Rowan is the Marketing Coordinator at Sprintlaw. She is studying law and psychology with a background in insurtech and brand experience, and now helps Sprintlaw help small businesses
If your business holds customer details, runs an online store, or uses cloud tools to manage clients, you’re a custodian of personal information. With that comes legal obligations under Australia’s Notifiable Data Breaches (NDB) scheme.
In simple terms, a notifiable data breach is a data security incident that is likely to cause serious harm to one or more individuals, and you are legally required to tell those individuals (and the Office of the Australian Information Commissioner) about it.
In this guide, we’ll explain what counts as a notifiable data breach in Australia, when and how you must respond, and the practical steps you can take to reduce risk. We’ll also cover the key legal documents that help you prepare, respond and comply confidently.
What Is A Notifiable Data Breach?
Under the Privacy Act 1988 (Cth), the Notifiable Data Breaches (NDB) scheme requires certain organisations to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) about “eligible data breaches”.
An eligible data breach happens when:
- There is unauthorised access to, unauthorised disclosure of, or loss of personal information, and
- This is likely to result in serious harm to one or more individuals.
Personal information includes anything that can identify a person, such as names, addresses, email addresses, phone numbers, dates of birth, tax file numbers, driver licence or passport details, health and disability records, and payment details.
Serious harm isn’t limited to financial loss. It can include identity theft, psychological harm, humiliation, reputational damage, or loss of opportunity. The assessment is practical: would a reasonable person expect that harm is likely if no remedial action is taken?
Common examples include:
- Sending customer records to the wrong recipient who is outside your organisation.
- A ransomware incident where personal information is accessed or exfiltrated.
- A lost laptop or USB without encryption that contained client files.
- Exposed web database (e.g. misconfigured cloud storage bucket) with customer details.
Not every incident is notifiable. If you can quickly take remedial action that removes the risk of serious harm (for example, you mistakenly send data to a trusted recipient who confirms deletion before accessing it), then it may not be an “eligible” breach. But you still need to assess it promptly and document your decision.
When Do You Have To Notify Under Australia’s NDB Scheme?
You must notify when you have reasonable grounds to believe an eligible data breach has occurred. Two clocks matter here. The duty to assess starts earlier, as soon as you have reasonable grounds to suspect an eligible data breach, and that assessment must be completed within 30 days. The duty to notify starts once the assessment (or the facts) give you reasonable grounds to believe a breach has occurred, so you are expected to move quickly to find out.
How to judge “serious harm”
Consider a mix of factors, including the sensitivity of the information, whether it’s encrypted or de-identified, the security protections in place, who has obtained it (or could obtain it), and the nature and scale of the breach. Health, financial, children’s data and identity documents are higher risk.
What does “as soon as practicable” mean?
The OAIC expects notification without undue delay. You’re also required to complete a “reasonable and expeditious assessment” of a suspected breach within 30 days. In practice, aim to commence within hours, not days, and keep clear records of your decision-making.
Who needs to comply?
The NDB scheme applies to Australian Government agencies, private sector organisations with an annual turnover of $3 million or more, health service providers, and a range of small businesses that handle sensitive information or provide certain services (such as credit reporting bodies). Even if you’re under $3 million, you may still be captured due to the type of personal information you handle.
If you collect any personal information on your website or in your CRM, you should be operating with a compliant Privacy Policy and be prepared to respond to breaches, regardless of turnover. Not only is this best practice, it fosters trust with your customers.
How To Respond: Identify, Assess, Contain And Notify
A calm, structured response reduces harm for individuals and risk for your business. Here’s a practical workflow you can adapt.
Step 1: Identify and contain
- Detect the incident (staff report, IT alert, customer complaint, supplier notification).
- Isolate affected systems, revoke access, rotate credentials, and stop the data flow.
- Preserve evidence for investigation (system logs, emails, screenshots) while maintaining security. Export or snapshot logs before you wipe, reimage or restore a system, because rebuilding it destroys the evidence you need to work out what was accessed and for how long.
Step 2: Assemble your response team
- Nominate an incident lead (often the privacy officer or senior manager).
- Involve IT/security, legal, communications and affected business owners.
- If you have a Data Breach Response Plan, activate it and follow the checklist and roles defined there.
Step 3: Assess eligibility (the 30-day assessment)
- What information was involved? How sensitive is it? Was it encrypted?
- Who accessed it (or could have)? For how long? In what quantity?
- What is the likely harm if no further steps are taken?
- Can remedial action reduce the risk to below “serious harm” (e.g. remote wipe, verified deletion, password resets)?
Document your findings. If you form reasonable grounds to believe serious harm is likely, you must notify.
Step 4: Notify the OAIC and individuals
- Prepare a statement for the OAIC that outlines your identity and contact details, a description of the breach, the kinds of information involved, and recommended steps for individuals. You can streamline this with a tailored data breach notification process and templates.
- Notify affected individuals as soon as practicable. Use clear language and provide practical advice (e.g. change passwords, enable MFA, monitor accounts, contact their bank, and request a credit ban from the credit reporting bodies if identity documents are exposed).
- If you can’t identify every individual, consider public notification (e.g. website notice) that still meets the legal requirements.
Step 5: Remediate and learn
- Close vulnerabilities and strengthen controls to prevent similar incidents.
- Update your training and internal processes.
- Review your incident, your decisions and timing, and refine your response playbook.
If third parties were involved (for example, a software supplier or outsourced support), review your contracts and whether they met their obligations. This is where a robust Data Processing Agreement with vendors is invaluable.
Preventing Breaches: Practical Steps For Small Businesses
Prevention is always cheaper than response. A few targeted controls can materially reduce your risk profile.
Build a security and privacy foundation
- Policy suite: Establish an Information Security Policy that sets minimum technical and administrative controls (access, encryption, patching, backups, acceptable use).
- Privacy management: Keep your Privacy Policy accurate and accessible, and give people a clear Privacy Collection Notice at (or before) the time you collect their information.
- Risk thinking: For new systems or projects, run a proportionate Privacy Impact Assessment to spot and mitigate risks early.
Harden your technology
- Access control: Use unique logins, least-privilege permissions and multi-factor authentication for staff and administrators.
- Patch and backup: Keep software updated, encrypt your backups, keep at least one copy isolated from your production systems and credentials so a ransomware attack cannot reach it, and test restores regularly.
- Data minimisation: Only collect and retain what you need. Fewer records = less exposure.
- Payment data: If you handle card information, comply with PCI DSS and avoid storing card numbers yourself; let your payment provider hold them and work with tokens instead. Our guide on storing credit card details covers the essentials.
Strengthen your third-party ecosystem
- Due diligence: Assess the security and privacy posture of key suppliers (hosting, CRM, marketing tools).
- Contractual protections: Use a Data Processing Agreement to set clear obligations for data handling, breach reporting and assistance.
- Data lifecycle: Align vendor retention and deletion practices with your own approach and any data retention requirements.
People and process
- Training: Run short, frequent refreshers on phishing, handling sensitive information and incident reporting.
- Testing: Tabletop your breach response twice a year so everyone knows their role.
- Marketing compliance: Be careful with mailing lists and consent; this sits alongside privacy law compliance and dovetails with email marketing laws.
What Legal Documents Should You Have In Place?
Having the right documents isn't just about compliance: it speeds up your response and shows regulators and customers you take privacy seriously.
- Privacy Policy: Explains what personal information you collect, why, how you use and disclose it, and how individuals can access or correct it. A clear, compliant Privacy Policy is a baseline requirement for most businesses.
- Privacy Collection Notice: A concise notice you give at the point of collection telling people what you’re collecting and why, with links to your full policy. A tailored Privacy Collection Notice reduces ambiguity and risk.
- Data Breach Response Plan: A practical playbook with roles, decision trees, and draft communications so you can act quickly. A documented Data Breach Response Plan is one of the strongest risk controls you can have.
- Data Breach Notification Templates: OAIC and customer letters prepared in advance. Streamlined notification documents help you meet timing and content requirements under pressure.
- Information Security Policy: Sets minimum technical and administrative controls, staff responsibilities and incident management. See our Information Security Policy for a solid starting point.
- Data Processing Agreement (DPA): Governs how vendors handle personal information, including sub-processors, security, audit rights and breach reporting. A robust DPA is crucial when you rely on third-party platforms.
- Privacy Impact Assessment (PIA) Plan: A structured approach to identifying privacy risks in new projects so you can fix issues before launch. A practical PIA plan keeps privacy “by design”.
Depending on your operations, you may also formalise staff rules (for example, an Acceptable Use Policy and email disclaimers) and align these with your broader security standards.
Key Takeaways
- A notifiable data breach in Australia is a data security incident that's likely to cause serious harm. If that threshold is met, you must notify affected individuals and the OAIC.
- Move fast: identify and contain the incident, run a structured assessment (within 30 days), and notify "as soon as practicable" once you have reasonable grounds to believe an eligible breach has occurred.
- Not every incident is notifiable (effective remedial action can lower risk below the serious harm threshold), but you must document your reasoning.
- Strong foundations reduce risk: clear policies, staff training, multi-factor authentication, vendor due diligence and data minimisation all make a real difference.
- Key documents like a Privacy Policy, Data Breach Response Plan, Information Security Policy and Data Processing Agreement help you comply and respond confidently.
- If you handle personal information, act as if the NDB scheme applies-being prepared protects your customers and your business reputation.
If you would like a consultation on notifiable data breach obligations and getting your privacy documents in place, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.