Cybernion
← Insights

Privacy

Notifiable Data Breaches: The Scheme, the Serious Harm Test and the 30 Day Clock

3 July 2026 · Updated 3 July 2026

Short answer: The Notifiable Data Breaches scheme requires organisations the Privacy Act covers to notify affected individuals and the OAIC when a data breach involving personal information is likely to result in serious harm. If you suspect an eligible breach, you have 30 days to assess it, and you notify as soon as practicable once confirmed.

A data breach is not automatically notifiable. What triggers the obligation is the likelihood of serious harm, and the clock that starts the moment you suspect one. The NDB scheme sits within the broader Australian Privacy Act reform that has strengthened enforcement and introduced new obligations since 2024.

What is a notifiable data breach under the NDB scheme?

A notifiable data breach is an eligible data breach under the Notifiable Data Breaches (NDB) scheme, set up by the Privacy Amendment (Notifiable Data Breaches) Act 2017. An eligible data breach occurs when there is unauthorised access to, unauthorised disclosure of, or loss of personal information an organisation or agency holds, this is likely to result in serious harm to one or more individuals, and the entity has not been able to prevent that likely risk of serious harm through remedial action.

A data breach itself happens when personal information is lost or subjected to unauthorised access or disclosure. The Office of the Australian Information Commissioner (OAIC) gives common examples: a device holding customer information is lost or stolen, a database is hacked, or personal information is sent to the wrong person. Not every breach is eligible. The eligibility test is what separates an internal incident you contain quietly from one you are legally required to report.

Which organisations does the NDB scheme apply to?

The NDB scheme applies to any organisation or agency the Privacy Act 1988 covers. That includes Australian Government agencies, private sector organisations with an annual turnover of more than $3 million, and a range of others regardless of turnover, such as health service providers, businesses that trade in personal information, credit reporting bodies and tax file number recipients.

If the Privacy Act covers you, the NDB scheme covers you. Note that the statutory tort for serious invasions of privacy introduced in 2025 is broader and can reach entities outside the Privacy Act. Many small businesses assume they are outside it because of the turnover threshold, but the exceptions are wide, and holding health information alone is enough to bring you in. Confirming whether you are an APP entity is the first question to settle, because everything downstream, from the assessment clock to the notification duty, depends on it. If you are unsure, treat the answer as yes until you have confirmed otherwise.

What is the serious harm test for a data breach?

The serious harm test asks whether a reasonable person would conclude that the data breach is likely to result in serious harm to any of the affected individuals. Likely means more probable than not, not merely possible. Serious harm is not defined exhaustively, but it can include physical, psychological, emotional, financial or reputational harm.

The assessment weighs several factors: the type and sensitivity of the information, whether it was protected by security measures such as encryption, the likelihood those protections could be overcome, the kinds of people who could have obtained the information, and the nature of the harm that could result. Sensitive information, identity documents and financial details raise the risk sharply. The test also has a built in off ramp. If you take remedial action that removes the likely risk of serious harm, for example recovering a lost device before anyone accessed it, the breach is not eligible and notification is not required.

How long do you have to assess and report a notifiable data breach?

You have 30 days to assess a suspected eligible data breach, and you must notify as soon as practicable once it is confirmed. When an entity has reasonable grounds to suspect an eligible data breach but is not yet certain, it must carry out a reasonable and expeditious assessment, taking all reasonable steps to complete it within 30 days of becoming aware of those grounds. The OAIC frames the response around four steps: contain, assess, notify and review. The table sets out the clock.

StageActionTiming
TriggerYou become aware of grounds to suspect an eligible data breachDay 0
ContainTake immediate action to limit the breach and stop further compromiseImmediately
AssessGather facts, evaluate the risk of serious harm, take remedial actionComplete within 30 days
NotifyIf confirmed eligible, notify the OAIC and affected individualsAs soon as practicable
ReviewRoot cause analysis and changes to prevent recurrenceAfter notification

Thirty days is an outer limit on the assessment, not a grace period before you act. Containment starts immediately, and in some cases it is appropriate to notify individuals before the assessment is complete.

How do you notify the OAIC and affected individuals about a data breach?

You notify the OAIC by preparing a statement and lodging it through the online Notifiable Data Breach form, and you notify affected individuals as soon as practicable. The statement must set out the identity and contact details of the entity, a description of the breach, the kinds of information involved, and recommendations about the steps individuals should take in response, such as changing passwords or watching for scams.

For notifying individuals, the scheme allows notifying each affected individual, notifying only those at likely risk of serious harm, or, where neither is practicable, publishing the statement and taking reasonable steps to publicise it. Notification is a mitigation tool, not a formality. Done well, it gives people the chance to protect themselves and demonstrates that you take the harm seriously. Done late or vaguely, it compounds the damage. A tested data breach response plan, rehearsed before you need it, is what makes the difference between a controlled notification and a scramble. Running a privacy impact assessment on new projects is the upstream control that reduces breach exposure in the first place. If you need help building and maintaining your privacy program, a virtual CISO can own that work on an ongoing basis.

Frequently asked questions

What is a notifiable data breach in Australia?

A notifiable data breach, called an eligible data breach under the NDB scheme, occurs when there is unauthorised access to, unauthorised disclosure of, or loss of personal information an entity holds, this is likely to result in serious harm to one or more individuals, and the entity has not been able to prevent that likely risk of serious harm through remedial action. When those conditions are met, the entity must notify affected individuals and the OAIC.

What is the serious harm test for a data breach?

The serious harm test asks whether a reasonable person would conclude the data breach is likely to result in serious harm to any of the individuals whose personal information was involved. Relevant factors include the type and sensitivity of the information, whether it is protected by security measures such as encryption, the kinds of people who could obtain it and the nature of the harm that could follow. If remedial action removes the likely risk of serious harm, notification is not required.

How long do you have to assess a notifiable data breach?

An entity that suspects an eligible data breach may have occurred must carry out a reasonable and expeditious assessment. It must take all reasonable steps to complete that assessment within 30 days of becoming aware of the grounds for suspicion. If the assessment confirms an eligible data breach, the entity must notify the OAIC and affected individuals as soon as practicable.

Who do you notify about a notifiable data breach?

You notify both the affected individuals and the Office of the Australian Information Commissioner. Notification to the OAIC is made through the online Notifiable Data Breach form. The statement must describe the breach, the kinds of information involved and the steps individuals should take in response. Individuals should be notified as soon as practicable after the entity is aware it is an eligible data breach.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Talk to us.

Sources:

  1. About the Notifiable Data Breaches scheme, OAIC, updated February 2025
  2. When to report a data breach, OAIC, updated June 2026
  3. Data breach preparation and response, Part 3: four key steps, OAIC, updated February 2025

Last updated: 3 July, 2026

Talk to us about your engagement

A scoped proposal within one business day.