Under the Notifiable Data Breaches (NDB) scheme any organisation or agency the Privacy Act 1988 covers must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.

A data breach occurs when personal information an organisation or agency holds is lost or subjected to unauthorised access or disclosure. For example, when:

  • a device with a customer’s personal information is lost or stolen
  • a database with personal information is hacked
  • personal information is mistakenly given to the wrong person.

The notification to individuals must include recommendations about the steps they should take in response to the data breach. You should notify the OAIC using our online Notifiable Data Breach form. For more information, see Report a Data Breach.

If you think your personal information may be involved in a data breach, see our information for individuals on data breaches.

Our role in the NDB scheme


  • receive notifications of eligible data breaches
  • encourage compliance with the NDB scheme, including by handling complaints, conducting investigations and taking other regulatory action
  • offer advice and guidance to regulated organisations
  • provide information to the community about the operation of the NDB scheme.

For more information on complying with the NDB scheme, see Data Breach Preparation and Response