Notifiable Data Breaches Scheme

Understand the NDB scheme under the Privacy Act, the 72-hour assessment deadline, OAIC notification requirements, and how Standardise tracks breaches with countdown badges.

Overview

The Notifiable Data Breaches (NDB) scheme commenced on 22 February 2018 under Part IIIC of the Privacy Act 1988. It requires APP entities to notify the OAIC and affected individuals when a data breach is likely to result in serious harm. The scheme applies to all organisations and agencies covered by the Privacy Act, including Australian Government agencies, organisations with annual turnover above $3 million, and certain other entities such as health service providers and TFN recipients.

What Is an Eligible Data Breach?

An eligible data breach occurs when three conditions are all met:

  1. There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an entity.
  2. A reasonable person would conclude that the access, disclosure, or loss is likely to result in serious harm to any of the individuals to whom the information relates.
  3. The entity has not been able to prevent the likely risk of serious harm through remedial action.

Serious harm includes physical, psychological, emotional, financial, and reputational harm. Factors to consider include the type and sensitivity of the information, whether it is protected by security measures (such as encryption), the nature of the individuals affected, and the likelihood of misuse.

Assessment and Notification Deadlines

When an entity has reasonable grounds to suspect a data breach may be an eligible data breach, it must carry out a reasonable and expeditious assessment. The assessment must be completed within 30 days of the entity becoming aware of the grounds to suspect the breach.

While the Act specifies 30 days for the assessment period, the OAIC strongly encourages entities to complete their assessment much sooner. In practice, the OAIC expects notification as soon as practicable after the entity forms a reasonable belief that an eligible data breach has occurred. Many organisations adopt an internal 72-hour target for completing initial assessments, aligned with international best practice (such as the EU GDPR 72-hour notification requirement).

Once an eligible data breach has been confirmed, the entity must notify both the OAIC and affected individuals. The notification must include:

  • The identity and contact details of the entity
  • A description of the breach and the kinds of information involved
  • Recommendations about the steps individuals should take in response

Penalties for Non-Compliance

Failure to comply with the NDB scheme is an interference with the privacy of an individual under the Privacy Act. The OAIC can investigate, make determinations, and seek civil penalties. Since the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, penalties for serious or repeated interferences with privacy can reach up to $50 million, three times the value of the benefit obtained, or 30% of adjusted turnover, whichever is greatest.

ISO 27001 Alignment

The NDB scheme directly relates to ISO 27001:2022 Clause 10.2 (Nonconformity and corrective action) and Annex A control A.5.24 (Information security incident management planning and preparation). An effective incident management process, as required by ISO 27001, provides the foundation for detecting, assessing, and reporting eligible data breaches within the required timeframes.

How Standardise Helps

The AU Compliance Hub includes an NDB Register tab, a dedicated register for tracking data breaches from detection through notification and closure. Key features include:

  • Breaches flagged in the Incident Management module automatically appear in the NDB register for assessment
  • Countdown badges that visually indicate time remaining against the assessment deadline: green when more than 48 hours remain, yellow between 24 and 48 hours, red when under 24 hours, and a pulsing indicator when the deadline is overdue
  • Status tracking through the full lifecycle: assessing, notifiable, not notifiable, OAIC notified, individuals notified, and closed
  • Recording of the assessment deadline, OAIC notification date, number of affected individuals, and a description of each breach
  • Audit trail of all status changes and actions taken, supporting evidence of compliance in the event of an OAIC investigation