If your business gets hit by a data breach that’s likely to seriously harm the people whose data you hold, the law gives you a tight window: assess it fast, then notify the regulator and the affected individuals as soon as practicable. Get the timing wrong and the penalties now run into the millions.
That’s the short version of the notifiable data breaches scheme, and it catches far more Melbourne SMEs than most directors realise. Here’s what it actually requires, who it covers, and the incident-handling steps you should have ready before anything goes wrong.
What the NDB scheme actually is
The notifiable data breaches scheme sits under Part IIIC of the Privacy Act 1988 (Cth) and has been in force since February 2018. It’s administered by the Office of the Australian Information Commissioner (OAIC). The core obligation is simple to state and harder to live by: if you experience an eligible data breach, you must notify both the OAIC and every affected individual.
It isn’t a “tell us if you feel like it” arrangement. Notification is mandatory once the threshold is met, and the clock starts the moment you have reason to suspect something has gone wrong. The scheme exists so people can take protective steps — change passwords, watch their bank accounts, put a credit ban in place — before stolen data is used against them.
Who the Privacy Act covers
The Act applies to “APP entities” — organisations bound by the Australian Privacy Principles. The headline test is annual turnover. If your business turns over more than $3 million a year, you’re almost certainly covered. Plenty of directors stop reading there and assume they’re exempt. That’s a mistake, because the exceptions sweep in a lot of smaller operators.
You’re covered regardless of turnover if you:
- Are a health service provider that holds health information — this includes GPs, allied health, dentists, physios, psychologists and pharmacies, no matter how small the practice.
- Trade in personal information (buying or selling it).
- Are a credit reporting body or provide credit.
- Are a contractor delivering services under a Commonwealth contract.
- Are a tax file number recipient (most employers handle TFNs).
A three-chair dental practice in Camberwell with $1.2 million turnover is covered because it holds health information. A logistics broker handling TFNs and credit checks gets pulled in through those activities. The $3 million line is a floor for ordinary businesses, not a free pass for everyone under it. If you handle health data specifically, our write-up on healthcare IT support and OAIC obligations goes deeper on the sector rules.
What counts as an “eligible data breach”
Not every lost laptop or misdirected email triggers notification. An eligible data breach has three ingredients:
- There’s unauthorised access to, or unauthorised disclosure of, personal information you hold — or that information is lost in circumstances where unauthorised access or disclosure is likely.
- A reasonable person would conclude the breach is likely to result in serious harm to one or more affected individuals.
- You haven’t been able to prevent that likely serious harm through remedial action.
That third point matters. If you act quickly enough that serious harm is no longer likely — say, you remotely wipe a stolen, encrypted laptop before anyone could read it — the breach may not be notifiable at all. Remediation is a genuine off-ramp, but only if it’s fast and effective.
The “serious harm” test
“Likely to result in serious harm” is the pivot the whole scheme turns on, and there’s no fixed checklist. The OAIC asks you to weigh factors including the kind of information involved (health records and financial details rank high; a publicly listed business name does not), its sensitivity, whether it was encrypted or otherwise protected, who is now likely to have it, and what they could do with it.
Serious harm can be physical, psychological, emotional, financial or reputational. A breach exposing identity documents and bank details is far more likely to clear the bar than one exposing a marketing mailing list. The judgement is yours to make, but you have to be able to defend it — the OAIC can and does ask to see your reasoning.
The timeframes you have to hit
This is where SMEs get caught out, so be precise about the two clocks.
The assessment clock. If you only suspect an eligible data breach has occurred — you’re not yet sure it clears the serious-harm threshold — you must carry out a reasonable and expeditious assessment. The word “expeditious” means you start straight away, not when it’s convenient. The Act sets an outer limit of 30 calendar days from when you became aware of the grounds for suspicion. Thirty days is a ceiling, not a target. If you can resolve it in three, do it in three.
The notification clock. Once you’ve decided you have an eligible data breach, you must notify the OAIC and affected individuals as soon as practicable. There’s no fixed day count here — “as soon as practicable” is judged on your circumstances — but it is not weeks of internal deliberation. You prepare a statement, lodge it with the Commissioner through the OAIC’s online form, and notify individuals by whatever method you normally use to contact them.
People often talk about a “72-hour rule” for data breaches. That figure comes from the EU’s GDPR, not the Australian Privacy Act. Australia’s standard is the “as soon as practicable” test, with the 30-day assessment ceiling sitting behind it. Treating 72 hours as your internal working deadline is sensible discipline — just don’t mistake it for the letter of Australian law.
The 2024 reforms and the new penalty regime
The penalties for getting this wrong are no longer trivial. Reforms that began with the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 and continued through the Privacy and Other Legislation Amendment Act 2024 sharpened the OAIC’s teeth considerably.
For serious or repeated interferences with privacy, the maximum penalty for a body corporate is now the greater of $50 million, three times the value of any benefit obtained from the misuse of information, or 30 per cent of the entity’s adjusted turnover for the relevant period. That’s a dramatic jump from the previous cap of $2.22 million, and it’s aimed squarely at organisations that treat privacy as optional.
The 2024 reforms also introduced a statutory tort for serious invasions of privacy, gave the Commissioner new mid-tier and low-tier civil penalty powers for less severe contraventions, and added powers to issue infringement notices. The practical effect for an SME: there is now a graduated enforcement ladder, so even a moderate compliance failure can attract a penalty rather than just a stern letter. Australia’s privacy framework is being progressively tightened, and the direction of travel is more obligations, not fewer.
What an SME should have ready before a breach
The businesses that handle a breach well aren’t the ones that read the Privacy Act after the fact — they’re the ones who decided in advance who does what. A data breach response plan doesn’t need to be a 40-page document. It needs to answer a handful of questions before the pressure is on.
| Element | What good looks like |
|---|---|
| Response lead | One named person who owns the assessment and can convene the team within the hour. |
| Detection | Logging and alerting that actually tells you when data is accessed or exfiltrated — not a customer phoning to ask why their details are on a forum. |
| Assessment template | A repeatable way to record what was breached, who’s affected, and your serious-harm reasoning, dated and saved. |
| Containment runbook | Steps to isolate systems, revoke credentials and preserve evidence without destroying it. |
| Notification drafts | Pre-drafted OAIC statement and individual notice you only have to fill in, not write from scratch at 11pm. |
| Contact list | OAIC, your insurer, your lawyer, your MSP and the ACSC’s ReportCyber — current numbers, not guesswork. |
A construction firm in Box Hill we work with discovered a compromised mailbox after a finance staffer’s credentials were phished. Because the logging was already in place, we could see exactly which messages and attachments the attacker had opened, scope the affected individuals within a day, and confirm that the exposed data did clear the serious-harm threshold. The notification went out fast and clean — not because they panicked well, but because the plan already existed. That kind of visibility is exactly what our cybersecurity services and managed detection and response are built to deliver.
Where most breaches actually start
In practice, the overwhelming majority of breaches we see trace back to compromised credentials and email — phishing, business email compromise, reused passwords. The single highest-value control for an SME is strong identity protection: multi-factor authentication everywhere, conditional access on Microsoft 365 that blocks legacy authentication protocols (IMAP, POP, authenticated SMTP cannot enforce MFA), and monitoring that flags anomalous sign-ins such as impossible travel or a burst of failed logins followed by a success. Tightening identity is cheaper than any post-breach notification exercise, and MFA is one of the Essential Eight mitigation strategies for exactly that reason.
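The sign-in checks just described, and the scoping step from the mailbox-compromise case above, as an added example that is not TechAssist’s or Microsoft’s code. It runs three simple rules (impossible travel between successive successful logins, a successful sign-in over a legacy protocol, and a success following a burst of failures from one IP) over constructed records loosely modelled on Entra ID sign-in logs, then lists whose mail the flagged sessions opened using constructed records in the shape of Exchange MailItemsAccessed audit events. Every field name, address, coordinate and threshold is an assumption; a real deployment would read the exported logs instead of the inline sample.

```python
"""Added example: flag anomalous M365 sign-ins and scope what flagged sessions touched.
Not TechAssist's or Microsoft's code. Record shapes, names and thresholds are assumptions.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

LEGACY_PROTOCOLS = {"IMAP4", "POP3", "Authenticated SMTP"}  # cannot enforce MFA
MAX_PLAUSIBLE_KMH = 900                  # faster than this between logins = impossible travel
MIN_TRAVEL_KM = 100                      # ignore commutes and geo-IP jitter
FAILURE_BURST = 5                        # this many failures from one IP ...
FAILURE_WINDOW = timedelta(minutes=15)   # ... inside this window, then a success


def ts(s):
    return datetime.fromisoformat(s)


def _rec(user, time, ip, lat, lon, country, protocol, result, session):
    return dict(user=user, time=time, ip=ip, lat=lat, lon=lon, country=country,
                protocol=protocol, result=result, session=session)


# Constructed sign-in records (assumed schema, loosely after Entra ID sign-in logs).
SIGN_INS = [
    _rec("finance@example.com.au", "2024-05-06T08:55:00", "203.0.113.10", -37.8136, 144.9631, "AU", "Browser", "Success", "s1"),
    _rec("finance@example.com.au", "2024-05-06T09:40:00", "198.51.100.77", 6.5244, 3.3792, "NG", "Browser", "Success", "s2"),
    _rec("finance@example.com.au", "2024-05-06T09:45:00", "198.51.100.77", 6.5244, 3.3792, "NG", "IMAP4", "Success", "s3"),
    *[_rec("ops@example.com.au", f"2024-05-06T02:0{i}:00", "192.0.2.5", 51.5, -0.12, "GB", "Browser", "Failure", "")
      for i in range(5)],
    _rec("ops@example.com.au", "2024-05-06T02:06:00", "192.0.2.5", 51.5, -0.12, "GB", "Browser", "Success", "s4"),
    _rec("ceo@example.com.au", "2024-05-06T10:00:00", "203.0.113.10", -37.8136, 144.9631, "AU", "Browser", "Success", "s5"),
]

# Constructed mailbox-access records (assumed schema, after MailItemsAccessed events).
MAIL_ACCESS = [
    dict(session="s1", sender="payroll@example.com.au", subject="Pay run May"),
    dict(session="s2", sender="alice@client-a.com.au", subject="Invoice 4471"),
    dict(session="s2", sender="bob@client-b.com.au", subject="Signed contract"),
    dict(session="s2", sender="alice@client-a.com.au", subject="Re: Invoice 4471"),
    dict(session="s3", sender="carol@client-c.com.au", subject="Bank details update"),
    dict(session="s3", sender="alice@client-a.com.au", subject="Invoice 4471"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def detect_anomalies(sign_ins):
    """Return one finding per (rule, successful sign-in) that trips a rule."""
    findings = []
    last_success = {}   # user -> most recent successful sign-in record
    failures = {}       # (user, ip) -> timestamps of failed attempts
    for e in sorted(sign_ins, key=lambda r: r["time"]):
        t, key = ts(e["time"]), (e["user"], e["ip"])
        if e["result"] != "Success":
            failures.setdefault(key, []).append(t)
            continue
        # Rule 1: a legacy-protocol success bypasses MFA and conditional access.
        if e["protocol"] in LEGACY_PROTOCOLS:
            findings.append(dict(rule="legacy_auth", user=e["user"], session=e["session"]))
        # Rule 2: impossible travel relative to this user's previous success.
        prev = last_success.get(e["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (t - ts(prev["time"])).total_seconds() / 3600
            if km > MIN_TRAVEL_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                findings.append(dict(rule="impossible_travel", user=e["user"], session=e["session"]))
        # Rule 3: a success right after a burst of failures from the same IP.
        recent = [f for f in failures.get(key, []) if t - f <= FAILURE_WINDOW]
        if len(recent) >= FAILURE_BURST:
            findings.append(dict(rule="failures_then_success", user=e["user"], session=e["session"]))
        last_success[e["user"]] = e
    return findings


def scope_sessions(mail_access, session_ids):
    """Distinct correspondents whose mail the flagged sessions opened: the first
    cut of the 'who is affected' list for the serious-harm assessment."""
    return sorted({m["sender"] for m in mail_access if m["session"] in session_ids})


def run(sign_ins=SIGN_INS, mail_access=MAIL_ACCESS):
    findings = detect_anomalies(sign_ins)
    flagged = {f["session"] for f in findings}
    return findings, scope_sessions(mail_access, flagged)


if __name__ == "__main__":
    found, affected = run()
    for f in found:
        print(f"{f['rule']:23} {f['user']:26} session={f['session']}")
    print("correspondents exposed in flagged sessions:", affected)
```

On the sample, the finance account trips impossible travel (Melbourne to Lagos in 45 minutes) and then a legacy IMAP success from the same address, and the ops account trips the failures-then-success rule; the CEO’s Melbourne sign-in is clean. The scoping step is the part that feeds the assessment clock: the three flagged sessions opened mail from three distinct correspondents, which is the starting list of people whose details may have been exposed, to be refined by reading what those messages actually contained.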
How TechAssist helps
TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers — no offshore helpdesk. Our 24/7 NOC operates out of Tecoma in the eastern suburbs, with a second office in the Melbourne CBD at 575 Bourke Street. When a breach is unfolding, response time is everything: we target sub-15-minute response on critical incidents, which is the difference between containing a compromise and explaining it to the OAIC.
The realistic goal isn’t never having an incident — it’s detecting fast, containing faster, and being able to make a defensible serious-harm decision inside your timeframes. If you’re not confident you could do that today, that’s the gap worth closing. Have a look at our broader managed IT services, or get in touch and we’ll pressure-test your breach readiness before something forces the issue.
Frequently asked questions
Does the NDB scheme apply to my business if I turn over under $3 million?
Possibly. The $3 million turnover threshold is the general rule, but exceptions bring in any size of business that provides health services, handles credit information, trades in personal information, or operates under a Commonwealth contract. Most healthcare providers are covered regardless of turnover.
Is there really a 72-hour deadline to report a data breach in Australia?
No — the 72-hour figure is a GDPR (European) rule. Under the Australian Privacy Act you must notify the OAIC and affected individuals “as soon as practicable” after deciding you have an eligible data breach, and you have up to 30 days to assess a suspected breach. Acting within 72 hours is good practice, not the legal test.
What if I fix the breach quickly — do I still have to notify?
Not necessarily. If you take remedial action fast enough that serious harm is no longer likely, the breach may not be “eligible” and notification isn’t required. The catch is that the remediation has to genuinely remove the risk, and you need to document why it did.
Who do I actually notify, and how?
You notify the OAIC by lodging a statement through its online Notifiable Data Breach form, and you notify affected individuals directly using your usual contact method. If you can’t reasonably contact individuals one by one, you publish the statement and take steps to publicise it.
What happens if I don’t comply?
Failing to comply is an interference with privacy and can attract enforcement by the OAIC. Following the 2022 and 2024 reforms, penalties for serious or repeated breaches reach the greater of $50 million, three times any benefit gained, or 30 per cent of adjusted turnover — alongside new mid- and low-tier penalty powers for lesser failures.
