When must a data breach be reported to the OAIC?

A breach must be reported when an organisation has reasonable grounds to believe that an eligible data breach has occurred (i.e., unauthorised access, disclosure, or loss of personal information that is likely to result in serious harm). The organisation has 30 days to complete its assessment and must notify the OAIC as soon as practicable after forming that belief.

What information must be included in a breach notification?

Notifications to the OAIC must include the identity and contact details of the organisation, a description of the breach, the kinds of information involved, and recommendations for affected individuals. Notifications to individuals must include the same information plus specific steps they can take to protect themselves.

What are the penalties for failing to notify a data breach?

Failure to comply with the NDB scheme can attract civil penalties under the Privacy Act, with maximum penalties of the greater of $50 million, three times the value of any benefit obtained, or 30% of adjusted turnover. The OAIC can also issue infringement notices, accept enforceable undertakings, and pursue court proceedings.

Book Free Assessment Calculator

Notifiable Data Breach (NDB)

Notifiable Data Breach

Also known as:NDBdata breach notificationmandatory breach reporting

A data breach that is likely to result in serious harm to affected individuals and must be reported to the OAIC and notified to the affected individuals under the Privacy Act 1988.

In-Depth Explanation

The Notifiable Data Breaches (NDB) scheme, established under Part IIIC of the Privacy Act 1988, requires organisations covered by the Australian Privacy Principles to notify the OAIC and affected individuals when a data breach is likely to result in serious harm.

What constitutes a notifiable data breach:

Unauthorised access: Someone gains access to personal information without permission
Unauthorised disclosure: Personal information is made accessible or visible to others
Loss of information: Where unauthorised access or disclosure is likely

The "serious harm" test considers:

The type of information involved (sensitive information, financial details, health records)
Whether the information is encrypted or otherwise protected
The likelihood that the information could be used for identity fraud
The nature of the harm that could result
The individuals affected (vulnerable persons)

Notification requirements:

To the OAIC: Submit a statement as soon as practicable after becoming aware of the breach
To affected individuals: Notify the individuals at risk of serious harm
Content: Include description of the breach, types of information involved, and recommended steps

Assessment timeline:

Organisations have 30 days to assess whether a suspected breach is notifiable
If the assessment confirms serious harm is likely, notification must occur as soon as practicable
The 30-day assessment period begins when there are reasonable grounds to suspect a breach

The OAIC publishes regular statistics on data breaches, with the most common causes being malicious attacks, human error, and system faults.

Business Context

Failing to properly assess and notify data breaches can result in regulatory enforcement action, penalties, and significant reputational damage with customers and partners.

How Clever Ops Uses This

Clever Ops implements data breach response workflows for Australian businesses, including automated breach detection, assessment frameworks, notification templates, and communication plans. We help clients prepare incident response procedures that meet the NDB scheme requirements and minimise response times.

Example Use Case

"A business discovers a potential data breach and uses its automated incident response workflow to assess severity, determine if notification is required, prepare OAIC statements, and notify affected customers within required timeframes."