Notifiable Data Breach: When Do You Have to Report and to Whom?
Most organisations discover they have reporting obligations under Australia's Notifiable Data Breaches (NDB) scheme after a breach has already happened. By then, the clock is ticking, and the decisions about what to report, to whom, and when are being made under pressure. Getting those decisions wrong carries real consequences, including regulatory action by the Office of the Australian Information Commissioner (OAIC).
The NDB scheme applies to organisations covered by the Privacy Act 1988, including most private sector organisations with an annual turnover above $3 million, health service providers, and Commonwealth agencies. State and territory government bodies are generally subject to their own frameworks, though the obligations are broadly similar. Understanding the scheme before an incident is far better than reading the legislation at midnight after one.
What Triggers a Notification Obligation?
Not every data breach is notifiable. The obligation applies where a breach is an "eligible data breach" under Part IIIC of the Privacy Act. An eligible data breach occurs when there is unauthorised access to, or disclosure of, personal information, or when personal information is lost and unauthorised access or disclosure is likely; and the breach is likely to result in serious harm to one or more individuals.
Serious harm is the operative threshold. It includes physical, psychological, financial, and reputational harm. Factors the OAIC considers include the sensitivity of the information involved (financial details, health records, identity documents rank highly), whether it was encrypted, who is likely to have accessed it, and the breadth of the affected population. A spreadsheet of employee names and work emails lost in a phishing incident is unlikely to clear the threshold. A database of health records accessed by an external threat actor almost certainly does.
The 30-Day Assessment Window
Where an organisation suspects it may have experienced an eligible data breach but is not yet certain, it has 30 days to complete an assessment. That assessment should determine whether the breach meets the eligibility threshold. If at the end of that period the organisation concludes it does, or if it cannot rule it out, notification is required.
In our incident response engagements, this assessment window is often tighter in practice than 30 days suggests. The OAIC has made clear that organisations should act expeditiously, not simply bank the available time. Where there is strong evidence of a serious breach early in the investigation, we advise clients to move toward notification rather than waiting out the window. The assessment period is not a delay mechanism; it exists to accommodate genuine uncertainty about scope and impact.
Who Do You Notify and What Do You Say?
Notification under the NDB scheme has two components. First, the OAIC must be notified using the data breach notification form available on their website. Second, affected individuals must be notified directly, either individually or, where direct notification is not practical, by publishing a statement on the organisation's website and taking reasonable steps to publicise it.
The notification to affected individuals must include the identity and contact details of the organisation, a description of the breach, the kinds of information involved, and recommendations about the steps individuals should take in response. This is where many organisations struggle. Drafting a clear, accurate, non-alarmist notification that gives individuals something genuinely useful to do requires care. We typically draft notification language in parallel with the forensic investigation rather than waiting for the investigation to conclude, using placeholder text that can be confirmed or revised as findings come in.
Practical Steps Before an Incident Happens
Organisations should have a documented NDB assessment procedure before an incident, not after. That procedure should identify who holds decision-making authority on notification, which legal and privacy advisors will be engaged, and how the assessment will be documented. The OAIC expects that organisations will be able to demonstrate their assessment process, not just their conclusion.
Key elements to have in place include:
- A data register that identifies what categories of personal information are held and where
- An incident response plan that includes a specific NDB assessment track
- Pre-agreed legal and communications advisors with experience in privacy law
- A documented decision log that records who assessed the breach, what information was available, and what conclusion was reached and why
- Template notification language reviewed in advance by legal counsel
Organisations operating across multiple states should also understand their obligations under state privacy legislation, particularly in the health and public sector, where additional frameworks may apply alongside the federal scheme.
Cyberlinx assists organisations through the full NDB process, from initial breach assessment to OAIC notification and individual communications. If you are working through a potential notifiable breach or want to build your NDB readiness before an incident occurs, contact us at info@cyberlinx.com.au.
Related Articles







