Rules Mate

Notifiable Data Breach (NDB) scheme

Under the NDB scheme, APP entities must notify the OAIC and affected individuals of an eligible data breach likely to cause serious harm — assessed within 30 days.

criticalcurrentevent driven

Who must comply

All APP entities (Australian Government agencies and organisations with annual turnover >$3M, plus carved-in entities). Removal of the small business exemption is proposed in a future privacy reform tranche — not yet law.

What triggers it

An eligible data breach — unauthorised access/disclosure of personal information likely to cause serious harm.

When due

Notification 'as soon as practicable' after the entity is aware it is an eligible breach. Assessment within 30 days.

Evidence required

Breach assessment record, OAIC notification, individual notification, remediation steps log.

Max penalty

Up to $50M, or 3× benefit, or 30% of adjusted turnover (whichever is greater) for serious or repeated interferences

Summary

Under Part IIIC of the Privacy Act, APP entities must notify the OAIC and affected individuals if there has been an eligible data breach — unauthorised access, disclosure, or loss of personal information that is likely to result in serious harm. The assessment must be completed within 30 days of becoming aware. From the 2024 amendments, statutory tort for serious invasions of privacy is now actionable.

Enforced by

Source legislation

Industries

Topics

privacyndbdata-breach

Related obligations

Frequently asked questions

Who must comply with Notifiable Data Breach (NDB) scheme?
All APP entities (Australian Government agencies and organisations with annual turnover >$3M, plus carved-in entities). Removal of the small business exemption is proposed in a future privacy reform tranche — not yet law.
What triggers Notifiable Data Breach (NDB) scheme?
An eligible data breach — unauthorised access/disclosure of personal information likely to cause serious harm.
When is Notifiable Data Breach (NDB) scheme due?
Notification 'as soon as practicable' after the entity is aware it is an eligible breach. Assessment within 30 days.
What is the maximum penalty for Notifiable Data Breach (NDB) scheme?
Up to $50M, or 3× benefit, or 30% of adjusted turnover (whichever is greater) for serious or repeated interferences
What evidence is required for Notifiable Data Breach (NDB) scheme?
Breach assessment record, OAIC notification, individual notification, remediation steps log.

Source: https://oaic.gov.au/privacy/notifiable-data-breaches. Rules Mate is not a law firm. Always verify against the live regulator source before acting.