Privacy | 3 October 2025 | 6 min read

Notifiable Data Breaches: A Guide for Australian Small Business Owners

Tags: privacy act, data breach, small business

Every year, Australian businesses — including small businesses — suffer data breaches. Ransomware attacks, phishing emails, accidental disclosures, stolen laptops. The risk is real, and for businesses that hold personal information about customers, employees, or clients, a breach triggers legal obligations under the Notifiable Data Breaches (NDB) scheme.

Understanding these obligations before a breach occurs is significantly better than learning them while managing one. For broader context, see our guide to Privacy Act reform. This guide explains what the NDB scheme requires of Australian small businesses.

Who Does the NDB Scheme Apply To?

The NDB scheme (Part IIIC of the Privacy Act 1988 (Cth)) applies to entities that are subject to the Australian Privacy Principles (APPs). This includes:

  • Businesses with annual turnover of $3 million or more
  • Healthcare providers (regardless of turnover)
  • Credit reporting bodies and credit providers (regardless of turnover)
  • Tax file number (TFN) recipients
  • Some small businesses that have opted in or that are contracted to handle government information

The $3 million exemption: Most small businesses with turnover below $3 million (that are not healthcare providers or in another included category) are exempt from the Privacy Act and therefore from the NDB scheme. However, this exemption is being reviewed as part of the Privacy Act reform process.

Even if your business is currently exempt, building good data practices is worthwhile — the regulatory direction is toward broader coverage.

What Is an Eligible Data Breach?

A notification obligation is triggered when an eligible data breach occurs. An eligible data breach requires:

  1. An eligible event — unauthorised access to, or unauthorised disclosure of, personal information; or loss of personal information where unauthorised access or disclosure is likely; AND
  2. Likely serious harm — the breach is likely to result in serious harm to one or more individuals

Both elements must be present for the notification obligation to arise. Not every breach is notifiable.

What Counts as Serious Harm?

Serious harm includes physical, psychological, emotional, financial, and reputational harm. Relevant factors:

  • The sensitivity of the information (financial data, health data and identity information are all high-sensitivity)
  • The potential for misuse (identity theft, fraud, discrimination)
  • Whether the data was encrypted, and whether the encryption key remained secure
  • Whether the data has already been used in a harmful way

For businesses holding sensitive personal information — particularly health data, financial data, or identity documents — the serious harm test is frequently met when a breach occurs.

The Assessment and Notification Process

Step 1: Identify the Breach

When you become aware of a potential breach:

  • Establish the nature and extent of the breach
  • Identify what information is involved
  • Identify who is affected
  • Take immediate containment steps where possible

Step 2: Assess (Within 30 Days)

You must conduct a reasonable and expeditious assessment of whether the breach is eligible. The 30-day window is a maximum — the Office of the Australian Information Commissioner (OAIC) expects the assessment to be completed as soon as practicable.

Document your assessment:

  • What information was involved
  • How many individuals are affected
  • Whether the breach involved unauthorised access, disclosure, or loss
  • Whether serious harm is likely, considering the factors above

Step 3: Notify (If Eligible)

If the breach is eligible, you must notify:

The OAIC: Submit a notification via the OAIC's online NDB form. Include:

  • Your contact details
  • Description of the breach
  • Types of information involved
  • Recommended steps for affected individuals

Affected individuals: Notify each person whose information was involved. Direct notification (email, phone, letter) is required where reasonably practicable. If not reasonably practicable for all individuals, publish a statement on your website.

Notification must include:

  • Your identity and contact details
  • Description of the breach
  • Types of information involved
  • What steps you recommend affected individuals take

Timing

Notification should be as soon as practicable after confirming the breach is eligible. There is no specific statutory deadline (unlike the GDPR's 72-hour rule), but delays without genuine justification will be viewed critically by the OAIC.

Common Breach Scenarios

Ransomware attack: Your IT systems are compromised. Assume data has been accessed unless you have strong evidence (for example, from forensic analysis) that it was not; many ransomware operators copy data out before encrypting it, so the absence of obvious signs of access is not proof of safety. Engage a cybersecurity firm immediately. Assess and notify.

Misdirected email: You accidentally send personal information to the wrong recipient. Contact the recipient and request deletion. Assess whether the recipient could misuse the information. Many misdirected emails will not be eligible data breaches — but assess promptly.

Stolen device: A laptop or phone containing personal information is stolen. Was the device encrypted? If yes, risk of harm is lower. If no (or uncertain), treat as potentially eligible and assess.

Insider access: A staff member accesses customer records outside the scope of their role. Immediately terminate the access. Assess whether information was disclosed externally. Implement disciplinary action.

Phishing: A staff member clicks a phishing link and enters their credentials, giving an attacker access to email or systems. Assess the scope of access. Assume breach of any information in the compromised system or email account.

Building a Data Breach Response Plan

Before a breach happens, prepare:

A documented response plan covering:

  • Who coordinates the response (name and role)
  • How to contain the breach
  • How to assess whether it's eligible
  • Contact details for the OAIC, your legal adviser, and your IT security provider
  • Template notification to affected individuals
  • Template OAIC notification

Staff training on:

  • What counts as a data breach
  • How to recognise a potential breach (phishing, suspicious system activity)
  • Who to notify immediately when they suspect a breach

Technical security measures:

  • Device encryption for all devices holding personal information
  • Strong passwords and multi-factor authentication
  • Regular backups with tested recovery capability
  • Access controls limiting who can see what information
  • Email security measures (spam filtering, phishing detection)

Penalties for Non-Compliance

Failure to comply with the NDB scheme is a breach of the Privacy Act. Penalties for serious or repeated interferences with privacy have been significantly increased:

  • For companies: up to $50 million (or three times the benefit, or 30% of adjusted turnover — whichever is greatest)
  • For individuals: up to $2.5 million

Beyond regulatory penalties, data breaches damage customer trust, create potential class action exposure (under proposed privacy reforms), and incur significant incident response costs.

How Reguladar Helps

Privacy compliance — including NDB scheme obligations — sits alongside employment, tax, WHS, and licensing requirements in the overall compliance picture for Australian small businesses. Reguladar gives you a single compliance dashboard tracking all your obligations, so your privacy obligations don't get lost in everything else.
