Notifiable Data Breach (NDB) scheme
Under the NDB scheme, APP entities must notify the OAIC and affected individuals of an eligible data breach likely to cause serious harm — assessed within 30 days.
Who must comply
All APP entities (Australian Government agencies and organisations with annual turnover >$3M, plus carved-in entities). Removal of the small business exemption is proposed in a future privacy reform tranche — not yet law.
What triggers it
An eligible data breach — unauthorised access/disclosure of personal information likely to cause serious harm.
When due
Notification 'as soon as practicable' after the entity is aware it is an eligible breach. Assessment within 30 days.
Evidence required
Breach assessment record, OAIC notification, individual notification, remediation steps log.
Max penalty
Up to $50M, or 3× benefit, or 30% of adjusted turnover (whichever is greater) for serious or repeated interferences
Summary
Under Part IIIC of the Privacy Act, APP entities must notify the OAIC and affected individuals if there has been an eligible data breach — unauthorised access, disclosure, or loss of personal information that is likely to result in serious harm. The assessment must be completed within 30 days of becoming aware. From the 2024 amendments, statutory tort for serious invasions of privacy is now actionable.
Enforced by
Source legislation
Industries
Topics
Related obligations
- CWLTHPublish a Privacy Policy compliant with APP 1Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
- CWLTHAutomated Decision-Making transparency under Privacy Act (phased)From a phased commencement, APP entities using ADM must disclose in Privacy Policy.
- CWLTHAPP 3 collection of sensitive informationAPP 3 bars collecting sensitive information — health, race, religion, sexual orientation and more — without consent. What counts as sensitive, the exceptions and penalties.
- CWLTHPrepare for the proposed removal of the small business exemptionRemoving the Privacy Act small business exemption (<$3M turnover) is proposed for a future reform tranche — agreed in principle, not yet law.
- CWLTHPrivacy Act Reform — information controllers regime (proposed Tranche 2)Tranche 2 reforms in scoping — information controllers + processors regime.
- CWLTHProvide an APP 5 collection notice at or before collectionAPP 5 requires notice of identity, purposes, recipients, consequences of not providing info, and where Privacy Policy lives.
Frequently asked questions
- Who must comply with Notifiable Data Breach (NDB) scheme?
- All APP entities (Australian Government agencies and organisations with annual turnover >$3M, plus carved-in entities). Removal of the small business exemption is proposed in a future privacy reform tranche — not yet law.
- What triggers Notifiable Data Breach (NDB) scheme?
- An eligible data breach — unauthorised access/disclosure of personal information likely to cause serious harm.
- When is Notifiable Data Breach (NDB) scheme due?
- Notification 'as soon as practicable' after the entity is aware it is an eligible breach. Assessment within 30 days.
- What is the maximum penalty for Notifiable Data Breach (NDB) scheme?
- Up to $50M, or 3× benefit, or 30% of adjusted turnover (whichever is greater) for serious or repeated interferences
- What evidence is required for Notifiable Data Breach (NDB) scheme?
- Breach assessment record, OAIC notification, individual notification, remediation steps log.
Source: https://oaic.gov.au/privacy/notifiable-data-breaches. Rules Mate is not a law firm. Always verify against the live regulator source before acting.