Rules Mate

Free tool

NDB notification timer

When you become aware of a suspected data breach, you have up to 30 days to assess whether it's an 'eligible data breach' under the Privacy Act. Once confirmed eligible, you must notify the OAIC and affected individuals 'as soon as practicable'. This tool tracks both clocks and surfaces the next steps for each stage.

Last verified: 28 May 2026
Breach details
Current stage
on trackAware 0 day(s) ago

Assessment window: 30 day(s) remaining.

30-day assessment deadline: 3 August 2026

Recommended next steps

  1. Activate your incident response plan. Designate an incident owner and a privacy officer point of contact.
  2. Contain the breach — preserve logs, suspend affected accounts, isolate affected systems.
  3. Begin the assessment under s 26WH — you have a maximum 30 days to determine whether it's an eligible breach.
  4. Start a contemporaneous breach register entry: time of awareness, who knew, actions taken, evidence preserved.

Sources

Reference tool only — not legal advice. The OAIC, your privacy officer, and (where applicable) an Australian-admitted lawyer should be consulted on serious or complex breaches. Cyber insurers usually require notification within 24 hours — check your policy too.

Related tools

Not sure which obligations apply to you?

Run the Compliance Fingerprint — a 2-minute structured assessment that maps your business to every obligation, deadline and regulator that triggers.

Build my Compliance Fingerprint →