A notifiable data breach occurs when personal information is lost, stolen, or accessed without permission and is likely to cause serious harm to the people affected. Under the Notifiable Data Breaches (NDB) framework, businesses covered by the Privacy Act must report these incidents to the Office of the Australian Information Commissioner (OAIC) and notify affected individuals.
For small and medium businesses, this is not just a legal checkbox. A single unreported breach can result in heavy fines, lost customers, and long-term damage to your reputation. Knowing what to do and when can make the difference between a manageable incident and a business-ending crisis.
Table of Contents
What Is the Notifiable Data Breaches Scheme?
What Counts as an Eligible Data Breach?
Your Legal Obligations Under the Privacy Act
How to Report a Data Breach to the OAIC
What to Do After a Data Breach: SME Checklist
Penalties for Non-Compliance
How to Reduce Your Breach Risk
What Is the Notifiable Data Breaches Scheme?
The Notifiable Data Breaches (NDB) scheme came into effect in February 2018. It sits under the Australian Privacy Act breach requirements and applies to organisations that handle personal information.
The scheme has one core purpose. If your business experiences a data breach that is likely to cause serious harm, you must act fast. You must assess the situation, report it to the OAIC, and tell the people whose data was exposed.
This is not optional. It is the law.
Who Does It Apply To?
The NDB scheme applies to organisations with an annual turnover of $3 million or more. It also applies to some smaller businesses regardless of turnover. These include:
- Health service providers
- Businesses that trade in personal information
- Credit reporting bodies
- Tax file number recipients
If you are unsure whether your business qualifies, assume it does and seek advice. The cost of being wrong is far higher than the cost of being prepared.
What Counts as an Eligible Data Breach?
Not every breach triggers a mandatory report. Under Australia's data breach notification rules, a breach is eligible when the following elements are present:
- There is unauthorised access to, or disclosure of, personal information
- The business loses personal information
- The breach is likely to result in serious harm to one or more individuals
Serious harm includes financial loss, identity theft, physical harm, or serious psychological damage. If your assessment concludes that serious harm is unlikely, you may not need to notify. But you still need to document your assessment.
Your Legal Obligations Under the Privacy Act
Once you identify an eligible breach, the clock starts. You have 30 days to complete your assessment and decide whether notification is required.
The 30-Day Rule
From the moment you become aware of a potential breach, you have 30 days to assess it. If you confirm it is an eligible data breach, you must notify the OAIC and affected individuals as quickly as possible.
Waiting too long is a common mistake. Many SMEs delay because they are unsure if the breach qualifies. Start your assessment immediately. Do not wait for certainty.
What Information Must You Report?
Your notification to the OAIC must include:
- Your organisation’s name and contact details
- A description of the breach
- The type of information involved
- The steps you have taken or plan to take
Keep your report factual. Do not speculate. Stick to what you know.
How to Report a Data Breach to the OAIC
OAIC data breach reporting is done through the OAIC’s online portal. The process is straightforward but must be done carefully.
Step-by-Step Reporting Process
1. Confirm the breach is eligible under the NDB scheme.
2. Prepare your statement of notifiable data breach using the OAIC’s official form.
3. Submit the form through the OAIC website.
4. Notify affected individuals directly, by email, letter, or phone, depending on what contact details you have.
5. Document everything. Keep records of what happened, what you reported, and who was notified.
Who Else Do You Need to Notify?
In some cases, you may also need to notify:
- Your cyber insurance provider
- Your legal counsel
- Industry regulators (for example, APRA for financial services businesses)
- Law enforcement if criminal activity is involved
Do not assume the OAIC is your only obligation. Check your contracts and industry regulations.
What to Do After a Data Breach: SME Checklist
Data breach compliance for Australian SMEs starts with having a clear response plan. Here is a practical checklist:
Immediate Actions: First 24 to 48 Hours
| Action | Done? |
|---|---|
| Contain the breach (stop further access or loss) | ☐ |
| Identify what data was affected | ☐ |
| Identify how many people are affected | ☐ |
| Notify your IT team or security provider | ☐ |
| Begin documenting the incident | ☐ |
| Notify senior management | ☐ |
Short-Term Actions: First 30 Days
| Action | Done? |
|---|---|
| Complete your eligibility assessment | ☐ |
| Submit notification to the OAIC if required | ☐ |
| Notify affected individuals | ☐ |
| Review how the breach occurred | ☐ |
| Implement fixes to prevent recurrence | ☐ |
| Update your incident response plan | ☐ |
Having this checklist ready before a breach happens saves critical time when it matters most.
Penalties for Non-Compliance
Ignoring your obligations under Australia's Notifiable Data Breaches scheme is expensive.
Financial Penalties
The Privacy Act allows the OAIC to seek civil penalties for serious or repeated breaches of privacy obligations. Penalties for serious interferences with privacy can reach up to $50 million for corporations, or three times the benefit gained, or 30% of adjusted turnover, whichever is greater.
For an SME, even a mid-range penalty can be devastating.
Reputational Damage
Money is not the only cost. Customers lose trust fast after a breach. If they find out you failed to notify them, the damage is far worse. One breach handled badly can undo years of brand-building overnight.
How to Reduce Your Breach Risk
The best way to handle a breach is to prevent one. Data breach laws for small businesses in Australia are getting stricter, not looser. Getting ahead of the risk now is smarter than reacting later.
Basic Cyber Controls Every SME Needs
- Multi-factor authentication on all systems
- Regular software and security updates
- Staff training on phishing and social engineering
- Encrypted storage for sensitive customer data
- Regular data backups, stored securely offsite
Why a Compliance Framework Helps
A structured compliance framework, like ISO 27001 or the Essential Eight, gives your business a repeatable system for managing risk. It reduces the chance of a breach and makes your response faster and more organised if one does occur.
Most SMEs do not need enterprise-level security. They need the right controls, applied consistently.
Conclusion
Data breaches are not a question of if; they are a question of when. Understanding your obligations under Australia's Notifiable Data Breaches framework puts you ahead of most small businesses. Know the rules, have a plan, and act fast when something goes wrong.
If you are unsure whether your business is compliant or ready to respond to a breach, Security Solution Consultants can help. We work with Australian SMEs to build practical compliance frameworks that protect your business and meet your legal obligations.
FAQs
Q1. What is the Notifiable Data Breaches scheme in Australia?
The NDB scheme requires organisations covered by the Privacy Act to notify the OAIC and affected individuals when a data breach is likely to cause serious harm. It has been in effect since February 2018.
Q2. Does the NDB scheme apply to small businesses?
It applies to businesses with an annual turnover above $3 million. Some smaller businesses, including health providers and those that trade in personal information, are also covered regardless of turnover.
Q3. How long do I have to report a data breach in Australia?
You have 30 days from becoming aware of a potential breach to assess it. If it qualifies as an eligible breach, notify the OAIC and affected individuals as soon as possible within that window.
Q4. What happens if I don’t report a data breach to the OAIC?
Failure to comply can result in civil penalties of up to $50 million for corporations. It also exposes your business to serious reputational damage and loss of customer trust.
Q5. What should I do immediately after a cyber incident?
Contain the breach first. Then identify what data was affected, notify your IT provider, and begin documenting the incident. Start your eligibility assessment within 24 hours, and do not wait to act.
