The most common questions are whether a breach is actually notifiable, when the 30-day clock starts and who must be told. Exceptions, penalty tiers and overlapping ransomware-reporting duties create fewer public questions but carry high compliance risk.
What is the NDB scheme and who does it apply to?
The Notifiable Data Breaches scheme is the mandatory notification regime in Part IIIC of the Privacy Act 1988. It applies to entities with personal-information security obligations under the Act, including Australian Government agencies, businesses and not-for-profits with annual turnover above $3 million, private-sector health service providers, credit reporting bodies, credit providers and some smaller operators. A small business is not automatically outside the scheme: tax file number recipients and businesses covered by another Privacy Act exception can still be regulated. Covered entities must assess suspected eligible breaches and notify the OAIC and affected people when the statutory threshold is met.
- Business or not-for-profit with annual turnover above $3 million — The entity is generally covered by the Privacy Act and must comply with Part IIIC for personal information it holds.
- Small business with annual turnover of $3 million or less — Check the statutory exceptions before assuming exemption, including health services, tax file numbers, credit reporting, trading in personal information and opting in.
- Entity already subject to APP 11 — If the entity has an APP 11 obligation to secure personal information, it must also comply with the NDB scheme.
The organisation must immediately escalate every suspected loss, unauthorised access or unauthorised disclosure of personal information to the Privacy Officer. The Privacy Officer must determine whether the organisation and the affected information are covered by Part IIIC of the Privacy Act 1988 and, where covered, must commence and document the required NDB assessment without waiting for proof that serious harm has occurred.
What counts as an "eligible data breach"?
A data breach becomes eligible only when all parts of the statutory test are satisfied. Personal information must have been accessed or disclosed without authority, or lost in circumstances where unauthorised access or disclosure is likely. A reasonable person must conclude that the breach is likely to result in serious harm to at least one individual. Finally, effective remedial action must not have prevented that likely serious harm; not every mistake, cyber incident or misdirected email is therefore notifiable.
- Covered entity with confirmed unauthorised access or disclosure — Assess likely serious harm and the effect of remedial action; confirmation of access alone does not finish the legal test.
- Covered entity that has lost information or a device — The loss limb is engaged where unauthorised access to or disclosure of the information is likely to occur.
- Incident below the eligible-breach threshold — Contain, record and review it even if Part IIIC notification is not required, and check other legal or contractual reporting duties.
An incident is an eligible data breach only if: (1) personal information held by the organisation was accessed or disclosed without authority, or was lost in circumstances where unauthorised access or disclosure is likely; (2) a reasonable person would conclude that serious harm to one or more individuals is likely; and (3) remedial action has not prevented the likely risk of serious harm. The assessment must address and document each element separately.
The serious harm test — how is it assessed?
The test is objective: ask what a reasonable person in the entity's position, properly informed after reasonable inquiries, would conclude. Serious harm is likely when it is more probable than not, not merely possible, and the assessment should weigh both probability and consequences. Harm may be physical, psychological, emotional, financial or reputational. Section 26WG requires consideration of matters such as the kind and sensitivity of the information, security protections, who obtained or could obtain it, whether protections could be overcome, the likely intentions and capability of a recipient, the nature of possible harm and any other relevant circumstances.
- Breach involving identity, health, financial or government-identifier information — The sensitivity and misuse potential generally increase the likelihood or consequence of serious harm.
- Breach affecting a person experiencing vulnerability — Consider circumstances such as family violence, physical safety, financial hardship and whether the information could expose or locate the individual.
- Encrypted or otherwise protected information — Assess the strength of the protection, whether the key or credential was also compromised, and whether the recipient can or intends to overcome it.
The serious-harm assessment must be made objectively from the position of a properly informed reasonable person in the organisation's circumstances. The assessor must consider whether serious harm is more probable than not, the sensitivity and combination of information involved, existing security protections and the likelihood they can be overcome, the identity and likely intentions of recipients, the circumstances of affected individuals, the possible physical, psychological, emotional, financial and reputational consequences, and all other relevant matters under section 26WG.
The 30-day assessment clock — when does it start and what's the maximum?
The duty starts when the entity is aware of reasonable grounds to suspect that an eligible data breach may have occurred, while it does not yet have reasonable grounds to believe one occurred. It must carry out a reasonable and expeditious assessment and take all reasonable steps to complete it within 30 calendar days. The 30 days are an outer limit, not a target or a waiting period, and OAIC guidance expects assessments to finish much sooner where possible. Knowledge held by responsible or appropriately senior personnel can start the process; the business should not wait until the chief executive or board is briefed.
- Covered entity with reasonable grounds to suspect an eligible breach — Record the date and time of awareness, appoint an assessor and begin reasonable inquiries immediately.
- Assessment reaches reasonable belief before day 30 — Move to the notification duties immediately; the remaining assessment period is not available as extra notification time.
- Assessment cannot be completed within 30 calendar days — Continue urgently and document the steps taken, reasons for delay and why those steps were reasonable; the statutory maximum has still been missed.
When any responsible employee or officer becomes aware of information creating reasonable grounds to suspect an eligible data breach, the Privacy Officer must record the awareness date and time and commence a reasonable and expeditious assessment. All reasonable steps must be taken to finish the assessment within 30 calendar days. The organisation must aim to conclude earlier and must not wait for day 30, complete forensics, executive confirmation or proof of actual harm before progressing the assessment or notification decision.
When and how must I notify the OAIC and affected individuals?
Once the entity has reasonable grounds to believe an eligible data breach occurred, it must prepare the statutory statement and give it to the OAIC as soon as practicable. It must also notify people as soon as practicable after preparing the statement. Depending on what is practicable, the entity may notify everyone whose information was involved, only the people at likely risk of serious harm, or publish the statement on its website and take reasonable steps to publicise it when direct notification is impracticable. The OAIC provides an online NDB form, and the Act does not require the OAIC always to be notified before individuals.
- Entity able to identify every person whose information was involved — It may notify all of those individuals using reasonable steps and a communication method suited to the circumstances.
- Entity able to identify only people at likely risk of serious harm — It may notify that at-risk group rather than every person whose information appeared in the incident.
- Direct notification is impracticable — Publish the statement on the entity's website, if any, and take reasonable steps to publicise its contents.
As soon as the organisation has reasonable grounds to believe an eligible data breach occurred, it must prepare and submit the section 26WK statement to the OAIC as soon as practicable and notify affected individuals as soon as practicable after the statement is prepared. The notification method must follow section 26WL: notify all relevant individuals, notify only those at likely risk of serious harm, or, where neither direct option is practicable, publish the statement and take reasonable steps to publicise it.
What must the statement to the Commissioner contain?
The section 26WK statement has four mandatory elements: the entity's identity and contact details, a description of the eligible data breach, the particular kinds of information involved, and recommendations about steps individuals should take. If the same access, disclosure or loss is also an eligible breach of other entities, their identity and contact details may be included. The description should be clear enough for the OAIC and affected people to understand the event and act on the risk, without speculation or misleading reassurance. OAIC guidance encourages useful detail such as relevant dates, how the breach occurred, who may have received the information and containment or remediation already completed.
- Single entity responsible for the breach — Identify the entity and a monitored contact point that affected individuals and the OAIC can use.
- Breach involving jointly held information or multiple entities — The statement may identify the other entities, and the parties should coordinate a single accurate account and practical recommendations.
- Facts are still developing — State what is known, distinguish estimates from confirmed facts and update communications where material information changes.
Every statement submitted under section 26WK must contain: (1) the organisation's legal identity and current contact details; (2) a plain-English description of the eligible data breach; (3) the particular kind or kinds of personal information involved; and (4) practical recommendations about steps individuals should take. The statement must be accurate, must distinguish confirmed facts from estimates and must provide enough detail for individuals to understand and reduce the risk of harm.
Exceptions — when am I NOT required to notify?
The main practical exception is successful remedial action: if action prevents unauthorised access or disclosure, or prevents the likelihood of serious harm, the incident is not an eligible breach for the people protected by that action. For jointly held information, one entity's compliant assessment or notification can relieve the others from duplicating the same statutory step, but all remain exposed if nobody acts. Other narrow exceptions address enforcement-related activities, inconsistency with Commonwealth secrecy provisions and a declaration by the Commissioner. Breaches notified under section 75 of the My Health Records Act follow that regime instead of duplicate NDB notification. These exceptions are technical and should be documented rather than assumed from a recall request, deletion promise or belief that an incident was small.
- Successful remedial action — Notification is not required for individuals whose likely serious harm was actually prevented; retain evidence showing why the action was effective.
- Multiple entities jointly hold the affected information — One entity may assess and notify for the group, but responsibilities and information sharing should be agreed immediately and recorded.
- Enforcement, secrecy, Commissioner declaration or My Health Record issue — Apply the precise statutory provision and obtain specialist advice because each exception has limited scope and conditions.
No person may rely on an NDB exception without a documented decision approved by the Privacy Officer and, where appropriate, legal advice. The decision record must identify the statutory exception, affected individuals and information, supporting evidence, the effectiveness and timing of remedial action, any other entity undertaking assessment or notification, and any residual duties. An attempted recall, deletion request, confidentiality assurance or small number of affected people is not by itself sufficient.
Penalties and enforcement for getting it wrong.
A failure to assess, give the required statement, notify individuals or comply with a Commissioner's direction is treated as an interference with privacy and can trigger OAIC investigation and enforcement. Under the current tiered regime, a serious interference by a body corporate can attract the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach turnover period; repeated or continuous conduct is one factor a court may consider when deciding seriousness. A non-serious interference can attract up to 2,000 penalty units. Separately, preparing an NDB statement that omits the mandatory section 26WK(3) content is a civil penalty provision with a maximum of 200 penalty units and can support infringement or compliance action. Those maximums are not automatic for every late or imperfect notice; liability and remedy depend on the contravention, seriousness, evidence and enforcement pathway.
- Serious interference with privacy — The highest corporate maximum is the greater-of formula in section 13G, with seriousness assessed from statutory factors and the circumstances.
- Interference not established as serious — Section 13H creates a lower civil penalty tier capped at 2,000 penalty units.
- NDB statement missing mandatory content — Section 13K creates a specific 200-penalty-unit tier and permits infringement or compliance notices.
The organisation must preserve a complete decision record for every suspected or eligible data breach, including awareness times, assessment steps, evidence, legal advice, remedial action, notification decisions, statement versions and communications. Delaying, concealing, providing incomplete mandatory information or failing to comply with an OAIC requirement may constitute an interference with privacy and expose the organisation to investigation, directions, determinations, enforceable undertakings, injunctions and civil penalty proceedings.
How NDB interacts with the Cyber Security Act ransomware reporting and other clocks.
The NDB and ransomware-payment regimes are separate and may run at the same time. NDB turns on personal information, likely serious harm and remedial action; the Cyber Security Act 2024 clock is triggered when a covered reporting business entity makes, or becomes aware of a payment or other benefit made on its behalf in response to ransomware or cyber extortion. That payment report is due within 72 hours, while a demand with no payment does not trigger the mandatory payment report. The ransomware regime generally captures businesses carrying on business in Australia with previous-year turnover exceeding $3 million and specified critical-infrastructure entities, and non-compliance can attract 60 penalty units. Neither report automatically satisfies NDB, critical-infrastructure, APRA, ASIC, contractual, insurance or other sector obligations, so each trigger and deadline must be tracked separately.
- Covered business that makes a ransomware or cyber-extortion payment — Start the 72-hour Cyber Security Act clock at payment, or when the entity becomes aware a payment was made on its behalf.
- Ransomware incident involving personal-information theft — Run the NDB serious-harm assessment and the separate payment-reporting analysis in parallel; the clocks have different triggers.
- Cyber extortion demand with no payment — The mandatory Cyber Security Act payment report is not triggered, but NDB and other incident-reporting duties may still apply.
For every cyber incident, the Incident Lead must maintain a reporting matrix that separately records the trigger, awareness time, decision-maker, deadline, recipient and submission status for the Privacy Act NDB scheme, the Cyber Security Act ransomware-payment regime, the Security of Critical Infrastructure Act, sector regulators, contracts, insurance and any other applicable requirement. A covered ransomware or cyber-extortion payment must be reported within 72 hours even while the NDB assessment continues. No report is treated as satisfying another obligation unless the relevant law expressly provides that result.
What's my next step?
Common misconceptions
- Every data breach or cyber incident must be notified under the NDB scheme. VERIFIED
- Actual identity theft, fraud or other harm must already have happened before a breach can be eligible. VERIFIED
- The 30-day assessment period is permission to wait until day 30. VERIFIED
- The assessment clock starts only when the chief executive, board or legal team is formally notified. VERIFIED
- Once an eligible breach is established, notifying the OAIC alone is sufficient. VERIFIED
- The OAIC must always be notified before affected individuals. VERIFIED
- An attempted email recall or a request that the recipient delete the information automatically satisfies the remedial-action exception. INFERRED
- A breach affecting only one person can never meet the NDB threshold. VERIFIED
- If a cloud provider or contractor caused the breach, only that provider has NDB responsibilities. VERIFIED
- Every small business is exempt from the Privacy Act and NDB scheme. VERIFIED
- The Cyber Security Act creates a 72-hour report for every ransomware incident, even where no payment or benefit is provided. VERIFIED
- Submitting a ransomware-payment report automatically satisfies the NDB scheme and every other regulatory or contractual reporting duty. INFERRED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| Assessment of a suspected eligible data breach | Office of the Australian Information Commissioner | A covered entity is aware of reasonable grounds to suspect that there may have been an eligible data breach and does not yet have reasonable grounds to believe one occurred. | Carry out a reasonable and expeditious assessment and take all reasonable steps to complete it within 30 calendar days after awareness. | Contravention is an interference with privacy and may attract investigation, directions, determinations, undertakings, injunctions or civil penalties under the applicable Privacy Act tier. |
| Statement to the Australian Information Commissioner | Office of the Australian Information Commissioner | A covered entity has reasonable grounds to believe an eligible data breach occurred and no exception applies. | Prepare a compliant statement and give it to the Commissioner as soon as practicable after becoming aware of the reasonable grounds to believe. | Contravention is an interference with privacy. A statement that omits mandatory section 26WK(3) content is separately subject to a maximum civil penalty of 200 penalty units. |
| Notification of affected individuals | Office of the Australian Information Commissioner | A covered entity has reasonable grounds to believe an eligible data breach occurred, has prepared the section 26WK statement and no exception applies. | Take the required notification or publication steps as soon as practicable after completing the statement. | Contravention is an interference with privacy and may attract the Privacy Act's tiered enforcement and civil penalty regime. |
| Mandatory content of an NDB statement | Office of the Australian Information Commissioner | A covered entity prepares a statement under section 26WK. | The statement must be compliant when submitted to the Commissioner and when its contents are notified or published. | Maximum 200 penalty units for a non-compliant statement under section 13K, with infringement and compliance notice mechanisms available. |
| Compliance with an OAIC direction to notify | Office of the Australian Information Commissioner | The Commissioner directs an entity under section 26WR to prepare a statement and notify an eligible data breach. | Comply as soon as practicable, subject to the terms of the direction and statutory exceptions. | Contravention is an interference with privacy and may attract enforcement action and civil penalties. |
| Serious interference with privacy civil penalty | Office of the Australian Information Commissioner; Federal Court | An entity's act or practice is an interference with an individual's privacy and the interference is serious. | No fixed reporting timeframe; the provision applies through civil penalty enforcement. | For a body corporate, the greater of $50 million, three times the attributable benefit, or 30% of adjusted turnover during the breach turnover period. |
| Cyber Security Act ransomware or cyber-extortion payment report | Department of Home Affairs | A reporting business entity makes a ransomware or cyber-extortion payment or becomes aware that another entity made one on its behalf in connection with a qualifying cyber incident. | Within 72 hours after making the payment or becoming aware that it was made on the entity's behalf. | Civil penalty of 60 penalty units. |
Sources
- Privacy Act 1988 primary
- Quick reference guide for responding to data breaches primary
- About the Notifiable Data Breaches scheme primary
- When to report a data breach primary
- Report a data breach primary
- Part 4: Notifiable Data Breach (NDB) Scheme primary
- Small business and the Privacy Act primary
- Chapter 11: Data breach incidents primary
- Mandatory ransomware and cyber extortion payment reporting factsheet primary
- Cyber Security Act 2024 primary
- Cyber Security (Ransomware Payment Reporting) Rules 2025 primary
- What are the rules about data breaches? How soon does a company have to notify their customers? forum
- You may bring a Support Person - FINAL UPDATE forum
- Important information sent to wrong email address - how screwed am I? forum
- Ticketek data breach forum
- How can I protect myself from data or identity theft when I constantly have to give away my details online? forum
- Bank Data Breach - ANZ forum
- Are there any penalties that I am entitled to now my details have been compromised by Qantas? forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.