Introduction to Notifiable Data Breaches (NDB)

A notifiable data breach occurs when personal information held by an organisation is accessed or disclosed without authorisation, or is lost, in a way that is likely to result in serious harm to any individual affected. Such breaches are not only detrimental to the privacy rights of individuals but also pose significant risks to an organisation's integrity and reputation.

Criteria for Notifying

Under the Australian Notifiable Data Breach (NDB) scheme, a data breach must be reported to the Office of the Australian Information Commissioner (OAIC) if:

  1. There is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity.

  2. The breach is likely to result in serious harm to one or more individuals.

  3. The entity has not been able to prevent the likely risk of serious harm with remedial action.

Reporting a Breach: Timeline and Process

Entities must assess a suspected breach within 30 days of becoming aware of it. If the assessment determines that the breach meets the criteria above, the OAIC and the affected individuals must be notified promptly. The notification must include the following information:

  • A description of the data breach.

  • The kinds of information concerned.

  • Recommendations about the steps individuals should take in response to the breach.

Penalties and Fines

Failure to comply with the NDB scheme can result in significant penalties. The OAIC can impose fines of up to $2.22 million for serious or repeated breaches. These fines are intended to ensure that entities take their privacy obligations seriously and implement adequate security measures to protect personal information.

Take the stress out of investigating and possible reporting with