
Notifiable Data Breach (NDB)


Also known as: NDB, data breach notification, mandatory breach reporting

A data breach that is likely to result in serious harm to the individuals affected, and that must therefore be reported to the OAIC and notified to those individuals under the Privacy Act 1988.

In-Depth Explanation

The Notifiable Data Breaches (NDB) scheme, established under Part IIIC of the Privacy Act 1988, requires organisations covered by the Australian Privacy Principles to notify the OAIC and affected individuals when a data breach is likely to result in serious harm.

What constitutes a notifiable data breach:

  • Unauthorised access: Someone gains access to personal information without permission
  • Unauthorised disclosure: Personal information is made accessible or visible to others
  • Loss of information: Personal information is lost in circumstances where unauthorised access or disclosure is likely to occur

The "serious harm" test considers:

  • The type of information involved (sensitive information, financial details, health records)
  • Whether the information is encrypted or otherwise protected
  • The likelihood that the information could be used for identity fraud
  • The nature of the harm that could result
  • The individuals affected (vulnerable persons)

Notification requirements:

  • To the OAIC: Submit a statement as soon as practicable after becoming aware of the breach
  • To affected individuals: Notify the individuals at risk of serious harm
  • Content: Include description of the breach, types of information involved, and recommended steps

Assessment timeline:

  • Organisations have 30 days to assess whether a suspected breach is notifiable
  • If the assessment confirms serious harm is likely, notification must occur as soon as practicable
  • The 30-day assessment period begins when there are reasonable grounds to suspect a breach

The OAIC publishes regular statistics on data breaches, with the most common causes being malicious attacks, human error, and system faults.

Business Context

Failing to properly assess and notify data breaches can result in regulatory enforcement action, penalties, and significant reputational damage with customers and partners.

How Clever Ops Uses This

Clever Ops implements data breach response workflows for Australian businesses, including automated breach detection, assessment frameworks, notification templates, and communication plans. We help clients prepare incident response procedures that meet the NDB scheme requirements and minimise response times.

Example Use Case

"A business discovers a potential data breach and uses its automated incident response workflow to assess severity, determine if notification is required, prepare OAIC statements, and notify affected customers within required timeframes."

Category: compliance
