Under the Notifiable Data Breach (NDB) scheme an organisation or agency must notify affected individuals and the OAIC about an eligible data breach.

An eligible data breach occurs when:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
  • this is likely to result in serious harm to one or more individuals, and
  • the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.

An organisation or agency that suspects an eligible data breach may have occurred must quickly assess the incident to determine if it is likely to result in serious harm to any individual.

A data breach that occurred before 22 February 2018 is not an eligible data breach for the purposes of the NDB scheme. However, certain data breaches occur over a period of time. While a system may have been compromised before 22 February 2018, data may have been accessed after that date. While the circumstances will need to be assessed, we suggest that an organisation or agency in this situation should assume the data breach is subject to the NDB scheme.

For how to notify individuals or us about a data breach, see Report a Data Breach

Related pages

About the Notifiable Data Breaches scheme

Who must be notified when an eligible data breach occurs

Arrow

Data breaches (for individuals)

What to do if you're affected by a data breach

Arrow
OAIC logo
Contact us 1300 363 992

Monday to Thursday 10 am to 4 pm (AEST/AEDT)

Acknowledgement of Country

The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.

© Commonwealth of Australia