Notifiable Data Breaches scheme
Also known as: NDB scheme, Notifiable Data Breaches
Quick definition
The Notifiable Data Breaches scheme is the part of the Privacy Act that forces organisations to report serious data breaches. If personal information is exposed in a way likely to cause serious harm, you must notify the affected individuals and the Office of the Australian Information Commissioner promptly. It turns a quiet breach into a public, time-pressured obligation.
How it varies across Australia
The breaches that become public crises are rarely the most sophisticated. They are the avoidable ones: an exposed database, a misconfigured tool, a marketing list left open. Under the scheme the cost is no longer just the breach itself; it is the mandatory disclosure, the brand damage and the loss of trust that follow.
What it actually means
The Notifiable Data Breaches scheme is the disclosure arm of the Privacy Act. It says that if personal information your organisation holds is lost, stolen or exposed in a way likely to result in serious harm to the people involved, you cannot keep it quiet. You must notify the affected individuals and the Office of the Australian Information Commissioner without unreasonable delay.
The trigger is the likelihood of serious harm. A minor exposure that genuinely poses no real risk may not be notifiable, but the assessment has to be made quickly and documented, and the safer path when in doubt is to notify.
For marketers the relevance is direct, because marketing is often the largest collector of personal information in the business. Email lists, customer data platforms, lead databases and the data flowing through tracking tools are all in scope. A misconfigured form, an exposed list or a breached third-party tool can all become a notifiable event.
The scheme reframes data collection. Every record you gather is a record you are responsible for protecting and, if it leaks, a record you may have to publicly disclose losing. That cost belongs in the decision about how much to collect in the first place.
The scheme changes the maths on data. Every record you collect is now a record you may one day have to admit you lost.
How it shows up
Exposure shows up wherever personal information sits in the marketing stack without clear ownership or security: open forms, shared spreadsheets of leads, third-party tools holding customer data, lists exported and forgotten. The practical check is to know where every store of personal information is, who secures it, and whether you could detect a breach quickly enough to notify.
The Australian context
The Notifiable Data Breaches scheme is the Australian regime under the Privacy Act and is overseen by the Office of the Australian Information Commissioner. It differs in detail from breach notification rules in other markets such as the European General Data Protection Regulation, so a global incident response plan needs an Australian-specific path. The Privacy Act reforms underway are expected to strengthen these obligations further.
Common questions
What is the Notifiable Data Breaches scheme?
The part of the Privacy Act that requires organisations to report serious data breaches. If personal information is exposed in a way likely to cause serious harm, you must notify the affected people and the Office of the Australian Information Commissioner promptly.
When does a breach have to be notified?
When it is likely to result in serious harm to the individuals whose information was exposed. The assessment must be made quickly and documented. When the risk is genuinely uncertain, notifying is the safer course.
Does the scheme apply to marketing data?
Yes. Email lists, lead databases, customer data platforms and tracking data all hold personal information and are in scope. Marketing is often the largest collector in the business, which makes it a frequent source of notifiable breaches.
How does the scheme change data collection decisions?
It makes every record a potential future disclosure. Data you collect but never use carries breach risk with no value, which is a strong argument for minimisation: collect what you will use, secure it, and delete the rest.
About New Rebellion
New Rebellion is a marketing intelligence consultancy. We build tools, score Australian businesses on how their marketing actually performs, and publish Debrief every day. This dictionary is part of how we work in the open.