Key Takeaways

  • The Notifiable Data Breaches (NDB) scheme requires eligible businesses to notify both the OAIC and affected individuals when a data breach is likely to cause serious harm.
  • Businesses have 30 calendar days to assess whether a breach qualifies as notifiable after becoming aware of a suspected incident.
  • The Privacy Act 1988 (Cth) now carries penalties of up to $50 million for serious or repeated privacy violations following the 2024 reforms.
  • From 30 May 2025, businesses with annual turnover above $3 million must also report ransomware or cyber extortion payments within 72 hours.
  • Preparing a documented breach response plan before an incident occurs dramatically reduces your legal exposure and response time.

A data breach is not a hypothetical risk for most Melbourne businesses. According to the Office of the Australian Information Commissioner (OAIC), 595 data breach notifications were received in the second half of 2024 alone, with malicious cyberattacks and human error accounting for the majority. For businesses that handle customer records, health data, or financial information, the cybersecurity compliance checklist for Melbourne businesses provides the right starting point for understanding where your notification obligations sit.

This guide explains how the NDB scheme works, what triggers a notifiable breach, and the specific steps your business must take when an incident occurs. It covers the reporting timeline, what to tell the OAIC and affected individuals, and how to build readiness before a breach happens.

What Is the Notifiable Data Breaches (NDB) Scheme?

The NDB scheme was introduced under Part IIIC of the Privacy Act 1988 (Cth) and has applied to eligible entities since 22 February 2018. It establishes a mandatory notification process when a data breach is likely to result in serious harm to any individual whose personal information is involved. The scheme is administered by the OAIC, which provides guidance, investigates complaints, and can direct organisations to notify affected individuals if it has reasonable grounds to believe a notifiable breach has occurred.

The 2024 Privacy Act reforms significantly increased the penalties for non-compliance, with civil penalties for serious or repeated breaches now reaching up to $50 million, three times the value of any benefit obtained, or 30 percent of the entity’s adjusted turnover during the breach period, whichever is greater.

Source: Attorney-General’s Department, Privacy Act reforms

Which Businesses Are Covered?

The NDB scheme applies to Australian Privacy Principle (APP) entities, which include:

  • Private sector organisations and not-for-profits with an annual turnover above $3 million
  • Private sector health service providers, regardless of turnover
  • Credit reporting bodies and credit providers
  • Entities that trade in personal information
  • Tax file number (TFN) recipients in relation to TFN information

From 30 May 2025, an additional obligation was introduced: businesses with annual turnover above $3 million must report ransomware or cyber extortion payments to the Australian Signals Directorate within 72 hours of a payment being made. This requirement operates alongside, not instead of, the NDB scheme obligations.

Source: Australian Cyber Security Centre

What Counts as Personal Information?

Personal information is any information or opinion about an identified individual, or an individual who is reasonably identifiable. This includes names, addresses, email addresses, tax file numbers, health records, financial details, login credentials, and biometric data. If your business collects, stores, or processes any of this data, the NDB scheme applies to how you respond to breaches involving it.

What Triggers a Notifiable Data Breach?

The Eligible Data Breach Test

Not every security incident is a notifiable data breach. For a breach to be ‘eligible’ under the Privacy Act, three conditions must all be satisfied:

  • There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by your organisation.
  • The breach is likely to result in serious harm to one or more of the individuals to whom the information relates.
  • Remedial action taken by your organisation has not been able to prevent the likely risk of serious harm.

Serious harm encompasses financial loss, physical harm, identity theft, damage to reputation, and psychological harm. The OAIC expects organisations to assess both the nature of the information involved and the context of the breach when determining likelihood of harm.

Source: OAIC, Notifiable Data Breaches scheme

Common Breach Scenarios for Melbourne SMBs

  • A laptop or mobile device containing customer records is lost or stolen.
  • A ransomware attack encrypts or exfiltrates client data.
  • Personal information is sent by email to the wrong recipient.
  • An employee accesses client records without authorisation.
  • A cloud service provider experiences a breach affecting data your business stores with them.

This last scenario is significant. Under APP 8, if you disclose personal information to an overseas recipient, your business retains responsibility for that information under the NDB scheme. Third-party vendor incidents can trigger your own notification obligations. Our guide on how to vet IT vendors and suppliers for cybersecurity risk covers how to manage this exposure contractually and operationally.

Is your business ready to respond to a data breach? Download our free Cybersecurity Compliance Checklist or contact Otto IT to arrange a breach readiness review.

Your Notification Timeline: What the 30 Days Really Means

The Assessment Period Explained

Once your organisation becomes aware that a data breach may have occurred, you have 30 calendar days to assess whether it is an ‘eligible data breach’ under the Privacy Act. This is not a deadline to notify; it is a deadline to complete your assessment and determine whether notification is required. If your assessment concludes the breach is eligible, you must then notify both the OAIC and affected individuals as soon as practicable.

The 30-day clock starts from when your organisation ‘becomes aware’ of the suspected breach, which can include when an employee first notices unusual activity. Delaying an internal investigation does not pause the clock.

What Happens If You Miss the Deadline?

Failing to complete an assessment within 30 days, or failing to notify when a breach is found to be eligible, constitutes a breach of the NDB scheme. The OAIC can conduct investigations, issue determinations, and apply to the Federal Court for civil penalty orders. Beyond penalties, the reputational damage of a delayed or concealed breach consistently proves more costly than the breach itself.

How to Notify the OAIC and Affected Individuals

Notifying the Office of the Australian Information Commissioner

Notification to the OAIC is made using the online Notifiable Data Breach notification form available at oaic.gov.au. Your statement to the OAIC must include: the identity and contact details of your organisation; a description of the eligible data breach; the kinds of information involved; and recommendations about the steps affected individuals should take.

Source: OAIC – About the NDB scheme

Notifying Individuals: What You Must Say

Affected individuals must be notified directly where practicable. Your notification must include the same core information provided to the OAIC, plus specific recommendations about what the individual should do to protect themselves. Where direct notification is not reasonably practicable, you may publish a notice on your website, but only after consulting with the OAIC about the most appropriate approach.

Documentation and Evidence Requirements

What Records You Must Keep

Regardless of whether a breach is determined to be notifiable, you should maintain a breach register that documents every suspected incident. This register should record the date and nature of the incident, how it was discovered, the assessment process undertaken, the outcome, and any remedial action taken. This documentation is critical when preparing for a cybersecurity audit and supports your ability to demonstrate compliance to insurers and regulators.

Penalties for Non-Compliance

Under the Privacy Act reforms, the OAIC has broader enforcement powers than at any previous point. For serious or repeated interferences with privacy, the OAIC can seek civil penalties of up to $50 million in the Federal Court. For less serious contraventions, the Information Commissioner can accept enforceable undertakings or issue public determinations. Non-compliance also affects your standing with cyber insurance requirements for Australian SMBs, as insurers routinely assess your breach notification history during underwriting.

How to Prepare Your Business Before a Breach Occurs

Building a Breach Response Plan

A documented incident response plan reduces both the time to contain a breach and the legal risk that follows. Your plan should define: what constitutes a breach at your organisation; who is responsible for the internal assessment; your escalation path; how you will notify the OAIC and individuals; and who has authority to approve the notification. Test the plan at least annually. Many Melbourne SMBs that engage in regular IT governance planning already have response procedures as part of their broader security policy.

The Role of a Managed Service Provider

An experienced MSP can reduce your breach risk and improve your response capability across several dimensions: monitoring systems for early indicators of compromise; maintaining audit logs that support your 30-day assessment; assisting with forensic investigation when an incident occurs; and helping draft the OAIC notification and individual communications. Whether you engage Managed IT Support, Remote IT Support, or Co-Managed IT Support, ensuring your provider has clear contractual obligations around incident notification is itself a component of your NDB compliance.

Frequently Asked Questions

Does the NDB scheme apply to my small business?

It applies to businesses with annual turnover above $3 million, all private health service providers, and businesses that trade in personal information, regardless of size. If you are unsure whether you are covered, the OAIC provides eligibility guidance at oaic.gov.au.

What is the 30-day assessment period?

Once you become aware of a suspected breach, you have 30 calendar days to assess whether it meets the eligible data breach threshold. If it does, you must notify the OAIC and affected individuals as soon as practicable after completing that assessment.

What information must I include when notifying affected individuals?

Your notification must describe the breach, the types of information involved, steps you recommend affected individuals take, and your contact details for further enquiries.

Do I need to notify every individual affected?

Direct notification is required where practicable. Where it is not, you may publish a prominent notice on your website after consulting with the OAIC about the appropriate approach.

How can a managed service provider help?

An MSP can implement monitoring to detect breaches earlier, maintain the audit logs needed for your assessment, help draft OAIC notifications, and build and test your breach response plan. For Melbourne businesses, Managed IT Services in Melbourne that include cybersecurity coverage are the most effective way to maintain ongoing readiness.

Conclusion

Australia’s data breach notification obligations are not complex once you understand the framework, but they do require preparation, documentation, and a clear internal process. The 30-day assessment window passes quickly, and the cost of non-compliance, both in penalties and reputational damage, far exceeds the investment in readiness. If your business handles personal information, now is the time to review your breach response plan, ensure your team knows what to do, and confirm your IT provider has the tools to support you when an incident occurs.

Talk to Otto IT about your breach notification obligations. Our team can help you build a documented response plan, implement monitoring controls, and ensure your business meets its Privacy Act requirements. Contact us today.

For further reading within this compliance series, see our cybersecurity compliance checklist for Melbourne businesses, our guide on third-party cybersecurity risk and vendor vetting, and our cybersecurity audit preparation guide for Melbourne SMBs.
