Notifiable Data Breach

What is it? What to do if your business experiences a notifiable data breach.

You have a legal obligation to protect sensitive information you hold about employees or customers.

In February 2018, the Office of the Australian Information Commissioner (OAIC) Notifiable Data Breach scheme came into effect. You can learn more about the NDBS here.

In summary, this scheme requires certain businesses in Australia to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as is practicable after becoming aware of a breach.

Businesses that must adhere to the NDB Scheme include:

  • businesses and not-for-profit organisations that have an annual turnover of more than AU$3 million
  • private sector health service providers
  • entities that trade in personal information
  • tax file number (TFN) recipients.

What is a data breach?

A data breach occurs when personal information an organisation or agency holds is lost or subjected to unauthorised access or disclosure. For example, when:

  • a device with a customer’s personal information is lost or stolen
  • a database with personal information is hacked
  • personal information is mistakenly given to the wrong person.

A business that experiences a breach must report the breach to the Office of the Australian Information Commissioner (OAIC) if it meets the NDB Scheme criteria.

The Government takes the privacy and security of Australians’ personal information very seriously.

Not only this, but the potential financial, reputational and legal consequences to a business that suffers a data breach can have serious long-term ramifications.

It is crucial that every business takes an active role in protecting the sensitive and personal information it holds about its customers.

Have you experienced a data breach?

We can help with the remediation. Get in touch now.

** Update ** New fines announced in the wake of the Optus Data Breach

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of:
  • $50 million;
  • three times the value of any benefit obtained through the misuse of information; or
  • 30 per cent of a company’s adjusted turnover in the relevant period.

Key statistics about Notifiable Data Breaches from the Office of the Australian Information Commissioner

These are the guys who get involved when an organisation has a data breach (we imagine Optus and Medicare are keeping them quite busy at the moment!) 

Learn more here

  • of data breaches were the result of malicious or criminal attacks
  • of breaches were caused by human error
  • of all data breaches resulted from cyber security incidents

Don’t become a statistic - get your business cyber secure today!

Get in touch