NDB Scheme Compliance for Australian Businesses

A data breach can turn into a legal problem very quickly. Many Australian businesses collect customer details, employee records, payment information or login credentials, but still assume the Notifiable Data Breaches scheme only applies to big tech companies or government agencies. That is a common mistake. Another is treating a suspected breach like an IT issue only, without checking whether legal notification duties have been triggered. A third is waiting too long to investigate, which can make a bad situation harder to control.

If you are not sure whether the ndb scheme applies to your business, what counts as an eligible data breach, or what you actually need to do after a cyber incident, this guide answers those questions. It also explains where founders and SMEs often get caught out, what to put in place before anything goes wrong, and how privacy documents, contracts and internal processes fit together.

Overview

The ndb scheme is Australia’s mandatory data breach notification regime under the Privacy Act. If your business is covered by the Privacy Act and experiences an eligible data breach, you may need to assess the incident quickly, take reasonable remedial action and notify affected individuals and the Office of the Australian Information Commissioner.

  • Check whether your business is an APP entity or otherwise covered by the Privacy Act.
  • Work out what personal information you collect, store, share and where it sits.
  • Know the difference between a cyber incident, a privacy incident and an eligible data breach.
  • Set up an internal response process so key people know who investigates, who decides and who communicates.
  • Review contracts with IT providers, software vendors and other service providers that handle personal information.
  • Make sure your privacy policy and collection notices reflect how you actually handle data.
  • Keep records of breach assessments, remedial action and notification decisions.

What NDB Scheme Means For Australian Businesses

The ndb scheme means some Australian businesses must notify certain data breaches, not just quietly fix them behind the scenes.

The scheme sits under the Privacy Act 1988 (Cth) and applies to entities that are required to comply with the Australian Privacy Principles. In practical terms, that usually includes Commonwealth government agencies and many private sector organisations, but not every small business automatically falls within the regime.

Who is usually covered?

The first question is whether your business is subject to the Privacy Act at all. Many businesses assume they are too small to worry about privacy law, but that is not always right.

Businesses are commonly covered where they:

  • have an annual turnover above $3 million
  • provide health services and hold health information
  • trade in personal information
  • are related to a larger corporate group that is covered
  • are otherwise brought within the Privacy Act by the way they operate

Small businesses under the usual turnover threshold can still be covered in some situations. This is where founders often get caught, especially in digital businesses, health-adjacent services and businesses that rely heavily on customer data.

What counts as personal information?

Personal information is broader than many business owners expect. It can include obvious details like names, email addresses, phone numbers and home addresses, but also information that can reasonably identify a person.

Depending on your business, that may include:

  • customer accounts and order histories
  • employee records held outside the employee records exemption context
  • driver licence or passport details collected for verification
  • bank account details
  • medical or health information
  • photos, recordings or support tickets linked to an individual
  • IP addresses, device identifiers or other online identifiers where they identify someone

If your team is selling online, using a CRM, outsourcing payroll, storing files in cloud systems or using software tools that track user behaviour, you are likely handling more personal information than you think.

What is an eligible data breach?

An eligible data breach is a breach involving personal information that is likely to result in serious harm to one or more individuals, where you have not been able to prevent that risk through remedial action.

There are usually three elements:

  • there is unauthorised access to, unauthorised disclosure of, or loss of personal information
  • a reasonable person would conclude the incident is likely to result in serious harm to an affected individual
  • remedial action has not removed that likelihood of serious harm

That does not mean every lost laptop or suspicious email triggers notification. The legal test turns on the facts. For example, if a staff member sends a spreadsheet of customer information to the wrong recipient, but the recipient deletes it immediately and confirms they did not access it further, the risk profile may be very different from a ransomware attack that exposes payroll, identity and banking data.

What does serious harm mean?

Serious harm can be physical, psychological, emotional, financial or reputational. The assessment is not just about whether harm has already happened. It is about whether serious harm is likely.

When assessing seriousness, businesses usually need to consider:

  • the kind and sensitivity of the information involved
  • whether the information is protected by security measures such as encryption
  • who has obtained or could obtain the information
  • the nature of the harm that could follow, such as identity theft or fraud
  • how many people are affected
  • whether the information can be matched with other data to identify people

This is not a box-ticking exercise. A small incident involving highly sensitive health or identity information may be more serious than a larger incident involving less sensitive contact details.

What happens if notification is required?

If an eligible data breach has occurred, the entity generally needs to prepare a statement for the regulator and notify affected individuals as soon as practicable. The notice should set out the identity and contact details of the business, describe the breach, identify the kinds of information involved and recommend steps people should take in response.

For a founder or operations lead, this often becomes a cross-functional issue very quickly. Legal, IT, leadership, customer support, HR and external providers may all need to coordinate before you send notices, speak to clients or update your website or app messaging.

When This Issue Comes Up

The ndb scheme usually becomes relevant at the exact moment a business is under pressure, after a cyber incident, a human error event or a systems failure.

Most businesses do not think about breach notification until something goes wrong. In reality, the legal risk often starts much earlier, when your systems, contracts and privacy documents are first set up.

Common founder and SME scenarios

This issue regularly comes up in situations such as:

  • a team member emails personal information to the wrong client or supplier
  • a laptop, phone or USB containing unencrypted personal information is lost or stolen
  • a software provider is hacked and your customer data is exposed
  • your ecommerce platform or website database is accessed without authorisation
  • staff fall for phishing and attacker access is gained through compromised credentials
  • payroll or HR files are accidentally shared internally or externally
  • a departing employee downloads customer lists or other personal records
  • a cloud storage folder is misconfigured and publicly accessible

These are not edge cases. They are everyday operational failures or cyber events that can affect startups and established SMEs alike.

Why early-stage businesses still need to care

Even if your business is still small, the practical impact of a breach can be serious before you spend money on setup for your next growth phase. Investors, enterprise customers and commercial partners often expect clear privacy governance, incident response planning and sensible security commitments in contracts.

This matters when you are:

  • selling online and collecting account or payment-related information
  • bidding for commercial contracts that ask about privacy controls
  • signing SaaS, hosting or managed IT agreements
  • hiring staff and storing HR records in multiple systems
  • launching health, fintech, edtech or other data-heavy services
  • expanding into a company structure with more formal governance

While the ndb scheme is not about business registration, business name registration, trade mark filings or company setup, it often sits alongside those core growth steps. A business can have its structure, contracts and branding sorted, but still be exposed if privacy and breach response are left until later.

Third-party providers often create the hardest questions

A breach does not need to happen on your own server to create legal risk for your business. If a software provider, cloud host, payroll platform, marketing platform or outsourced service provider handles personal information on your behalf, an incident on their side can still affect your obligations.

This is where contract terms matter before you sign a contract. You want to know:

  • how quickly the provider must notify you of a suspected incident
  • what cooperation they must give during investigation and remediation
  • who controls customer communications
  • what security commitments they have made
  • whether they use offshore subcontractors or overseas data storage
  • how liability is allocated if their systems fail

Without clear clauses, your business may be left trying to assess a breach without the information needed to make a defensible decision.

Practical Steps And Common Mistakes

The best way to handle the ndb scheme is to do the legal and operational groundwork before an incident, then respond quickly and document your decisions when something happens.

1. Confirm whether the Privacy Act applies to your business

You cannot assess ndb scheme obligations properly if you have not first worked out whether your business is covered. Many startups rely on the small business exception without checking whether one of the carve-ins applies.

If your business handles health information, trades in personal information, supports enterprise clients or operates in a highly data-driven model, get clear advice on where you stand.

2. Map the personal information you actually hold

A privacy compliance gap usually starts with poor visibility. If you do not know what information you collect or where it sits, you will struggle to assess breach impact.

Your data map should cover:

  • what personal information is collected
  • why it is collected
  • where it is stored
  • who can access it
  • which providers process it
  • whether any information is sent overseas
  • how long it is retained and how it is deleted

This exercise also helps make sure your privacy policy, collection notices, customer terms and employment contracts line up with reality.

3. Prepare an incident response plan

When a suspected breach occurs, time matters. The people involved should not be improvising roles, approval paths or communications while systems are down.

A workable response plan usually identifies:

  • who reports incidents internally
  • who leads technical investigation
  • who assesses privacy and notification risk
  • who communicates with customers, staff and vendors
  • who approves regulator notifications and external statements
  • what records must be kept during the process

For many SMEs, the plan does not need to be complicated. It does need to be clear, tested and available when key people are offline or unavailable.

4. Review your privacy documents

Your privacy policy is not a substitute for incident response, but it still matters. If it says little about your data handling practices, uses generic wording or no longer matches your systems, it may create extra problems during a breach.

Review whether your documents accurately describe:

  • the information you collect
  • how and why you collect it
  • disclosure to third parties
  • overseas storage or processing
  • security practices at a high level
  • how individuals can contact you about privacy issues

Collection notices and customer-facing wording should also match your real processes, especially if you are onboarding users through an app, website or online checkout.

5. Tighten contracts with vendors and customers

Contracts often decide how painful a breach becomes. This is particularly true for software, managed services, marketing platforms, payment support and outsourced admin functions.

Depending on your role in the data chain, key clauses may deal with:

  • privacy compliance obligations
  • minimum security standards
  • breach notification timeframes
  • audit or information rights after an incident
  • data return or deletion at the end of the relationship
  • indemnities, liability caps and exclusions
  • subcontracting and cross-border handling of information

Founders often focus on pricing and service levels before they sign a contract, but privacy and breach allocation can matter just as much when something goes wrong.

6. Train staff on the mistakes that actually happen

Most incidents are not dramatic headline hacks. They are ordinary errors made on busy days.

Training should cover practical scenarios such as:

  • spotting phishing and credential theft attempts
  • sending files securely
  • checking recipient details before emailing information
  • using access permissions properly
  • escalating suspected incidents quickly
  • handling lost devices
  • not storing personal information in unauthorised tools

Short, repeated training usually works better than one dense policy document no one reads.

Common mistakes businesses make

The biggest mistakes are usually process failures, not obscure legal misunderstandings.

  • Assuming a small business is automatically exempt from privacy law.
  • Treating every data issue as purely technical and failing to involve legal or decision-makers early.
  • Waiting too long to investigate because the team is hoping the problem will disappear.
  • Failing to preserve records of what happened, when it was discovered and what action was taken.
  • Relying on generic privacy policies that do not match actual practices.
  • Signing vendor contracts with weak breach notification and cooperation clauses.
  • Sending notifications too early without enough facts, or too late after avoidable delay.
  • Ignoring remedial action that might prevent serious harm and avoid notification altogether.

A sensible response sits in the middle. Move quickly, investigate properly, contain the issue, and document why you reached your final view.

FAQs

Does every Australian business have to comply with the ndb scheme?

No. The scheme generally applies to entities covered by the Privacy Act, which includes many, but not all, private sector businesses. Some small businesses may still be covered depending on what they do and what information they handle.

Is every data breach reportable?

No. A reportable incident under the ndb scheme is an eligible data breach. That usually requires unauthorised access, disclosure or loss of personal information, plus a likely risk of serious harm that has not been removed by remedial action.

How fast do businesses need to act?

Businesses should move quickly. If there are reasonable grounds to suspect an eligible data breach, the entity must carry out a reasonable and expeditious assessment, and if notification is required, notify as soon as practicable after becoming aware.

What if the breach happened at a software provider, not inside our business?

You may still have obligations if personal information you hold or control is affected through a third-party provider. The exact position depends on the arrangement, the facts of the incident and who is subject to the Privacy Act, which is why vendor contracts and fast information sharing matter.

Can fixing the problem mean notification is not required?

Sometimes, yes. If remedial action is taken before serious harm is likely, the incident may not become an eligible data breach. That depends on whether the action actually removes the relevant risk, not just whether the business has made a general attempt to contain the issue.

Key Takeaways

  • The ndb scheme requires certain Australian businesses to assess and notify eligible data breaches under the Privacy Act.
  • Not every breach is reportable, but every suspected incident should be assessed quickly and documented carefully.
  • Coverage under the Privacy Act is not limited to large businesses, and some smaller businesses are still caught.
  • Common triggers include phishing, misdirected emails, lost devices, vendor incidents and poor access controls.
  • Strong privacy documents, incident response plans, staff training and vendor contracts can reduce both legal risk and operational damage.
  • The right answer depends on the kind of information involved, the likelihood of serious harm and whether remedial action removes that risk.

If your business is dealing with ndb scheme and wants help with privacy compliance, data breach response, vendor contracts, and privacy policy updates, you can reach us on 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

Alex Solo
Alex SoloCo-Founder

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.

Need legal help?

Get in touch with our team

Tell us what you need and we'll come back with a fixed-fee quote - no obligation, no surprises.

Need support?

Need help with your business legals?

Speak with Sprintlaw to get practical legal support and fixed-fee options tailored to your business.