What the NDB scheme requires
The Notifiable Data Breaches (NDB) scheme has been in force since 22 February 2018. It requires organisations covered by the Australian Privacy Act to:
- Assess suspected data breaches promptly
- Notify the OAIC (Office of the Australian Information Commissioner) if the breach is likely to result in serious harm
- Notify affected individuals so they can take steps to protect themselves
This isn't optional. Failure to comply is an interference with privacy under the Privacy Act — carrying penalties of up to $50 million.
What counts as an "eligible data breach"
A breach triggers NDB obligations when all three conditions are met:
- Unauthorised access to, disclosure of, or loss of personal information — someone who shouldn't have seen the data now has it, or the data is gone
- A reasonable person would conclude it's likely to result in serious harm — consider the type of data (financial, health, identity), the people affected, and who now has access
- The organisation hasn't been able to prevent the serious harm through remedial action — if you can contain the breach and prevent harm entirely, notification may not be required
Examples of eligible breaches
- A database containing customer names, emails, and credit card numbers is accessed by an attacker
- An employee accidentally emails a spreadsheet of client health records to the wrong recipient
- A laptop containing unencrypted customer files is stolen
- Ransomware encrypts your customer database and you can't confirm the data wasn't exfiltrated
- A cloud storage bucket containing personal information is left publicly accessible
Examples that may NOT require notification
- An email sent to the wrong internal team member who immediately deletes it (contained, no serious harm likely)
- A stolen laptop where all data is protected by strong encryption (the data is inaccessible to whoever has the device)
- A breach where you remotely wipe the device before any data is accessed (remedial action prevents harm)
The notification timeline
The law requires notification "as soon as practicable" after you become aware of an eligible breach. In practice:
- Assessment: You have a maximum of 30 days to assess whether a suspected breach is eligible. If you can't determine within 30 days, you must treat it as eligible and notify
- OAIC notification: Submit a statement to the OAIC through their online Notifiable Data Breach form as soon as you've confirmed the breach is eligible
- Individual notification: Notify affected individuals at the same time or as soon as practicable after notifying the OAIC
Cyber Security Act 2024 addition: If your business makes a ransomware payment, you must report it to the Australian Signals Directorate within 72 hours. This is separate from the NDB scheme and applies regardless of whether data was actually accessed.
What the notification must include
Your notification to the OAIC and affected individuals must contain:
- Your organisation's name and contact details
- A description of the breach — what happened and when
- The type of information involved — names, emails, financial data, health records, etc.
- Recommendations about what affected individuals should do — change passwords, monitor bank accounts, contact credit reporting agencies
Why AI threats make NDB readiness urgent
The connection between AI-powered cyber attacks and the NDB scheme is direct:
- More breaches, more often: AI has made attacks cheaper and faster. The OAIC received 527 breach notifications in the first half of 2025 alone — a number that will increase as AI lowers the barrier to attack
- Faster exploitation: When AI can find and exploit vulnerabilities in hours, the 30-day assessment window is far longer than the attacker needs. By the time you've confirmed a breach, the damage is done
- Ransomware acceleration: AI-generated ransomware is becoming more targeted and harder to detect. The 72-hour ransomware reporting requirement under the Cyber Security Act 2024 means you need a response plan ready before the attack happens
- Data volume: AI can exfiltrate and process more data, faster. A breach that used to involve hundreds of records now involves millions
Most businesses aren't prepared
The OAIC's enforcement actions reveal a consistent pattern of unpreparedness:
- No breach response plan: When a breach occurs, most businesses scramble to figure out what happened, who's affected, and what they're legally required to do — losing critical response time
- No data inventory: If you don't know what personal information you hold or where it's stored, you can't assess the impact of a breach
- No communication templates: Drafting notification letters under pressure leads to unclear, legally risky communications
- No designated response team: Without clear roles and escalation procedures, the response is ad hoc and delayed
- No relationship with regulators: The OAIC expects proactive engagement, not radio silence followed by a panicked form submission
How to prepare: your NDB readiness programme
1. Build a data inventory
Know what personal information you hold, where it's stored (cloud, local servers, SaaS tools, email, physical files), who has access, and what purpose it serves. You can't assess a breach if you don't know what data was at risk.
2. Create a breach response plan
A documented, tested plan that covers:
- Detection: How breaches are identified (monitoring, alerts, staff reports)
- Assessment: The process for determining if a breach is "eligible" — with decision trees
- Containment: Immediate actions to stop the breach and prevent further access
- Notification: Templates for OAIC submission and individual notification letters
- Escalation: Who is responsible at each stage — with names, contact details, and after-hours procedures
- Documentation: Records of every action taken (the OAIC will ask for this)
3. Prepare notification templates
Pre-drafted templates for different breach scenarios — customisable but legally compliant — so your team isn't writing from scratch under pressure.
4. Train your team
Every employee who handles personal information should know: how to recognise a potential breach, who to escalate to, and what not to do (don't delete evidence, don't try to fix it without authority).
5. Test your plan
A tabletop exercise — a simulated breach scenario — tests whether your plan actually works. Run one at least annually.
Is your business ready for a data breach?
RabbiiCo Studio's Privacy and NDB Readiness programme gives you the response plan, templates, data inventory, and staff training to meet your legal obligations — before a breach forces you to improvise.