Mandatory notifiable data breach reporting for Australian organisations handling PII
The Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Cth) requires Australian organisations handling personal information to notify the OAIC and affected individuals of eligible data breaches. This guide sets out 10 obligations covering detection, 30-day assessment, containment, notification content, and the interaction with sector-specific regimes (My Health Records, CDR, Tax File Numbers).
Coverage
APP entities (agencies and organisations with annual turnover above $3 million, most health service providers, credit providers, and tax file number recipients). Entities handling My Health Records, CDR data, and Tax File Numbers are caught even if they sit below the turnover threshold.
Legal basis
Privacy Act 1988 (Cth) Part IIIC (Notifiable Data Breaches scheme). My Health Records Act 2012 (Cth) s 75 (parallel scheme). Competition and Consumer Act 2010 (Cth) Part IVD (Consumer Data Right Privacy Safeguard 12). Taxation Administration Act 1953 (Cth) s 355-25 (Tax File Number data breaches). OAIC NDB statutory guidance.
The obligations
Detect suspected data breaches
Maintain detection and monitoring capability so that suspected breaches are identified early. Detection triggers the 30-day assessment clock.
Assess suspected breaches within 30 days
If there are reasonable grounds to suspect an eligible data breach, carry out a reasonable and expeditious assessment within 30 days to determine whether there are reasonable grounds to believe the breach is eligible.
Contain the breach promptly
Take reasonable steps to contain the breach immediately — revoke credentials, isolate systems, recall documents. Containment reduces the likelihood of serious harm and may take a breach out of eligibility.
Determine whether the breach is an eligible data breach
An eligible data breach occurs where (a) there is unauthorised access to, unauthorised disclosure of, or loss of personal information, AND (b) the access, disclosure, or loss is likely to result in serious harm to any affected individuals.
Notify the OAIC as soon as practicable
If the breach is an eligible data breach, notify the OAIC as soon as practicable using the online NDB form. There is no fixed outer deadline once eligibility is established — delay needs to be justified.
Notify affected individuals
Notify affected individuals either directly or by publishing the notification statement if direct notification is not practicable. Notification must contain prescribed content.
Include all required content in the notification statement
The statement must include the entity's identity, a description of the breach, the kinds of information involved, and recommendations for steps individuals can take to mitigate harm.
Apply exceptions where available
Exceptions include remedial action that prevents serious harm before assessment completes, certain law enforcement scenarios, and secrecy provisions in other laws. Reliance on an exception must be documented.
Comply with sector-specific breach regimes
My Health Records breaches are reported under the parallel My Health Records scheme. CDR data breaches engage Privacy Safeguard 12 and OAIC reporting. TFN breaches are covered under the Privacy Act but with additional ATO coordination.
Keep breach records for at least three years
Keep records of the breach, the assessment, containment measures, notification decisions, and supporting evidence. Records support future OAIC investigations and demonstrate compliance with the 30-day assessment obligation.
What happens if you do not comply
Serious or repeated interference with privacy (including NDB non-compliance) attracts civil penalties of up to $50 million for bodies corporate, 3x the benefit derived, or 30% of adjusted turnover — whichever is greater. The OAIC can also accept enforceable undertakings and publish determinations. Directors and officers may be personally liable for ancillary contraventions.
Reporting requirements
OAIC notification is required for every eligible data breach (no fixed deadline, but as soon as practicable). Affected individuals are notified directly or, where direct notification is not practicable, by publication. My Health Records breaches are reported under the parallel scheme. CDR breaches are reported per Privacy Safeguard 12. The OAIC publishes an annual statistical summary of notifications.
What firms should do today
- Publish a documented data breach response plan and test it annually
- Build a 30-day assessment workflow with named owners for each step
- Calibrate the serious-harm threshold against OAIC guidance and relevant determinations
- Pre-draft notification templates for the OAIC form and for affected individuals
- Integrate breach response with sector-specific regimes (health, CDR, TFN, SOCI)
- Retain breach evidence for at least three years — longer where another regime applies
Compliance with Quillio
Quillio drafts NDB assessments, containment memos, OAIC notification forms, and affected-individual letters aligned to the current OAIC guidance. Australian-hosted infrastructure keeps breach documentation in jurisdiction. See /resources/security or start a free trial.
This guide is general information about the Notifiable Data Breaches scheme — not legal or privacy advice. Serious harm is a judgement call, and sector-specific regimes add layers. Obtain specialist privacy advice before deciding not to notify or before publishing a breach notification.
Build compliance into your stack.
Quillio is built around AU compliance from the ground up — SOC 2 Type II + ISO 27001 + Australian data sovereignty. The free trial requires no credit card.