
What is the Notifiable Data Breaches Scheme? (Simple Guide for Australian Businesses)

The NDB scheme has been mandatory since 2018, yet 100% of companies we analyzed don't include it in their privacy policies. Here's what you need to know.

The Surprising Truth

The Notifiable Data Breaches (NDB) scheme became mandatory on 22 February 2018—over 7 years ago. Yet our research found that 100% of analyzed Australian companies fail to include it in their privacy policies.

This includes billion-dollar businesses like Telstra, companies with substantial legal teams, and even privacy policy generators that claim "Australian compliance."

If you don't have the NDB scheme in your privacy policy, you're not compliant—and you're at risk of penalties up to $50 million under the December 2024 reforms.


What is the NDB Scheme?

The Notifiable Data Breaches scheme is part of the Privacy Act 1988. It requires organisations to notify individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm.

When Does it Apply?

A notifiable data breach occurs when either of the first two conditions is met and the third condition is also met:

  1. There is unauthorised access to, or disclosure of, personal information; OR
  2. Personal information is lost in circumstances where unauthorised access is likely; AND
  3. The breach is likely to result in serious harm to affected individuals

What is "Serious Harm"?

Serious harm includes:

  • Physical harm - threats to safety
  • Psychological harm - significant distress or anxiety
  • Emotional harm - embarrassment or humiliation
  • Economic harm - financial fraud or identity theft
  • Harm to reputation - damage to personal or professional standing

Your Obligations

1. Assessment (30 days)

When you become aware of a potential breach, you have 30 days to assess whether it's a notifiable data breach.

2. Notification (as soon as practicable)

If it's notifiable, you must notify:

  • Affected individuals (directly, or via public statement if impracticable)
  • The OAIC (through their online notification form)

3. What to Include

Your notifications must contain:

  • Your identity and contact details
  • Description of the breach
  • The kind of information involved
  • Recommendations for steps individuals should take
  • Your contact details for further information

Common Breach Scenarios

Lost or stolen devices: A laptop, USB drive, or phone containing customer data is lost or stolen. This is notifiable if the data on the device wasn't encrypted.

Ransomware attacks: Hackers encrypt your data and demand payment. This is notifiable if customer data was accessed or exfiltrated.

Phishing attacks: A staff member falls for a phishing email, giving hackers access to customer data.

Insider threats: A current or former employee accesses customer data without authorisation.

Third-party breaches: A service provider you share data with (like a cloud host or email provider) experiences a breach affecting your customers.


Why Everyone Misses This

US-Based Generators

Most privacy policy generators are built for US businesses. They don't understand Australian requirements, including the NDB scheme. They might mention "Australia" but don't actually address Australian law.

Template Providers

Even major template providers like TermsFeed and Termly—who claim Australian compliance—provide US-centric policies with cosmetic country references. They miss the NDB scheme entirely.

Copy-Paste Approach

Many businesses copy privacy policies from other companies or use generic templates. Since those sources don't include the NDB scheme, the problem perpetuates.


The Penalties

Under the December 2024 reforms, failing to notify affected individuals and the OAIC of a notifiable data breach can result in:

  • Up to $2.5 million for individuals
  • Up to $50 million for companies (or 30% of adjusted turnover, or three times the benefit obtained—whichever is greater)

Plus reputational damage:

  • Loss of customer trust
  • Media coverage of non-compliance
  • Regulatory scrutiny
  • Potential class action lawsuits (under the statutory tort in force since June 2025)

What Your Privacy Policy Must Include

Your privacy policy should explain:

  • What constitutes a notifiable data breach for your organisation
  • Your assessment process for determining if a breach is notifiable
  • How you'll notify affected individuals if a breach occurs
  • What information you'll provide in notifications
  • Your security measures to prevent breaches

This isn't optional guidance—it's a mandatory requirement under APP 1 (Open and Transparent Management) and the NDB scheme itself.


How to Get Compliant

Check Your Current Policy

Does it mention:

  • "Notifiable Data Breaches"
  • "NDB scheme"
  • Data breach notification procedures
  • The 30-day assessment timeframe

If not, your policy is incomplete.

Generate a Compliant Policy

ComplianceKit is the only generator we know of that includes the NDB scheme as a standard component—because we're built specifically for Australian businesses, not adapted from US templates.

Our generator:

  • Covers all 13 Australian Privacy Principles
  • Includes comprehensive NDB scheme section
  • Reflects December 2024 reforms
  • Uses plain English (Grade 10 reading level)
  • Generates in 5 minutes

Generate Once - $79 one-time:

  • Complete, compliant policy
  • Download in 4 formats
  • Update anytime for free

Managed Compliance - +$29/year:

  • Automatic updates when laws change
  • Hosted at secure URL
  • Email notifications
  • Version history

Related Resources

Official guidance on Australian privacy compliance:

  • OAIC NDB scheme guidance: oaic.gov.au
  • Privacy enquiries: 1300 363 992

Last updated: February 6, 2026

This guide provides general information about the NDB scheme. It's not legal advice. For specific questions about your data breach obligations, consult a qualified privacy lawyer.
