If your business experiences a data breach that's likely to cause serious harm, you're legally required to notify both the Office of the Australian Information Commissioner (OAIC) and the affected individuals. Most privacy policies don't mention this at all — including policies from major Australian enterprises.
NDB scheme included • 5 minutes • No subscription required
The Notifiable Data Breaches scheme has been mandatory for Australian Privacy Act-covered entities since 1 February 2018.
An "eligible data breach" occurs when personal information is accessed or disclosed without authorisation, and the breach is likely to result in serious harm to one or more individuals. This includes cyberattacks, accidental disclosures, and lost devices containing personal data.
You must notify the OAIC and affected individuals as soon as practicable — typically within 30 days of becoming aware of a breach. You must also take remedial action to reduce the risk of harm. Failure to notify when required is itself a breach of the Privacy Act.
Since December 2024, penalties for serious or repeated breaches are up to $50 million for companies — a 2,250% increase from the previous maximum. The OAIC can now issue on-the-spot fines without going to court and has been actively using these powers throughout 2025.
100% of Australian companies we analysed — across $100B+ combined market cap — miss the NDB scheme in their privacy policies.
Most privacy policy generators are built for the US market and adapted for international use. US breach notification requirements are fragmented across 50 state laws with no unified federal equivalent — so US-built templates default to US frameworks that simply don't map onto Australia's NDB scheme.
The NDB scheme has been mandatory since February 2018. Eight years later, it's still the most commonly missed requirement in Australian privacy policies — including at companies that should know better.
What's Covered
APP 1 of the Australian Privacy Principles requires your privacy policy to explain how you manage personal information — including what happens in the event of a data breach. Without an NDB scheme section, your policy is non-compliant with the Privacy Act 1988.
Your NDB section must cover: what constitutes an eligible data breach, how you assess and respond to breaches, how affected individuals can contact you, and how they can obtain more information from the OAIC.
Every ComplianceKit policy includes a full NDB scheme section covering all mandatory requirements.
Clear explanation of breach notification obligations for both the OAIC and affected individuals.
With Managed Compliance, your NDB section updates automatically when requirements change.