Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
A data breach can turn into a legal problem very quickly, especially if your business delays its response, assumes a software provider will handle it, or decides the incident is too small to report. Those are common mistakes under Australia’s Notifiable Data Breaches regime. Another one is focusing only on cyber security and forgetting the legal questions, such as whether the incident is likely to cause serious harm and who actually needs to be notified.
The NDB scheme matters to businesses that collect customer, employee or contractor information, whether you run an online store, a professional services firm, a health business, or a growing startup with cloud systems and remote staff. The rules are not just for large corporations.
This guide explains what the ndb scheme is, when notification duties can arise, what “eligible data breach” means in practice, and what business owners should do before they speak to customers, regulators, insurers or suppliers.
Overview
The ndb scheme is Australia’s mandatory data breach notification framework under privacy law. If your organisation is covered by the Privacy Act 1988 (Cth), and a data breach is likely to result in serious harm, you may need to assess the incident quickly and notify both affected individuals and the Office of the Australian Information Commissioner.
- Check whether your business is actually covered by the Privacy Act and the Australian Privacy Principles.
- Work out whether the incident involves personal information, unauthorised access, unauthorised disclosure, or loss of data.
- Assess whether serious harm is likely, not just whether harm is possible.
- Decide whether remedial action has removed the risk before notification is required.
- Prepare a clear internal response plan covering legal, technical and communications steps.
- Review contracts with IT providers, software vendors and other service providers to confirm who must report incidents and when.
What NDB Scheme Means For Australian Businesses
The ndb scheme requires certain organisations to notify serious data breaches. For many businesses, the key legal question is not whether a cyber incident happened, but whether that incident is an “eligible data breach” under the law.
Australia’s Notifiable Data Breaches scheme sits within the Privacy Act. Broadly, it applies to entities that are already subject to that Act, including many companies and some other organisations that handle personal information. Small businesses are sometimes exempt, but that exemption is not absolute, and some industries or activities can still bring a smaller business within the privacy law framework.
What is an eligible data breach?
An eligible data breach usually exists where three elements are present:
- There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by the organisation.
- The access, disclosure or loss is likely to result in serious harm to one or more individuals.
- The organisation has not been able to prevent that likely risk of serious harm through remedial action.
That sounds simple, but this is where founders often get caught. A breach is not limited to a hacker getting into your systems. It can also include a staff member emailing a spreadsheet to the wrong recipient, a laptop with unencrypted customer files going missing, or a cloud folder being left publicly accessible.
What counts as personal information?
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. In a business setting, that can include:
- customer names, email addresses and phone numbers
- payment details and billing records
- employee HR records and payroll information
- medical or health information
- identity documents
- user account credentials
- location data and online identifiers, depending on context
The sensitivity of the information matters when you assess serious harm. Exposure of passport details, health records or login credentials is generally more concerning than a list of first names alone.
What does “likely to result in serious harm” mean?
The test is about likely serious harm, not guaranteed harm. You are looking at a real chance of serious harm, based on the facts known at the time. Harm can be physical, psychological, emotional, financial or reputational.
When assessing risk, businesses usually need to weigh factors such as:
- the kind of information involved
- whether the information is protected by encryption or other security measures
- who may have accessed or received it
- whether the recipient is likely to misuse it
- how easily the information could be combined with other data
- the people affected, including whether they are vulnerable individuals
For example, if a payroll file with TFN-related details, bank account information and addresses is sent to the wrong person outside the business, the risk of financial and identity harm may be high. If the recipient confirms immediate deletion and the business can verify that no further access occurred, remedial action may reduce the risk enough to change the outcome. The facts matter.
Who must be notified?
If an eligible data breach occurs, the organisation generally needs to notify the regulator and affected individuals. The notice should describe the breach, the kinds of information involved, and steps individuals should take in response.
The notification should be practical, not vague. People need enough information to protect themselves, such as changing passwords, contacting their bank, or watching for suspicious activity.
Does the scheme apply to startups and SMEs?
Yes, it can. A common misconception is that privacy law only applies to large enterprises. Many startups and SMEs handle personal information through online sales, SaaS products, customer databases, staff systems, bookings, subscriptions and app-based services.
Even where a small business exemption may appear relevant, founders should be cautious. Privacy obligations can still arise depending on the type of information handled, the business model, industry-specific rules, or contractual promises made to customers and commercial partners. Before you sign a major client contract or process sensitive customer data, it is worth checking your actual position rather than assuming the exemption protects you.
When This Issue Comes Up
The ndb scheme usually becomes relevant at exactly the moment a business is least prepared, after an incident has already happened. The practical risk is that teams scramble to investigate while customers, suppliers and internal stakeholders all expect answers immediately.
Common founder and SME scenarios
Many reportable incidents begin with ordinary operational mistakes, not dramatic cyber attacks. Common examples include:
- a staff member falls for a phishing email and attackers access inboxes containing customer data
- an ecommerce platform plugin is compromised and exposes order information
- an employee downloads client files onto a personal device that is later lost
- a spreadsheet containing personal information is sent to the wrong customer or supplier
- a misconfigured cloud storage folder allows public access to records
- a former contractor retains access to business systems after the engagement ends
- a ransomware incident affects systems that store employee or customer information
These situations are not limited to tech businesses. Retailers, agencies, clinics, online educators, tradies with CRM systems, and professional firms can all face the same issue.
When business growth increases the risk
Growth often creates privacy gaps faster than businesses expect. You might move from a simple spreadsheet to multiple SaaS platforms, onboard offshore contractors, or start selling online in a way that collects much more data than before.
This is often when legal settings lag behind operations. Your privacy collection notices may be out of date. Supplier contracts may say very little about incident reporting. Staff may not know who to call if they suspect a breach. Before you spend money on setup for a new platform or outsource a customer support function, check how personal information will flow through the business.
Third-party providers and shared responsibility
Using an IT provider or software platform does not remove your legal risk. If another party stores or processes personal information on your behalf, your business may still need to assess the incident and make notifications.
This is where contracts matter. A service agreement should clearly deal with:
- security obligations
- incident notification timeframes
- cooperation during investigations
- access to logs and technical information
- responsibility for customer communications
- liability and indemnity settings where appropriate
Without those clauses, businesses often discover too late that a vendor will not provide enough information quickly, even though the legal clock is already ticking.
Why speed matters
Once there are reasonable grounds to suspect an eligible data breach, the organisation must carry out a reasonable and expeditious assessment. Delay is a major risk. Waiting for perfect information can make things worse if the facts already point to likely serious harm.
That does not mean rushing out a careless notice. It means having a process that lets decision-makers gather the right facts quickly, preserve evidence, engage technical help, and make a legally defensible call.
Practical Steps And Common Mistakes
A workable breach response plan is the best protection against bad judgement under pressure. The goal is to help your business identify incidents early, assess them properly, and communicate in a way that meets legal obligations without making the situation worse.
What your business should do first
When a suspected breach occurs, your first steps should focus on containment, evidence and decision-making. In practice, that usually means:
- Contain the incident, such as disabling accounts, isolating systems, recovering devices, or restricting access.
- Preserve evidence, including logs, emails, screenshots and internal records of what happened.
- Escalate internally to the right decision-makers, not just the IT team.
- Identify what personal information may be involved and which individuals are affected.
- Assess whether serious harm is likely and whether remedial action can remove that risk.
- Prepare notifications if the breach is likely to be an eligible data breach.
- Record the reasoning behind your assessment and response.
Founders often focus heavily on the technical fix and neglect the record-keeping. That is a mistake. A regulator will usually want to see how your business reached its conclusion, not just the conclusion itself.
Common mistakes under the ndb scheme
Several errors come up repeatedly in small and mid-sized businesses:
- assuming an incident is too minor without a documented assessment
- treating a provider’s verbal assurance as enough evidence
- failing to involve legal or senior decision-makers early
- not knowing where sensitive personal information is stored
- using weak access controls or shared logins across staff
- sending notifications that are too vague, defensive or delayed
- forgetting employee information can also be part of the problem
Another common issue is trying to avoid reputational damage by saying as little as possible. A notification that is incomplete or confusing can create more distrust, and may not satisfy the legal standard.
Prepare before there is a breach
The best time to sort out your legal position is before an incident. A sensible preparation plan often includes:
- a data breach response policy or incident response plan with clear escalation steps
- internal roles for legal, operations, IT, HR and communications
- a current privacy policy and privacy collection notices that reflect actual data handling
- staff training on phishing, access control and incident reporting
- vendor agreements with privacy and security clauses
- regular reviews of what personal information you collect and why you keep it
- retention and deletion practices so old data does not sit around unnecessarily
Businesses that collect more data than they need usually face higher risk when something goes wrong. If old databases, archived spreadsheets or duplicate customer lists are still sitting in unsecured systems, the exposure can be much wider than expected.
How this connects with other legal documents
The ndb scheme does not sit in isolation. Your wider legal documents should support your privacy compliance and incident response. Depending on the business, that may include:
- privacy policies
- website terms and ecommerce terms
- SaaS terms or customer terms
- employee policies and employment contracts or confidentiality clauses
- IT services agreements and software vendor contracts
- data processing and security clauses in commercial contracts
If your contracts promise security measures or notification timeframes, make sure your operations can actually meet them. Overpromising in customer terms can create extra exposure after a breach.
What about insurance and other reporting?
A data breach may also trigger obligations outside the Privacy Act. Your cyber insurance policy may require prompt notification. A key customer contract may require you to report incidents within a fixed time. In regulated sectors, industry-specific requirements may also apply.
This is why a business should not view the ndb scheme as the only issue on the table. Before you respond publicly, confirm whether any insurer, major client, platform provider or sector regulator also needs to be notified.
FAQs
Does every data breach need to be reported?
No. The ndb scheme is concerned with eligible data breaches, not every security incident. Your business needs to assess whether the incident involves personal information and is likely to cause serious harm, unless remedial action removes that risk.
How fast does a business need to act?
You should act quickly. Once there are reasonable grounds to suspect an eligible data breach, the business must carry out a reasonable and expeditious assessment. Delay can increase legal and reputational risk.
Can a small business ignore the ndb scheme?
No, not safely. Some small businesses may be exempt from parts of the Privacy Act, but the position depends on the business and the data involved. Do not assume an exemption applies without checking the details.
What if a software provider caused the incident?
Your business may still have obligations if the provider was handling personal information on your behalf. Review the contract, gather the provider’s incident details quickly, and assess whether your own notification duties are triggered.
What should a notification to affected individuals say?
It should explain what happened, what information was involved, and what practical steps the person should take. Clear instructions matter, such as changing passwords, contacting financial institutions, or monitoring for suspicious activity.
Key Takeaways
- The ndb scheme is Australia’s mandatory notification framework for eligible data breaches under the Privacy Act.
- A reportable breach usually involves personal information, unauthorised access or disclosure or loss, and likely serious harm that has not been prevented by remedial action.
- Startups and SMEs can be affected, especially where they collect customer, employee or sensitive information through digital systems.
- Common incidents include phishing, lost devices, misdirected emails, cloud misconfigurations and third-party provider failures.
- Your business should have a documented response plan, clear internal escalation, current privacy documents and supplier contracts that deal with security incidents.
- Fast, evidence-based assessment is critical, because delay and poor documentation are common mistakes after a breach.
If your business is dealing with ndb scheme and wants help with privacy compliance, data breach response plans, supplier contracts, customer-facing privacy terms, you can reach us on 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.







