Compliance | 13 January 2026

Mandatory Data Breach Notification: A Step-by-Step Playbook

Under the NDB scheme you've got 30 days to notify the OAIC and affected individuals. Here's the exact process, and what happens if you miss it.

Australia's Notifiable Data Breaches (NDB) scheme has been in force since February 2018, but every year the OAIC's quarterly reports show that the majority of notifications miss the 30-day deadline or arrive incomplete. The scheme isn't going away — it's getting more aggressive, with the 2022 amendments raising the maximum penalty to $50 million. Here's the step-by-step playbook every Australian business should have written down before they need it, and exactly what happens if you get it wrong.

When the NDB scheme applies

Under Part IIIC of the Privacy Act 1988, you must notify the OAIC and the affected individuals if there's been an "eligible data breach" — meaning personal information has been lost, accessed without authorisation, or disclosed without authorisation, AND the breach is likely to result in "serious harm" to one or more affected individuals.

"Serious harm" is broadly defined: psychological, emotional, physical, reputational, economic, and financial harm all qualify. The threshold isn't high — the OAIC's published guidance lists examples that include identity theft risk, financial fraud, embarrassment, damage to relationships, and damage to professional standing. If you find yourself arguing "this probably isn't that serious," you're already at the wrong end of the analysis.

Who's covered

The scheme covers everyone subject to the Privacy Act — most Australian organisations with annual turnover above $3 million, plus the long list of smaller entities also in scope (health service providers, credit reporting bodies, businesses handling TFNs, employee-association handlers, businesses buying or selling personal information). Note: contracted service providers for Commonwealth agencies are caught regardless of turnover. If you're advising a government client, assume you're in scope.

The 30-day clock — calendar days, not business days

From the point you become aware of a suspected eligible breach, you have 30 days to complete the assessment and, if the breach is confirmed eligible, issue the required notifications. The 30 days is calendar days: weekends, public holidays, and Christmas all count.

The typical breakdown of where that 30 days goes:

  • Days 1-5: Internal investigation, evidence preservation, technical containment.
  • Days 6-12: Legal review of breach scope, applicability of the NDB threshold, drafting the OAIC submission.
  • Days 13-20: Drafting individual notifications, internal sign-off, partner / executive review.
  • Days 21-28: Issuing notifications, coordinating with insurance carrier, preparing for follow-up regulatory questions.
  • Days 29-30: The buffer most organisations expected to have, now spent on last-minute coordination.

Most organisations think they have plenty of time. They don't. The 30 days disappears especially fast when the breach is identified late on a Friday or just before a long weekend.

The three-phase response

Phase 1 — Contain (first 24 hours). Stop the bleeding. Revoke compromised access, close the technical gap, preserve evidence. Crucially: do NOT delete anything that might be needed for the investigation or for the OAIC's later review. If a third-party service was compromised, document exactly what was done and when. The audit trail of your response is itself evidence, both for the OAIC and (potentially) for cyber-insurance claims.

Phase 2 — Assess (days 2-14). Work out what information was exposed, to whom, and whether serious harm is likely. Document your reasoning rigorously — you may need to defend it to the OAIC later. If you decide the breach is below the threshold and notification isn't required, you still need contemporaneous records showing how you reached that conclusion. The OAIC has the power to compel that evidence after the fact.

Phase 3 — Notify (by day 30). If notification is required, you need to tell the OAIC (via their online Notifiable Data Breach form) and each affected individual. The notification must include: a description of the breach; the kinds of information involved; the steps the affected individual should consider taking in response; and your organisation's contact details for further questions.

What individual notifications actually look like

The OAIC form is straightforward. The individual notifications are the harder part. The OAIC's guidance is explicit on several points that catch organisations out:

  • Notification must be direct. Email, letter, or phone call to the affected individual. A notice on your website is not sufficient unless it's genuinely impractical to contact individuals directly (a high bar).
  • Plain language is required. Legal boilerplate that obscures what happened doesn't meet the standard. The OAIC has called this out specifically in published determinations.
  • You must offer a way to contact you with questions. A monitored mailbox and a phone number that's actually staffed during business hours.
  • "Reasonable steps" applies to delivery. If a recipient's email bounces, you have to make a reasonable second attempt — not just shrug.

What happens if you miss the deadline or get it wrong

The OAIC's enforcement options scale with the seriousness:

  • Infringement notices. Civil penalties for the breach of the notification obligation itself, separate from the underlying privacy breach.
  • Enforcement proceedings. The OAIC can seek injunctive relief, declarations, and civil penalty orders through the Federal Court.
  • Civil penalty maxima (post-2022 amendments). Up to $2.5 million for individuals; for bodies corporate, the greater of $50 million, three times the benefit obtained, or 30% of the entity's adjusted turnover for the relevant period.
  • Reputational consequences. The OAIC publishes its enforcement actions. Being named in an OAIC determination tends to follow a firm for years; clients ask about it during procurement reviews.

Common mistakes (the playbook is supposed to prevent these)

  • Starting the 30-day clock from the wrong date. The clock starts when you become aware of a SUSPECTED breach, not when you confirm one. The OAIC has called this out in multiple determinations.
  • Deleting evidence "to clean up." An employee deleting suspicious emails out of helpfulness can destroy the audit trail you need. Lock down evidence immediately.
  • Notifying via website notice instead of direct contact. Doesn't meet the threshold unless direct contact is genuinely impractical.
  • Boilerplate language. "Your information may have been involved in a recent security incident" tells the recipient nothing useful and reads as evasive.
  • Not telling your cyber-insurance carrier early. Many policies have notification obligations of their own with their own deadlines, separate from the OAIC's.
  • No prepared playbook. The 30-day clock is brutal on organisations figuring out their response in real time.

The pre-breach checklist (have this written down BEFORE you need it)

  • Named incident lead. One person, not a committee. Usually the COO, CFO, or General Counsel.
  • Approval chain for notifications. Who can authorise the OAIC submission? The individual notifications? Documented in advance, not negotiated under pressure.
  • Evidence preservation procedure. Step-by-step: which logs, where they're stored, who has access, how long they're retained.
  • External advisor relationships. Privacy lawyer on retainer (or at least known and pre-briefed), cyber-insurance broker, PR adviser for serious breaches.
  • Template notifications. Pre-written OAIC submission template, pre-written individual notification template. Editing them takes 20 minutes; writing them from scratch under pressure takes 24 hours.
  • Annual dry-run. 30 minutes a year walking through a hypothetical breach scenario. Saves weeks of panic when it's real.

How ShareAndGo helps reduce the breach probability in the first place

Most notifiable breaches in the OAIC's reports trace back to email misaddressing, oversharing of cloud folders, or stale access permissions after employee turnover. A purpose-built data room reduces all three:

  • Email isn't the sharing channel. Documents stay in the room; recipients access them through an authenticated session. A misaddressed email becomes "the wrong address got an access link that doesn't work for them" rather than "the wrong address got the entire document."
  • Access is per-document and per-recipient. No folder-level permissions sprawl. Revoking an individual's access takes one click and is logged.
  • Audit trail is tamper-evident. When an investigation needs to know exactly who saw what, the answer is one query away.
  • Australian-resident, end-to-end. Data stays in Australia, so APP 8 cross-border disclosure obligations don't compound the breach analysis.

Our first-24-hours playbook covers the technical containment phase. The Privacy Act primer sets out the broader regulatory context. For legal practices we've documented privilege-aware response patterns.

This is general information, not legal advice. Privacy law is technical and the consequences of getting it wrong are large — engage a privacy lawyer before you need one.
