How long do I have to report a data breach in Australia?

If you suspect an eligible data breach, you must assess it expeditiously, generally within 30 days. If confirmed, you must notify the OAIC and affected individuals as soon as practicable.

What is serious harm under the NDB scheme?

Serious harm can include physical, psychological, emotional, financial or reputational harm. Whether a breach is likely to cause it depends on factors such as the sensitivity of the information and the protections in place, like encryption.

Do backups help with data breach obligations?

Yes, indirectly. Backups support recovery and remedial action after destructive incidents and help you understand what data was affected, which can reduce harm and assist your assessment and response.

Notifiable Data Breaches: your obligations under the Privacy Act

Lose control of personal information and you may be legally required to tell both the regulator and the people affected. Australia’s Notifiable Data Breaches scheme sets out when and how. Understanding it before an incident is far better than reading it during one.

Key takeaways

The NDB scheme sits within the Privacy Act 1988 and is overseen by the OAIC.
It applies to entities already covered by the Privacy Act’s security obligations.
An eligible breach is one likely to result in serious harm that you cannot prevent through remedial action.
You must assess suspected breaches expeditiously — generally within 30 days.

What the scheme is

The Notifiable Data Breaches (NDB) scheme is part of the Privacy Act 1988 and is administered by the Office of the Australian Information Commissioner (OAIC). It requires covered entities to notify affected individuals and the OAIC when a data breach is likely to cause serious harm. The goal is to let people take protective steps — changing passwords, watching for fraud — and to keep organisations accountable.

Who it applies to

The scheme applies to organisations already bound by the Privacy Act’s security requirements — including many businesses, and entities handling certain types of information such as tax file numbers and health records. If you are obliged to protect personal information, you are likely obliged to report eligible breaches involving it.

What counts as an eligible data breach

An eligible data breach arises when three things hold:

There is unauthorised access to, disclosure of, or loss of personal information.
This is likely to result in serious harm to any affected individual.
You have not been able to prevent that harm through remedial action.

That third point matters: if you can contain the breach so serious harm is no longer likely, notification may not be required.

The timeline

If you suspect an eligible breach, you must carry out a reasonable and expeditious assessment, generally within 30 days. If you confirm it is eligible, you must promptly notify the OAIC and affected individuals with prescribed details, including the nature of the breach and recommended steps.

Where backups come in

Backups will not prevent unauthorised access, but they directly support the "remedial action" and recovery side. If data is destroyed or ransomed, a clean backup lets you restore and demonstrate continuity. Good records also help you assess what was affected — and being able to show tamper-evident, retained copies strengthens your overall privacy posture. Pair this with disciplined access hygiene to reduce the chance of a breach in the first place.

What the scheme is

Who it applies to

What counts as an eligible data breach

The timeline

Where backups come in

Frequently asked questions

How long do I have to report a data breach in Australia?

What is serious harm under the NDB scheme?

Do backups help with data breach obligations?

ATO record-keeping rules: how long must you keep your records?

Securing your Xero account: MFA, OAuth and access hygiene

Immutable backups and WORM storage, explained