Notifiable Data Breaches scheme for Australian law firms
The Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Cth) requires APP entities — which includes most Australian law firms — to assess suspected eligible data breaches quickly and notify the Office of the Australian Information Commissioner (OAIC) and affected individuals where serious harm is likely. Law firms carry heightened exposure because they hold concentrated sensitive client material.
Coverage
Law firms covered by the Privacy Act 1988 (Cth): in practice, those with annual turnover above $3 million, and many smaller firms that handle health or sensitive information or provide services to government. The safer assumption is that the NDB scheme applies to almost every Australian law firm.
Legal basis
Privacy Act 1988 (Cth) Part IIIC (Notifiable Data Breaches). Australian Privacy Principle 11 (security of personal information). OAIC Notifiable Data Breaches scheme guidance.
The obligations
Take reasonable steps to prevent breaches
Maintain security controls proportionate to the sensitivity of the information — including access controls, encryption, patching and staff training.
Operate a written data breach response plan
Keep a documented response plan setting out roles, decision points, communications and escalation paths for suspected breaches.
Triage suspected breaches quickly
When a breach is suspected, begin a prompt assessment — the Privacy Act sets an outer limit of 30 days to decide whether the breach is notifiable.
Apply the serious harm test
Assess whether unauthorised access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Consider remedial action that prevents harm
If remedial action prevents the risk of serious harm, the breach may not be notifiable, but the remedial action must actually remove that risk rather than merely be hoped to.
Notify the OAIC as soon as practicable
If the breach is an eligible data breach, prepare a statement for the OAIC as soon as practicable, including the information required by the Privacy Act.
Notify affected individuals
Take such steps as are reasonable to notify affected individuals of the breach, the kinds of information involved and the steps they can take to protect themselves.
Preserve evidence and manage legal privilege
Preserve logs, forensic images and communications relevant to the breach, and manage the engagement of forensic and legal advisers so privilege is maintained where possible.
Co-operate with regulators and report to others where required
Co-operate with the OAIC and consider other reporting obligations — for example, ASIC, APRA, state Legal Services Commissioner, or overseas regulators.
Run a post-incident review and remediation
After the breach, review the root cause and implement improvements — and document lessons learned in the firm's security program.
What happens if you do not comply
Serious or repeated interferences with privacy can attract civil penalties of up to $50 million for bodies corporate (or 30% of adjusted turnover, whichever is greater) under recent Privacy Act amendments, together with determinations, enforceable undertakings and reputational consequences.
Reporting requirements
Eligible data breaches must be reported to the OAIC via the NDB form and to affected individuals as soon as practicable. The statement must describe the kinds of information, circumstances of the breach, and steps individuals can take.
What firms should do today
- Keep a written data breach response plan and test it at least once a year
- Train every staff member on how to recognise and report a suspected incident
- Pre-appoint the firm's forensic, communications and legal responders so they can be engaged in hours, not days
- Run a 24-hour triage process that starts the 30-day assessment clock from the moment a breach is suspected
- Document every decision, including decisions not to notify, with supporting reasoning
Compliance with Quillio
Quillio runs on Australian-hosted infrastructure and never uses client content to train public models — reducing the surface area for cross-border data disclosure during a breach response. See /resources/security.
This guide is general information about the Notifiable Data Breaches scheme only — not legal or compliance advice. Actual breach response should be led by the firm's privacy officer, IT security advisers and external counsel.
Build compliance into your stack.
Quillio is built around AU compliance from the ground up — SOC 2 Type II + ISO 27001 + Australian data sovereignty. The free trial requires no credit card.