Why this matters for your practice
Every Australian medical practice holds health information, and health information is the most sensitive category of personal information under the Privacy Act 1988. That means the Notifiable Data Breaches (NDB) scheme applies to your practice regardless of its size or turnover. The $3 million annual turnover threshold that exempts many small businesses from the Privacy Act does not apply to organisations that provide a health service and hold health records. A two-room GP clinic carries the same notification obligations as a hospital network.
When a breach happens and you fail to notify, the consequences are not limited to reputational damage. The OAIC can pursue civil penalties for serious or repeated interferences with privacy, and since the 2022 reforms those penalties run into the tens of millions of dollars for bodies corporate. The breach itself is rarely what regulators punish. The failure to assess it properly and notify on time is.
What counts as a notifiable data breach
A breach is only notifiable when it meets the test for an eligible data breach. Three conditions must all be satisfied:
- There is unauthorised access to, unauthorised disclosure of, or loss of personal information that your practice holds.
- This is likely to result in serious harm to one or more individuals.
- Your practice has not been able to prevent that likely serious harm through remedial action.
Examples that commonly meet the test in a healthcare setting include a laptop or unencrypted USB containing patient records being lost or stolen, a ransomware attack that exposes your clinical database, an email containing patient information sent to the wrong recipient, or a staff member accessing records they had no clinical reason to view.
What the OAIC expects you to do
The NDB scheme sets a clear sequence, and the timing is where most practices come unstuck:
- Suspect a breach: assess within 30 days. If you have reasonable grounds to suspect an eligible data breach but are not yet sure, you must carry out a reasonable and expeditious assessment and complete it within 30 calendar days. The 30-day window is a maximum, not a target. Regulators expect you to move faster where you can.
- Confirm a breach: notify as soon as practicable. Once you are satisfied there has been an eligible data breach, you must prepare a statement and notify the OAIC, and notify the affected individuals, as soon as practicable.
- Tell people what to do. The notification must describe the breach, the kinds of information involved, and the steps individuals should take in response.
- Keep the evidence. Document your assessment, the decision you reached, and why. If you decide a breach is not notifiable, the reasoning is exactly what the OAIC will ask for if a complaint is later made.
The single most important thing a practice can have ready before a breach is a written data breach response plan that names who leads the assessment, sets the 30-day clock running on day one, and pre-drafts the notification wording.
Common mistakes practices make
- Assuming the small-business exemption applies. It does not, for health service providers. This is the most frequent and most costly misunderstanding.
- Starting the clock late. The 30-day assessment window starts when you become aware of reasonable grounds to suspect a breach, not when you finish investigating.
- Notifying the OAIC but not the patients (or vice versa). Both notifications are required for an eligible data breach.
- Confusing the NDB scheme with the 72-hour ransomware payment report. They are separate obligations under separate laws, and a serious cyber incident can trigger both at once.
Frequently asked questions
Does the Notifiable Data Breaches scheme apply to a small GP clinic?
Yes. The Privacy Act's small-business exemption does not apply to organisations that provide a health service and hold health information, so every Australian medical and allied health practice is covered by the NDB scheme regardless of turnover or staff numbers.
How long do I have to report a notifiable data breach?
If you suspect an eligible data breach, you must complete a reasonable assessment within 30 days. Once you confirm an eligible data breach has occurred, you must notify the OAIC and the affected individuals as soon as practicable, not at the end of a fixed countdown.
What is the difference between a data breach and a notifiable data breach?
A data breach is any unauthorised access, disclosure, or loss of personal information. It only becomes a notifiable data breach when it is likely to result in serious harm and you cannot remediate that harm in time, which is the test that triggers your obligation to notify.