NDB Framework
What is the Notifiable Data Breaches scheme?
A plain-English guide for Australian small businesses. No legal jargon, no unnecessary complexity - just what you need to know and what it means for your business.
The Simple Version
If you hold data on Australians and you get breached, you have to tell them.
The Notifiable Data Breaches (NDB) scheme commenced on 22 February 2018 under Part IIIC of the Privacy Act 1988 (Cth). It applies to organisations covered by the Privacy Act: businesses with an annual turnover of more than $3 million, plus certain smaller businesses. When an eligible data breach occurs (personal information is lost, or accessed or disclosed without authorisation, and that is likely to result in serious harm to one or more individuals), the organisation must notify both the individuals affected and the Office of the Australian Information Commissioner (OAIC).
Some small businesses are covered regardless of turnover because of what they do, not simply because their data is sensitive: health service providers (including allied health), businesses that buy or sell personal information, and businesses that receive tax file numbers. Real estate agents, insurance brokers and legal professionals may fall into one of those categories, so do not assume the $3 million threshold protects you.
If you are a health service provider, handle tax file numbers, or trade in personal information - yes, regardless of your turnover. If you are a real estate agent, insurance broker, legal professional or accountant, check whether one of those categories applies to you (an accountant who receives clients' TFNs, for example, is covered in relation to that information). If you are another type of business with annual turnover above $3 million - yes. If you are a small business below $3M that falls into none of these categories - you are currently exempt, but the government has proposed removing the small business exemption.
Unauthorised access to, unauthorised disclosure of, or loss of personal information your business holds, where that is likely to result in serious harm to one or more individuals. Examples include ransomware that encrypts or steals client records, a staff mailbox taken over through a phishing attack, or an email containing personal information sent to the wrong recipient. A spoofed email that deceives your clients is not by itself a breach of information you hold; it becomes one if it was made possible by a compromised account or a leaked client list.
Once you have reasonable grounds to suspect a breach, you must assess whether it is eligible, and that assessment must be finished within 30 days. If you conclude the breach is eligible, you must notify the OAIC and the affected individuals as soon as practicable. The notification must describe what happened, what kinds of information were involved, and what steps individuals should take to protect themselves.
Failing to notify is itself an interference with privacy under the Privacy Act and can attract significant civil penalties. Since December 2022, the maximum penalty for a serious interference with privacy is the greater of $50 million, three times the value of any benefit obtained from the conduct, or 30% of adjusted turnover for the relevant period.
Email Security and NDB
Why email is your biggest NDB risk.
Phishing and compromised or stolen credentials are consistently among the leading causes of cyber incidents in the OAIC's half-yearly Notifiable Data Breaches reports, and most of those attacks arrive by email. A domain without SPF, DKIM and an enforcing DMARC policy is easy to impersonate.
A criminal spoofs your domain and sends a fake invoice or payment redirection email to your client, who pays the criminal. On its own this is a fraud against the client rather than a breach of data you hold; it becomes an NDB matter if the attacker obtained the client's details from your systems, such as a compromised mailbox or an exported client list. Either way, the client will hold you responsible.
Without a DMARC policy of quarantine or reject backed by SPF and DKIM, anyone can send email that appears to come from your domain. If that email tricks a client into revealing personal information, you may be liable.
Without DKIM, there is no cryptographic signature tying a message's headers and body to your domain, so a message can be altered in transit, or forged outright, without the recipient being able to tell. Client communications containing personal or financial information can be tampered with.
Spoofed emails that appear to come from your domain are used to harvest passwords from your clients or staff. Once an attacker is inside a staff mailbox holding client personal information, that is unauthorised access, and your NDB assessment obligation is triggered.
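The checks a scanner would run against the SPF and DMARC records described above, written here as an added example rather than CipherSoc's own code. It works on the raw TXT record strings, so it runs offline; the sample records and domain names in it are constructed for illustration and are not real DNS data. In practice you would look up the TXT record at the domain itself (SPF) and at `_dmarc.<domain>` (DMARC) and pass the strings in.

```python
# Added example: offline assessment of SPF and DMARC TXT records.
# Sample records below are constructed, not fetched from real domains.
from typing import Optional

SAMPLE_RECORDS = {  # constructed values for demonstration only
    "weak.example": {"spf": "v=spf1 include:_spf.example.net +all",
                     "dmarc": "v=DMARC1; p=none"},
    "good.example": {"spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
                     "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example"},
    "missing.example": {"spf": None, "dmarc": None},
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_needs_lookup(term: str) -> bool:
    """True if an SPF term counts towards the 10-lookup limit."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "/", "="):
        name = name.split(sep, 1)[0]
    return name in LOOKUP_MECHANISMS


def assess_spf(record: Optional[str]) -> list:
    """Return weakness descriptions for an SPF record ([] if sound)."""
    if not record:
        return ["no SPF record: any server can claim to send for this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["malformed SPF record: must start with v=spf1"]
    findings = []
    lookups = sum(spf_needs_lookup(t) for t in terms[1:])
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: over the limit of 10, receivers return permerror")
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    has_redirect = any(t.lower().startswith("redirect=") for t in terms[1:])
    if not all_terms and not has_redirect:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: every server on the internet passes SPF")
        elif qualifier == "?":
            findings.append("?all: neutral result, SPF offers no protection")
        elif qualifier == "~":
            findings.append("~all: softfail only; fine under DMARC enforcement, weak on its own")
    return findings


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforced(record: Optional[str]) -> bool:
    """True only if 100% of failing mail is quarantined or rejected."""
    if not record:
        return False
    tags = parse_dmarc(record)
    return (tags.get("v", "").upper() == "DMARC1"
            and tags.get("p", "").lower() in ("quarantine", "reject")
            and tags.get("pct", "100") == "100")


def assess_dmarc(record: Optional[str]) -> list:
    """Return weakness descriptions for a DMARC record ([] if sound)."""
    if not record:
        return ["no DMARC record: receivers cannot tell spoofed mail from yours"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["malformed DMARC record: must start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if not tags.get("rua"):
        findings.append("no rua= address: you will never see who is spoofing you")
    return findings


def check_domain(spf: Optional[str], dmarc: Optional[str]) -> dict:
    """Combine both checks; 'spoofable' means a forged From: will be delivered."""
    return {"spf": assess_spf(spf), "dmarc": assess_dmarc(dmarc),
            "spoofable": not dmarc_enforced(dmarc)}


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        result = check_domain(recs["spf"], recs["dmarc"])
        print(domain, "spoofable" if result["spoofable"] else "protected")
        for finding in result["spf"] + result["dmarc"]:
            print("  -", finding)
```

Two design points worth noting. First, `spoofable` is driven by DMARC alone: SPF and DKIM only produce authentication results, and it is the DMARC policy that tells a receiver to act on them, so a domain with perfect SPF and `p=none` still accepts forged mail. Second, the lookup counter exists because an SPF record that grows past ten `include:` and `a`/`mx` terms returns permerror at the receiver, which silently disables the protection even though the record looks complete.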
For the Technical Reader
The NDB scheme in detail.
Eligible data breach
A data breach is eligible for NDB notification when there has been unauthorised access, disclosure, or loss of personal information, AND the breach is likely to result in serious harm to one or more individuals. Both conditions must be met. The assessment of serious harm considers the sensitivity of the information, the persons who have accessed it, and whether it is protected by security measures such as encryption.
The 30-day assessment window
Once an entity becomes aware of reasonable grounds to suspect that an eligible data breach may have occurred, it must carry out a reasonable and expeditious assessment and complete it within 30 days. If the assessment concludes that the breach is eligible, notification to the OAIC and affected individuals must happen as soon as practicable. The 30-day window is a maximum, not a target - notification should happen as quickly as possible. One caveat: if the entity takes remedial action before serious harm results, and as a result the breach is no longer likely to cause serious harm, it is not an eligible data breach and notification is not required.
What must be included in a notification
The notification to affected individuals and the OAIC must include: the identity and contact details of the entity, a description of the breach, the kinds of information involved, and recommendations about the steps individuals should take in response. Notifications to individuals must be direct where reasonably practicable; where it is not, the entity must publish the statement on its website and take reasonable steps to publicise it.
OAIC enforcement powers
The OAIC can investigate complaints, conduct audits, make determinations, and seek civil penalty orders through the Federal Court. Following the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, the maximum penalty for a serious interference with privacy increased dramatically to the greater of $50 million, three times the value of any benefit obtained, or 30% of adjusted turnover for the relevant period. The OAIC has demonstrated increasing willingness to use these powers.
Relationship to other frameworks
The NDB scheme operates alongside other obligations including the Australian Consumer Law, sector-specific regulations for health and finance, and state-based privacy laws. Entities subject to My Health Records Act obligations have additional, stricter notification requirements. CipherSoc scan results address the email security controls most directly relevant to NDB compliance, but do not constitute a comprehensive compliance audit.
This page is provided for informational purposes only and does not constitute legal advice. For advice specific to your business and obligations, consult a qualified Australian privacy lawyer or visit the OAIC at www.oaic.gov.au.
Find out where your business stands today.
Join the CipherSoc waitlist and be first to scan your domain when we launch.
Join the Waitlist