The Notifiable Data Breach 30-day rule explained

Under the Privacy Act's NDB scheme you have up to 30 days to assess a suspected breach, then must notify the OAIC and affected individuals. Here's how both clocks work.

Rules Mate Editorial · Published 28 May 2026 · 2 min read

What the NDB scheme is

The Notifiable Data Breaches (NDB) scheme is in Part IIIC of the Privacy Act 1988. This legislation places obligations on organisations to protect personal information held by them and to respond appropriately when a data breach occurs.

The scheme applies to what are known as APP entities. When an ‘eligible data breach’ occurs, APP entities are required to notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals. An eligible data breach is one that is likely to result in serious harm to individuals. You can use the NDB notification timer to help manage the notification timeframe.

The Office of the Australian Information Commissioner (OAIC) administers the NDB scheme and provides guidance to organisations on their obligations.

The 30-day assessment window

Following the discovery of reasonable grounds to suspect an eligible data breach, organisations are required to undertake a thorough assessment. This assessment must be conducted in a reasonable and expeditious manner.

The law mandates that this assessment period cannot exceed 30 calendar days from the point at which the suspected breach came to your attention. To assist with tracking this timeframe, an NDB notification timer is available.

Confirmation of an eligible data breach following this assessment triggers the obligation to notify affected individuals and other relevant bodies.

Notifying the OAIC and individuals

Following confirmation of an eligible data breach, Australian organisations are legally obligated to notify both the Office of the Australian Information Commissioner (OAIC) and any affected individuals as soon as practicable. This requirement is a core element of the Notifiable Data Breaches (NDB) scheme.

The notification to the OAIC and individuals must contain specific details. These include identification of the organisation experiencing the breach, a clear description of the data breach itself, the types of personal information that were compromised, and guidance outlining recommended actions individuals should take in response.

While the law mandates notification as soon as practicable, it’s important to recognise that contractual obligations may exist separately. For example, cyber insurance policies frequently stipulate a shorter notification timeframe, often within 24 hours. Organisations should review their insurance policies independently to ensure compliance with those terms.

Reducing your exposure

A documented data-breach response plan can significantly reduce the time required to assess and notify following a data breach. This plan should outline clear steps and responsibilities for identifying, containing, and assessing breaches, ultimately streamlining the process and minimising potential delays. Organisations should review and update these plans regularly to ensure their effectiveness.

Privacy Act 2026 readiness

The scope of organisations required to comply with the Notifiable Data Breach scheme is expanding. From 10 December 2026, the small-business exemption will be removed. This change will bring approximately 2 million more small and medium-sized businesses into the Privacy Act and the Notifiable Data Breach scheme, meaning more organisations will be obligated to meet these requirements.

To prepare for these changes, organisations should proactively assess their privacy practices. The Privacy Act 2026 readiness tool provides a means to score your privacy program and identify areas for improvement.

Frequently asked

How long do I have to report a data breach in Australia?

You have up to 30 days to assess a suspected eligible data breach. Once confirmed, you must notify the OAIC and affected individuals as soon as practicable.

Does the NDB scheme apply to small businesses?

It applies to APP entities. Many small businesses are currently exempt, but from 10 December 2026 the small-business exemption is removed and around 2 million more SMBs come into scope.
