four steps — contain, assess, notify, review?
OAIC organises a data breach response into four steps: contain, assess, notify and review. Containment stops further compromise without destroying evidence; assessment gathers facts, evaluates likely serious harm and tests whether remediation can prevent it. Notification means telling the OAIC and affected individuals when the breach is eligible, while review addresses root causes, control failures and lessons. The steps are not a slow sequence: OAIC says containment, assessment and notification may occur simultaneously or in quick succession, and immediate individual notification can sometimes be appropriate.
- cyber-enabled data breach — Run technical containment, forensic preservation and the privacy assessment in parallel rather than waiting for complete system recovery.
- human-error breach such as a misdirected email — Attempt recovery or deletion immediately, verify whether the recipient accessed or retained the information and assess whether remediation actually prevented likely serious harm.
The response will follow four connected steps: CONTAIN — stop further loss, access or disclosure while preserving evidence; ASSESS — establish the facts, affected information and people, likely serious harm and effectiveness of remedial action; NOTIFY — make all legally required and risk-reducing notifications as soon as practicable; REVIEW — identify root causes, correct control failures, record lessons and update this plan. These steps may run at the same time and must not be treated as approval gates that delay urgent action.
How fast must I act (the 30-day assessment and notification clocks)?
Act immediately; 30 days is a maximum assessment period, not a waiting period or a target. A covered entity that has reasonable grounds to suspect an eligible data breach must carry out a reasonable and expeditious assessment and take all reasonable steps to finish it within 30 calendar days after the day it became aware of the grounds or information causing the suspicion. Awareness can arise when appropriately senior or responsible personnel know enough to trigger suspicion, so the organisation should not wait for the chief executive or board. As soon as reasonable grounds to believe an eligible breach exist, the entity must notify affected individuals and the OAIC as soon as practicable rather than using the balance of the 30 days.
- Privacy Act-covered entity with a suspected eligible breach — Record the awareness date and time, begin the assessment promptly and treat 30 calendar days as the outer limit.
- entity that forms a reasonable belief before assessment is complete — Move to notification as soon as practicable; do not wait for day 30 or for every forensic question to be closed.
- organisation with multiple business units or outsourced providers — Require immediate central escalation because knowledge held by appropriate personnel can start the assessment obligation.
Suspected data breaches must be reported immediately. The Breach Lead must record when the organisation first became aware of the grounds or information causing suspicion and commence a reasonable and expeditious assessment. Where the NDB scheme applies, all reasonable steps must be taken to complete the assessment within 30 calendar days after that day. Thirty days is the maximum assessment period, not permission to delay. Once there are reasonable grounds to believe an eligible data breach occurred, required notifications must be made as soon as practicable.
Who do I have to tell, and how?
For an eligible data breach, a covered entity must provide a statement to the OAIC and notify the individuals at likely risk of serious harm as soon as practicable. The statement must identify the entity, describe the breach, identify the kinds of information involved and recommend practical protective steps. Depending on what is practicable, the entity may notify everyone whose information was involved, only those at likely risk of serious harm, or publish the statement on its website and take reasonable steps to publicise it when direct notification is impracticable. Also check separate duties to clients, insurers, law enforcement, cyber.gov.au, sector regulators, contractual partners and overseas regulators; none should be assumed to replace the NDB process.
- eligible data breach affecting identifiable individuals — Notify the OAIC and the people at likely risk of serious harm, using clear language and actionable recommendations.
- direct individual notification is impracticable — Publish the OAIC statement on the entity's website and take reasonable steps to bring it to the attention of people at risk.
- breach involving jointly held information or a service provider — Agree promptly which entity will assess and notify; ordinarily the entity with the most direct relationship is best placed, but all parties remain exposed if nobody acts.
When an eligible data breach is established, the organisation must provide the required statement to the OAIC and notify individuals at likely risk of serious harm as soon as practicable. The notification must state the organisation’s name and contact details, describe the breach, identify the kinds of information involved and recommend practical steps individuals should take. Communications must be accurate, in plain English, coordinated across affected entities and approved without delaying the statutory notification.
How does it interact with the Cyber Security Act and other reports?
The NDB scheme and the Cyber Security Act answer different questions and can operate at the same time. The NDB scheme is about personal information and likely serious harm; the Cyber Security Act ransomware rule is triggered when a covered reporting business entity makes, or becomes aware of, a ransomware payment connected to a cyber incident. The Act requires that payment report within 72 hours, even if the privacy assessment is still running, and imposes a civil penalty of 60 penalty units for non-compliance. A ransomware report, ACSC report, police report, insurer notice, critical-infrastructure report or sector-regulator report should be tracked as a separate obligation unless the relevant law expressly says otherwise.
- business carrying on business in Australia with previous-year annual turnover exceeding $3 million — If it makes or becomes aware of a ransomware payment connected to the incident, assess the Cyber Security Act reporting obligation immediately.
- responsible entity for a critical infrastructure asset covered by Part 2B of the Security of Critical Infrastructure Act — The ransomware payment reporting regime can apply independently of the ordinary turnover test.
- Privacy Act-covered entity affected by ransomware data theft — Run the 30-day NDB assessment and any 72-hour payment-reporting clock in parallel; one report does not automatically discharge the other.
The Breach Lead must maintain a reporting matrix for every incident. The matrix must separately assess the Privacy Act NDB scheme, the Cyber Security Act ransomware payment reporting obligation, the Security of Critical Infrastructure Act, sector-regulator rules, law-enforcement and cyber.gov.au reporting, cyber-insurance notice conditions, contracts and any overseas law. If a covered ransomware payment is made, or the organisation becomes aware that one was made on its behalf, the required report must be submitted within 72 hours while all other assessments continue.
Who owns it, and what must the plan contain?
Give one named breach lead authority to activate the plan, coordinate the assessment and keep the legal clocks visible, with an accountable executive as sponsor. The response team should draw on privacy, legal, cyber or IT, business operations, communications, customer service and records expertise, with external forensic, legal, identity-protection or media support available on short notice. The plan needs definitions, reporting and escalation routes, containment options, the serious-harm assessment method, notification decision authority, stakeholder and regulator contacts, templates, evidence preservation, documentation, post-breach review and backups for unavailable team members. Keep current contact details and state who can make urgent decisions outside normal hours.
- small business without dedicated privacy or security staff — Name the owner or senior manager as accountable sponsor and pre-arrange external legal, IT forensic, communications and insurance contacts.
- larger or regulated organisation — Use a multidisciplinary response team with explicit decision rights, alternates, escalation thresholds and board reporting.
- business using outsourced technology or data processors — Include contractual escalation contacts, evidence-access rights, joint assessment arrangements and notification responsibilities.
Plan Owner: [role]. Accountable Executive: [role]. The Plan Owner may activate the response team, direct containment and evidence preservation, obtain urgent professional advice, commence the NDB assessment and escalate notification decisions. The plan must identify primary and alternate contacts, decision authorities, after-hours escalation, assessment and notification procedures, communication templates, external advisers, recordkeeping requirements and post-breach review actions. Contact details and authorities must be kept current.
What evidence proves the plan works?
Evidence starts with a current approved plan, contact list and data-breach register, but it must also show what happened in practice. Keep the first-alert timestamp, containment and forensic records, affected-data and individual analysis, serious-harm assessment, remedial-action evidence, decision log, legal and regulator advice, copies of OAIC and individual notifications, vendor communications and the post-incident review. Test the plan with realistic exercises and retain scenarios, attendance, decisions, gaps and remediation owners. For an ISM-aligned environment, ASD calls for the broader cyber incident plan to be exercised at least annually; OAIC uses a risk-based test frequency for the breach plan.
- ISM-aligned organisation — Exercise the associated cyber incident response plan at least annually and retain evidence of findings and remediation.
- Privacy Act-covered entity — Document every suspected breach assessment and outcome, including why notification was or was not required.
- business dependent on third-party providers — Test whether providers can meet escalation, evidence, containment and joint-notification requirements within the legal clocks.
The organisation must retain a complete record of each suspected or confirmed data breach, including the initial report and awareness time, containment actions, evidence preserved, affected information and individuals, serious-harm assessment, remedial action, decisions and approvals, external advice, regulatory and individual notifications, communications, costs, root-cause review and corrective actions. Exercises must record the scenario, participants, decisions, delays, control gaps, assigned owners and completion of remediation.
The common mistakes and misconceptions?
The biggest timing error is treating the 30-day assessment period as permission to wait, especially while a business unit, provider or executive debates ownership. Other failures include assuming every breach must be notified, assuming no breach is notifiable without proven misuse, treating an attempted email recall as successful remediation, destroying evidence during containment and sending vague notifications with no useful protective steps. Businesses also lose time when vendor contracts do not assign assessment and notification responsibility, or when ransomware, insurer and sector reports are confused with the NDB process. A healthy plan encourages prompt reporting of honest mistakes; punishing or shaming reporters creates concealment risk and can turn a manageable breach into a larger one.
- multi-entity or outsourced service arrangement — Assign assessment, evidence access, decision rights and notification responsibilities in writing before a breach.
- business relying on a generic incident template — Add the NDB serious-harm test, awareness timestamp, 30-day outer limit, notification options and separate reporting matrix.
- workforce handling personal information manually — Use a no-concealment reporting culture, simple escalation route and controls that reduce address, attachment and recipient errors.
Thirty days is not a waiting period, proof of actual misuse is not required before serious harm can be likely, and an attempted recall or deletion request is not treated as successful remediation unless its effectiveness is established. Containment must preserve relevant evidence. Staff will not be disciplined merely for promptly reporting an honest mistake; concealment, delay, deliberate misuse or failure to cooperate may be handled separately under applicable workplace policies and law.
What's my next step?
Common misconceptions
- Every data breach must be reported to the OAIC and every affected person. VERIFIED
- The organisation may wait until day 30 before deciding whether to notify. VERIFIED
- The 30-day assessment clock starts only when the chief executive or board is told. VERIFIED
- An attempted email recall or request to delete the information automatically satisfies the remedial-action exception. INFERRED
- No notification is required unless there is proof the information has already been misused. INFERRED
- Small businesses are always exempt from the NDB scheme. VERIFIED
- The Cyber Security Act requires every ransomware attack to be reported within 72 hours even when no payment or benefit is provided. VERIFIED
- A ransomware payment report replaces any OAIC, critical-infrastructure, sector-regulator, insurer or contractual report. INFERRED
- If a service provider caused the breach, the customer organisation can wait for the provider to decide whether anyone must be notified. INFERRED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| NDB suspected-breach assessment | Office of the Australian Information Commissioner | A Privacy Act-covered entity has reasonable grounds to suspect that an eligible data breach may have occurred and is not yet aware of reasonable grounds to believe it occurred. | Take all reasonable steps to complete a reasonable and expeditious assessment within 30 calendar days after the day the entity became aware of the grounds or information causing the suspicion. | |
| NDB statement to the Commissioner | Office of the Australian Information Commissioner | A Privacy Act-covered entity has reasonable grounds to believe an eligible data breach occurred and no exception applies. | As soon as practicable after forming the reasonable belief. | |
| NDB notification to individuals | Office of the Australian Information Commissioner | An eligible data breach is likely to result in serious harm to one or more individuals and no exception applies. | As soon as practicable; notify under an available statutory option or, if direct notification is impracticable, publish the statement and take reasonable steps to publicise it. | |
| Cyber Security Act ransomware payment report | Department of Home Affairs and Australian Signals Directorate as the designated Commonwealth body unless otherwise prescribed | A reporting business entity makes, or becomes aware that another entity made on its behalf, a payment or benefit directly related to an extortion demand arising from a cyber security incident. | Within 72 hours of making the ransomware payment or becoming aware it was made, whichever applies. | Civil penalty: 60 penalty units. |
| APP 11 security of personal information | Office of the Australian Information Commissioner | An APP entity holds personal information. | Ongoing while the information is held, including reasonable preparation for and response to data breaches. | |
| ISM annual cyber incident response exercise | Australian Signals Directorate, Australian Cyber Security Centre | An organisation applies the Information Security Manual control for its cyber security incident management policy and associated response plan. | At least annually. |
Sources
- Part 2: Preparing a data breach response plan primary
- Part 3: Responding to data breaches – four key steps primary
- Part 4: Notifiable Data Breach (NDB) Scheme primary
- When to report a data breach primary
- Report a data breach primary
- Quick reference guide for responding to data breaches primary
- Purpose and structure of the data breach preparation and response guide primary
- OAIC launches new dashboard for data breaches primary
- Notifiable Data Breaches Report: January to June 2024 primary
- Cyber Security Act 2024 primary
- Cyber Security (Ransomware Payment Reporting) Rules 2025 primary
- Guidelines for cyber security incidents primary
- Important information sent to wrong email address – how screwed am I? forum
- You may bring a Support Person – FINAL UPDATE forum
- Ticketek data breach forum
- Fell for a phishing email and got hacked. Will I be fired? forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.