CIO247 Team

The Notifiable Data Breaches Scheme: A Practical Response Plan

A practical guide to the Notifiable Data Breaches scheme under the Privacy Act 1988 for Australian SMBs, including a first-72-hours breach response runbook.

Tags: Cybersecurity, Compliance, Privacy, NDB Scheme, Incident Response, Australian Business

A data breach is no longer a question of "if" but "when." For Australian organisations, the moments after a breach are governed by a clear legal framework—the Notifiable Data Breaches (NDB) scheme. Yet many small and mid-market businesses only discover their obligations in the middle of a crisis, when they can least afford the distraction.

This guide explains what the NDB scheme requires, who it applies to, and how to build a response plan you can actually use under pressure. It finishes with a step-by-step runbook for your critical first 72 hours.

A note before we begin: This article is general guidance, not legal advice. Privacy obligations turn on the specific facts of each incident. Always verify your position with a qualified privacy professional or lawyer before making notification decisions.

What Is the Notifiable Data Breaches Scheme?

The NDB scheme operates under Part IIIC of the Privacy Act 1988 (Cth) and is administered by the Office of the Australian Information Commissioner (OAIC). It came into force on 22 February 2018.

In plain terms, the scheme requires covered organisations to notify both the OAIC and affected individuals when a data breach is likely to result in serious harm to those individuals. The goal is twofold: to give people the chance to protect themselves (by changing passwords, watching for fraud, or cancelling cards) and to drive better security practices across the economy.

Failing to comply can attract regulatory action and significant civil penalties, alongside the reputational damage that follows a poorly handled incident.

Who Does It Apply To?

The NDB scheme applies to entities already covered by the Australian Privacy Principles (APP entities). For most readers, that means:

  • Businesses and not-for-profits with an annual turnover of more than $3 million
  • Organisations of any size that handle particular categories of information, including:
    • Private sector health service providers
    • Businesses that trade in personal information
    • Credit reporting bodies and credit providers
    • Tax File Number (TFN) recipients
    • Contractors providing services under a Commonwealth contract

A common trap for smaller organisations is assuming the $3 million threshold lets them off the hook. If you run a medical practice, allied health clinic, or any business that buys or sells personal data, the scheme likely applies regardless of turnover. When in doubt, treat yourself as covered and confirm with a professional.

What Counts as an 'Eligible Data Breach'?

Not every security incident triggers a notification. The scheme is concerned with an eligible data breach, which has three components. An eligible data breach occurs when:

  1. There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an organisation; and
  2. This is likely to result in serious harm to one or more individuals; and
  3. The organisation has not been able to prevent that likely serious harm through remedial action.

That third point matters. If you act quickly, for example by remotely wiping a lost laptop before anyone can read the data, and you can show that the wipe completed before any access occurred, you may have prevented the likely serious harm and removed the obligation to notify. Record the evidence that the remedial action worked, not merely that it was attempted; a wipe command that was issued but never acknowledged by the device does not prevent anything.

Assessing 'Serious Harm'

"Serious harm" is not defined exhaustively, but it can include physical, psychological, emotional, financial, or reputational harm. When assessing likelihood, consider:

  • The kind and sensitivity of the information (health records and financial details rank far higher than a business email address)
  • Whether the information was encrypted or otherwise protected
  • Who has obtained the information and their likely intent
  • Whether the breach combines multiple data points that, together, enable identity theft or fraud

The 30-Day Assessment Obligation

If you only suspect an eligible data breach may have occurred, you are not immediately required to notify. Instead, you must carry out a reasonable and expeditious assessment to determine whether the criteria are met.

The Privacy Act requires you to take all reasonable steps to complete this assessment within 30 calendar days of becoming aware of the grounds for suspicion. Two things are worth stressing:

  • 30 days is a ceiling, not a target. The law requires you to act expeditiously, so a low-complexity breach should be assessed far sooner.
  • Document everything. Record when you became aware, the steps you took, who was involved, and the reasoning behind your conclusion. If the OAIC ever asks, your assessment trail is your evidence of good-faith compliance.

If your assessment confirms an eligible data breach, the obligation to notify is triggered as soon as practicable.

When and How to Notify

Once you have concluded an eligible data breach has occurred, you must prepare a statement and notify two audiences.

Notifying the OAIC

You notify the Commissioner by completing the online Notifiable Data Breach form on the OAIC website. The statement must set out:

  • The identity and contact details of your organisation
  • A description of the breach
  • The kinds of information involved
  • The steps you recommend individuals take in response

Notifying Affected Individuals

You must also notify the individuals at likely risk of serious harm. The scheme provides three options. You may choose either of the first two; the third is available only when neither of those is practicable:

  1. Notify each individual at likely risk of serious harm directly.
  2. Notify all individuals whose information was involved in the breach. This is the sensible choice when you cannot reliably separate the at-risk subset from everyone else.
  3. Publish the statement on your website and take reasonable steps to publicise it, if neither of the above is practicable.

Direct notification can be by email, phone, SMS, or letter. If practicable, use the channel you normally use to communicate with those people, since an unexpected message from an unfamiliar address is easy to mistake for phishing. Keep the language clear, calm, and actionable so recipients know exactly what to do next.

Building Your Incident Response and Breach Notification Plan

The worst time to design a response process is during an active breach. Build it now while you have the luxury of clear thinking. A workable plan should bring together your technical incident response and your privacy notification obligations into one playbook.

Core elements to put in place

  • A named response team. Identify your breach lead, IT/security contact, legal or privacy adviser, communications owner, and executive sponsor. List names, roles, and after-hours contact details.
  • A clear escalation path. Define who declares a potential breach, who authorises notification, and who speaks to the media.
  • A data map. You cannot assess harm if you do not know what personal information you hold, where it lives, and how sensitive it is. Maintain a simple register.
  • Pre-drafted templates. Prepare a holding statement, an OAIC statement skeleton, and individual notification templates in advance.
  • A contact list. Include your cyber insurer, external forensic provider, the OAIC, and relevant authorities such as the Australian Cyber Security Centre and, where fraud is involved, the police.
  • Logging discipline. Agree where the incident log lives and who maintains it from minute one.

Test it before you need it

Run a tabletop exercise at least once a year. Walk the team through a realistic scenario—a ransomware hit, a misdirected email containing client records, or a lost device—and time how long it takes to make decisions. The gaps you find in a drill are far cheaper than the ones you find in a real event.

The First 72 Hours: A Breach Response Runbook

When an incident lands, work through this checklist methodically. Print it and keep it somewhere your team can reach it even if systems are down.

  • [ ] Open the incident log. Record the date, time, and who reported the issue. Timestamp every action from here on.
  • [ ] Activate the response team. Notify your breach lead and convene the core group.
  • [ ] Contain the breach. Isolate affected systems, revoke compromised credentials, and stop the bleeding before evidence is lost or harm spreads.
  • [ ] Preserve evidence. Avoid wiping or rebuilding systems prematurely; capture logs and snapshots for later investigation.
  • [ ] Scope the impact. Identify what personal information was involved, how many individuals are affected, and how sensitive the data is.
  • [ ] Notify your cyber insurer. Most policies require prompt notification and may provide breach-response specialists.
  • [ ] Engage advisers. Bring in your privacy lawyer and, if needed, an external forensic team.
  • [ ] Begin the formal assessment. Decide whether you have grounds to suspect an eligible data breach and start the clock on your reasonable, expeditious assessment.
  • [ ] Attempt remedial action. Determine whether you can prevent serious harm—if so, document how.
  • [ ] Decide on notification. Conclude whether the breach is notifiable and, if so, prepare the OAIC statement and individual notifications.
  • [ ] Notify if required. Submit the OAIC form and notify affected individuals as soon as practicable.
  • [ ] Brief stakeholders. Keep your executive team and, where relevant, key clients informed with consistent messaging.
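The incident log that the assessment section and this runbook keep returning to is easy to describe and easy to get wrong: entries are added out of order, edited after the fact, and nobody can later say exactly when the assessment clock started. The block below is an added example, not code from the original article, of a minimal tamper-evident incident log in Python. Entries are timestamped in UTC and hash-chained (the chaining is this example's own addition, not something the scheme requires), the entry that records awareness of grounds for suspicion starts the assessment clock, and the deadline is computed as the 30-day ceiling the article describes. All class, method and field names are hypothetical.

```python
"""Minimal tamper-evident incident log for an NDB assessment.

Added example, not part of the original article. Assumptions: timezone-aware
timestamps, a 30-day assessment ceiling measured from the moment of awareness
(as described in the article), and SHA-256 hash chaining, which is an addition
here so that a later edit or insertion is detectable.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

ASSESSMENT_CEILING = timedelta(days=30)  # statutory maximum, not a target
GENESIS = "0" * 64  # prev_hash of the first entry


def _digest(ts: str, actor: str, action: str, prev_hash: str) -> str:
    """Hash of one entry's content plus the previous hash (the chain link)."""
    payload = json.dumps([ts, actor, action, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class Entry:
    ts: str         # ISO-8601, UTC
    actor: str      # who did it (hypothetical field)
    action: str     # what was done
    prev_hash: str  # hash of the preceding entry, GENESIS for the first
    hash: str       # hash of this entry


class IncidentLog:
    def __init__(self, incident_id: str) -> None:
        self.incident_id = incident_id
        self.entries: list[Entry] = []
        self.aware_at: datetime | None = None

    def record(self, actor: str, action: str, at: datetime | None = None) -> Entry:
        """Append an entry; naive timestamps are rejected so times are comparable."""
        at = at or datetime.now(timezone.utc)
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        prev = self.entries[-1].hash if self.entries else GENESIS
        ts = at.astimezone(timezone.utc).isoformat()
        entry = Entry(ts, actor, action, prev, _digest(ts, actor, action, prev))
        self.entries.append(entry)
        return entry

    def mark_aware(self, actor: str, grounds: str, at: datetime | None = None) -> Entry:
        """Record when the organisation became aware of grounds to suspect an
        eligible data breach. The first such entry starts the assessment clock;
        later ones are logged but do not move it."""
        entry = self.record(actor, f"AWARE: {grounds}", at)
        if self.aware_at is None:
            self.aware_at = datetime.fromisoformat(entry.ts)
        return entry

    def assessment_deadline(self) -> datetime | None:
        """Latest moment the assessment should be complete (30-day ceiling)."""
        return None if self.aware_at is None else self.aware_at + ASSESSMENT_CEILING

    def days_remaining(self, now: datetime) -> int | None:
        """Whole days left before the ceiling; negative once overdue."""
        deadline = self.assessment_deadline()
        return None if deadline is None else (deadline - now).days

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or inserted entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or _digest(e.ts, e.actor, e.action, e.prev_hash) != e.hash:
                return False
            prev = e.hash
        return True

    def export(self) -> str:
        """JSON snapshot suitable for handing to advisers or the regulator."""
        return json.dumps(
            {"incident": self.incident_id, "entries": [asdict(e) for e in self.entries]},
            indent=2,
        )


if __name__ == "__main__":
    # Constructed demo data, not a real incident.
    log = IncidentLog("DEMO-0001")
    log.record("helpdesk", "Staff member reports laptop lost on train")
    log.mark_aware("breach-lead", "lost laptop held client records; encryption state unknown")
    log.record("it-lead", "Remote wipe issued via MDM; awaiting acknowledgement")
    print("assessment deadline:", log.assessment_deadline())
    print("chain intact:", log.verify())
    print(log.export())
```

The value of the chain is that a retrospective edit to any entry, or an entry slipped in after the fact, changes every later hash and verify() fails. Keep the exported JSON with your assessment records: it is the timestamped trail the article tells you to preserve.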

After the Dust Settles

Once the immediate crisis passes, hold a post-incident review. Capture what worked, what slowed you down, and which controls would have prevented or limited the breach. Feed those lessons back into your security roadmap—whether that means tighter access controls, better email safeguards, mandatory MFA, or improved staff awareness training.

A breach is a painful way to learn, but organisations that treat it as a forcing function for genuine improvement come out stronger and more resilient.

Getting Help

The NDB scheme is one part of a broader set of privacy and security expectations that includes the Australian Privacy Principles, the ASD Essential Eight (a baseline of mitigation strategies rather than a legal obligation for most private businesses), and any sector-specific rules that apply to you. Pulling these together into a coherent, tested plan takes time and experience that many lean teams simply do not have in-house.

If you would like a second set of eyes on your incident response and breach notification readiness—before you need it—we can help.


Worried about whether your organisation is ready for a notifiable data breach? Contact CIO247 for a practical review of your incident response and privacy readiness, tailored to Australian requirements.

Published on February 26, 2024