The Notifiable Data Breaches Scheme: A Complete Guide for Australian Businesses
The NDB scheme has been mandatory since 2018, but most Australian businesses still don't understand their obligations. Here's everything you need to know.
What is the NDB Scheme?
The Notifiable Data Breaches (NDB) scheme is a mandatory reporting framework that has been part of Australian privacy law since 1 February 2018. Under the scheme, organisations covered by the Privacy Act 1988 must notify both the OAIC and affected individuals when an eligible data breach occurs.
Despite being mandatory for eight years, the NDB scheme is the most commonly missed requirement in Australian privacy policies — including at major Australian companies across a wide range of industries.
This guide explains what the NDB scheme requires, when it applies, what you need to do when a breach occurs, and how to make sure your privacy policy covers it correctly.
Table of Contents
- Who the NDB Scheme Applies To
- What is an Eligible Data Breach?
- Assessing Serious Harm — The 30-Day Rule
- What You Must Do When a Breach Occurs
- Penalties for Non-Compliance
- What Your Privacy Policy Must Say
- Building a Basic Breach Response Process
Who the NDB Scheme Applies To
The NDB scheme applies to all entities covered by the Privacy Act 1988, including:
- Australian Government agencies
- Businesses with annual turnover over $3 million
- Health service providers (regardless of turnover)
- Credit reporting bodies and credit providers
- Contracted service providers for Commonwealth contracts
- Tax file number recipients
The small business exemption currently applies — businesses with annual turnover under $3 million are generally not covered by the Privacy Act or the NDB scheme, with some exceptions. However, the Tranche 2 privacy reforms expected in 2026-2027 will remove this exemption, bringing all Australian businesses under the NDB scheme.
What is an Eligible Data Breach?
Not every data breach is a notifiable one. Under the Privacy Act, an eligible data breach occurs when all three of the following are true:
1. There is unauthorised access to, unauthorised disclosure of, or loss of personal information
This includes:
- Cyberattacks (ransomware, phishing, credential theft)
- Accidental disclosure (emailing personal information to the wrong person)
- Lost or stolen devices containing personal information
- Insider threats (an employee accessing information without authorisation)
- Third-party breaches (a supplier or cloud provider experiencing a breach)
2. The breach is likely to result in serious harm to one or more individuals
This is the key threshold. Not every breach triggers notification — only those where serious harm is likely. More on this below.
3. You haven't been able to prevent the likely serious harm
If you can take remedial action that prevents the serious harm from occurring, you may not need to notify. For example, if a laptop containing personal information is remotely wiped before the data is accessed, notification may not be required.
Assessing Serious Harm — The 30-Day Rule
The most complex aspect of the NDB scheme is assessing whether a breach is likely to result in serious harm. The Privacy Act lists factors you must consider:
- The kind of information involved (health, financial, identity documents attract higher risk)
- The sensitivity of the information
- Whether the information is protected by security measures (e.g. encryption)
- The persons who accessed or could access the information
- The nature of the harm that could result
Serious harm includes:
- Financial loss or identity theft
- Physical harm or safety risks
- Psychological harm or significant emotional distress
- Damage to reputation, employment prospects, or relationships
- Discrimination or humiliation
The 30-day rule: Once you become aware of a potential eligible data breach, you have 30 days to complete your assessment of whether it meets the notification threshold. If after 30 days you reasonably believe an eligible data breach has occurred, you must notify.
If you're uncertain whether a breach meets the threshold, err on the side of notification. Notifying unnecessarily has no penalty — failing to notify when required does.
What You Must Do When a Breach Occurs
Step 1 — Contain the breach
Immediately take steps to limit the impact:
- Revoke compromised access credentials
- Isolate affected systems
- Recover lost devices or data where possible
- Stop any ongoing unauthorised access
Step 2 — Assess the breach
Determine whether the breach is an "eligible data breach" requiring notification:
- What personal information was involved?
- Who could access it?
- What harm could result?
- Can remedial action prevent serious harm?
Complete this assessment within 30 days.
Step 3 — Notify the OAIC
If the breach is an eligible data breach, notify the OAIC using the Notifiable Data Breach Statement form at oaic.gov.au. The statement must include:
- Your organisation's name and contact details
- A description of the breach
- The kinds of personal information involved
- The steps you've taken or intend to take
Step 4 — Notify affected individuals
You must also notify affected individuals directly — by the most effective means available. For most businesses, this means email. Your notification must include:
- A description of the breach
- The kinds of personal information involved
- What steps you recommend individuals take to protect themselves
- How they can contact you for more information
- How they can complain to the OAIC if they're not satisfied
Step 5 — Document everything
Keep a record of the breach, your assessment, the steps you took, and the notifications you sent. This documentation demonstrates compliance if the OAIC ever investigates.
Penalties for Non-Compliance
The penalties for NDB scheme non-compliance have increased significantly since December 2024.
Failing to notify an eligible data breach is an interference with privacy under the Privacy Act, which can result in:
| Breach Type | Individual | Company |
|---|---|---|
| Interference with privacy | Up to $660,000 | Up to $3.3 million |
| Serious or repeated breach | Up to $2.5 million | Up to $50 million* |
*Or 30% of adjusted turnover, or three times the benefit obtained — whichever is greater.
The OAIC can now act faster. Since December 2024, the OAIC can issue infringement notices (on-the-spot fines up to $66,000) without going to court, and compliance notices requiring specific actions. The OAIC has been actively using these powers throughout 2025.
The statutory tort adds civil risk. Since June 2025, individuals can sue directly for serious privacy invasions without proving financial damage. A significant data breach that wasn't notified could expose you to both OAIC enforcement and private litigation.
What Your Privacy Policy Must Say About the NDB Scheme
APP 1 requires your privacy policy to explain how you manage personal information — including in the context of data breaches. Your privacy policy must include:
1. That you are subject to the NDB scheme
Clearly state that you comply with the Notifiable Data Breaches scheme under the Privacy Act 1988.
2. What constitutes an eligible data breach
Explain what an eligible data breach is in plain English — unauthorised access or disclosure of personal information that is likely to result in serious harm.
3. What you will do if a breach occurs
Describe your obligations to notify the OAIC and affected individuals, and the steps you will take to contain and remediate breaches.
4. How individuals can contact you
Provide contact details for privacy inquiries and breach concerns — typically a dedicated email address.
5. How individuals can contact the OAIC
Include the OAIC's contact details (oaic.gov.au, 1300 363 992) for individuals who want to make a complaint or get more information.
The problem with most privacy policies: US-built generators don't include any of this. The NDB scheme is an Australian-specific requirement with no direct US equivalent — so US templates simply don't cover it. This is why 100% of Australian company privacy policies we've analysed miss the NDB scheme, even at large enterprises.
Building a Basic Breach Response Process
You don't need a 50-page incident response plan — but you do need a documented process. Here's a simple template:
Step 1 — Detection
- Who in your business is responsible for identifying potential breaches?
- What channels might a breach be reported through? (IT alerts, customer complaints, staff reports)
Step 2 — Containment
- What immediate steps should be taken? (Revoke access, isolate systems, recover devices)
- Who has authority to take these steps?
Step 3 — Assessment
- What personal information was involved?
- Is serious harm likely?
- Can remedial action prevent harm?
- Deadline: 30 days from becoming aware
Step 4 — Notification (if required)
- Notify OAIC at oaic.gov.au
- Notify affected individuals by email
- Document everything
Step 5 — Review
- What caused the breach?
- What changes will prevent recurrence?
- Update security measures and policies accordingly
Even for a small business, having this documented — even as a one-page document — demonstrates good faith and reduces liability if a breach occurs and the OAIC investigates.
Summary
The NDB scheme has been mandatory for Privacy Act-covered entities since February 2018. Despite this, it remains the most commonly missed requirement in Australian privacy policies.
Key obligations:
- Assess potential breaches within 30 days
- Notify the OAIC and affected individuals if an eligible data breach occurred
- Include the NDB scheme in your privacy policy
- Maintain a documented breach response process
The exemption for businesses under $3 million turnover is being removed in Tranche 2 reforms — expected 2026-2027. When that happens, every Australian business will be subject to the NDB scheme.
Last updated: April 26, 2026
This guide provides general information about the Notifiable Data Breaches scheme. It is not legal advice. For specific legal questions about your situation, consult a qualified privacy lawyer or contact the OAIC on 1300 363 992.