Do you need to notify the OAIC?
Walk through the Privacy Act 1988 (Cth) Part IIIC serious-harm test in 3 minutes. Get a clear outcome and a time-stamped decision record you can file as evidence. No AI, no account, no guesswork.
Do you need to notify the OAIC about this data breach?
An 8-question decision wizard built from Part IIIC of the Privacy Act 1988 (Cth) and the OAIC's Notifiable Data Breach scheme. You get a clear outcome (notify, assess further, not notifiable, or not covered) plus a time-stamped decision record you can file as evidence.
Coverage (s6C/s6D), eligibility (s26WE), serious-harm factors (s26WG), remedial action (s26WF).
Outcome, rationale, and next steps. Email it to yourself as your contemporaneous audit trail.
Deterministic logic, no AI. Same inputs always produce the same decision.
The NDB scheme is a structured test, not a gut call.
When a breach happens, the clock starts. A well-meaning practice manager googles "do I need to notify OAIC", lands on twelve-page PDFs, and ends up guessing. The result is either over-notification (reputational damage, unnecessary panic among patients) or under-notification (regulator attention, civil penalties, loss of trust).
The Privacy Act actually gives you a structured test. Three limbs under s 26WE; a short list of serious-harm factors under s 26WG; a remedial-action exception under s 26WF; and a 30-day assessment pathway under s 26WH. Once you apply the test, the answer is usually clear.
This wizard codifies the test. You answer eight questions; the engine applies each limb; you get an outcome with rationale, next steps, and citations. Email yourself the record and it goes straight into your NDB register, the kind of contemporaneous document regulators look for when they later review your response.
What a data breach looks like in a healthcare practice
Not every breach is notifiable, but all of these should trigger an NDB assessment in your incident register.
| Scenario | Usual NDB path | Key factor |
|---|---|---|
| Clinical note emailed to wrong patient | Assess → often notifiable | Depends on recipient's relationship, whether opened, remedial steps. Health info is high-sensitivity. |
| Lost unencrypted laptop with patient records | Notify | No protection + unknown recipient + high-sensitivity info = eligible breach. |
| Lost encrypted laptop, keys secure | Likely not notifiable | Robust protection under s 26WG factor; document reasoning. |
| Phishing credential compromise | Assess → usually notifiable | Unknown external attacker with credentials to clinical systems. Treat as worst case until proven otherwise. |
| Paper file left on reception counter | Assess | Scale small, remediated quickly, but depends on who saw it. |
| Ex-staff logging into system after leaving | Notify | Unauthorised access by former staff without a legitimate need. Lock credentials, assess scope, notify. |
| Software vendor suffers ransomware | Assess with vendor → often notifiable | Your NDB obligation attaches to information you 'hold'. Coordinate under s 26WN. |
| Misaddressed email recalled before opening | Likely not notifiable | Remedial action under s 26WF. Document and keep evidence. |
Indicative pathways only. The wizard above applies the full test to your specific facts.
For the person answering the incident line at 4:30pm on a Friday
Medical & Allied Health Practices
All health service providers are APP entities regardless of turnover. A missing blood-test fax, a lost USB, or a clinical email to the wrong patient all trigger the NDB test. This tool walks you through it in 3 minutes.
Practice Managers & Privacy Officers
You are the person named on the plan when something happens at 4:30pm on a Friday. This tool gives you a structured, defensible decision record, not a scramble through OAIC PDFs.
MSPs & Outsourced IT
Managed service providers carry NDB exposure through every client. Use this tool to walk clients through the decision in the moment of crisis, and leave them with a written record.
NDIS & Specialist Providers
NDIS participant data sits alongside Medicare and clinical information. A breach here is almost always notifiable. This tool makes the serious-harm analysis explicit.
Four stages, one written decision record
Confirm coverage
Health service providers, APP entities over AUD 3M, TFN recipients, and credit providers are covered. Small businesses outside those categories generally are not.
Characterise the breach
Unauthorised access, unauthorised disclosure, loss, or still only suspected. Each path changes the timeline and the evidence you need.
Weigh the serious-harm factors
Kind of information, sensitivity, protection, recipient, scale, and the likelihood that harm actually materialises. The Act names the factors; the engine weighs them.
Record the decision
Get an outcome (notify, assess further, likely not notifiable, or not covered), plus the rationale, next steps, and a citable list of statute sections.
Every outcome is grounded in a section of the Act.
The engine applies the three limbs of s 26WE in order. Coverage is checked first (s 6C/s 6D, including the s 6D(4)(b) carve-in for health service providers). The breach type is then tested against the statutory definition of "unauthorised access, unauthorised disclosure, or loss". Finally, the serious-harm factors in s 26WG are weighed alongside the remedial-action exception in s 26WF and the 30-day assessment pathway in s 26WH.
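The four stages above and the ordering just described (coverage, then breach type, then the s 26WG factors weighed against the s 26WF exception and the s 26WH assessment window) are a small, deterministic decision function. The following is an added illustration of that shape in plain browser-side JavaScript; it is not the wizard's own engine. The input field names, the numeric weights, the thresholds and the sample scenarios are constructed for this example: the Act names the factors but assigns no numbers, so a real engine's weighting is a policy choice that should be documented alongside the decision record.

```javascript
// Added example of a deterministic NDB decision engine, modelled on the stages
// the page describes. Not the tool's own code. Field names, weights, thresholds
// and sample inputs are assumptions for illustration only.

const OUTCOME = {
  NOT_COVERED: "not covered",
  ASSESS: "assess further",
  NOTIFY: "notify",
  LIKELY_NOT_NOTIFIABLE: "likely not notifiable",
};

// Stage 1: coverage (s 6C/s 6D). Health service providers are APP entities
// regardless of turnover (s 6D(4)(b)); otherwise the page's listed categories.
function isCovered(entity) {
  return Boolean(
    entity.healthServiceProvider ||
    entity.annualTurnoverAud > 3_000_000 ||
    entity.tfnRecipient ||
    entity.creditProvider
  );
}

// Stage 3: weigh the s 26WG factors. The weights below are constructed for this
// example; effective, uncompromised protection is treated as a strong mitigant.
function seriousHarmScore(b) {
  let score = 0;
  if (b.infoKind === "health" || b.infoKind === "financial") score += 3; // sensitivity
  const protectionEffective = b.protected && !b.keysCompromised;
  score += protectionEffective ? -5 : 2;                                // protection
  if (b.recipient === "unknown" || b.recipient === "malicious") score += 3;
  if (b.recipient === "trusted") score -= 2;                            // who obtained it
  if (b.individualsAffected > 100) score += 1;                          // scale, not determinative
  return score;
}

// s 26WF remedial action exception: approximated here by a recorded,
// confirmed-effective remediation (e.g. recall before opening, keys intact).
function remedialActionPreventsHarm(b) {
  return b.remediation === "confirmed-effective";
}

// Pure function: same inputs always yield the same outcome and rationale,
// which is what makes the emailed record reproducible later.
function decide(entity, breach) {
  const rationale = [];
  if (!isCovered(entity)) {
    rationale.push("Entity is not an APP entity (s 6C/s 6D)");
    return { outcome: OUTCOME.NOT_COVERED, rationale };
  }
  rationale.push("Entity is an APP entity (s 6C/s 6D)");

  // Stage 2: characterise the breach. A mere suspicion routes to s 26WH.
  if (breach.type === "suspected") {
    rationale.push("Suspected only: reasonable and expeditious assessment within 30 days (s 26WH)");
    return { outcome: OUTCOME.ASSESS, rationale };
  }
  if (!["access", "disclosure", "loss"].includes(breach.type)) {
    throw new Error(`unknown breach type: ${breach.type}`);
  }
  rationale.push(`Unauthorised ${breach.type} of personal information held (s 26WE)`);

  if (remedialActionPreventsHarm(breach)) {
    rationale.push("Remedial action before harm; serious harm no longer likely (s 26WF)");
    return { outcome: OUTCOME.LIKELY_NOT_NOTIFIABLE, rationale };
  }

  const score = seriousHarmScore(breach);
  rationale.push(`Serious-harm factors weighed (s 26WG): score ${score}`);
  if (score >= 6) return { outcome: OUTCOME.NOTIFY, rationale };
  if (score >= 3) return { outcome: OUTCOME.ASSESS, rationale };
  return { outcome: OUTCOME.LIKELY_NOT_NOTIFIABLE, rationale };
}

// Constructed sample inputs modelled on the scenario table.
const SAMPLE_CLINIC = { healthServiceProvider: true, annualTurnoverAud: 800_000, tfnRecipient: false, creditProvider: false };
const SAMPLE_SHOP = { healthServiceProvider: false, annualTurnoverAud: 500_000, tfnRecipient: false, creditProvider: false };
const LOST_LAPTOP = { type: "loss", infoKind: "health", protected: false, keysCompromised: false, recipient: "unknown", individualsAffected: 500, remediation: "none" };
const LOST_ENCRYPTED_LAPTOP = { ...LOST_LAPTOP, protected: true };
const RECALLED_EMAIL = { type: "disclosure", infoKind: "health", protected: false, keysCompromised: false, recipient: "unknown", individualsAffected: 1, remediation: "confirmed-effective" };

function runSamples() {
  return {
    shopLostLaptop: decide(SAMPLE_SHOP, LOST_LAPTOP).outcome,
    clinicLostLaptop: decide(SAMPLE_CLINIC, LOST_LAPTOP).outcome,
    clinicLostEncryptedLaptop: decide(SAMPLE_CLINIC, LOST_ENCRYPTED_LAPTOP).outcome,
    clinicRecalledEmail: decide(SAMPLE_CLINIC, RECALLED_EMAIL).outcome,
    clinicSuspected: decide(SAMPLE_CLINIC, { ...LOST_LAPTOP, type: "suspected" }).outcome,
  };
}
```

Because `decide` has no hidden state and no randomness, the rationale array doubles as the citable section list for the record; a practitioner can re-run the same inputs months later and reproduce the outcome exactly, which is the property the page's "same inputs always produce the same decision" claim depends on.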
The full written record, in your inbox.
We do not host a temporary results page, and we do not ask you to log in to retrieve your decision later. The email you receive is the full, self-contained artefact: save it, forward it to your Privacy Officer or insurer, or file it in your NDB register.
Everything practice teams ask us about the NDB scheme.
If your question is not here, email us. A real human replies within the business day.
What is a notifiable data breach in Australia?
A notifiable data breach (formally an 'eligible data breach' under s 26WE of the Privacy Act 1988 (Cth)) is an incident where (a) there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an APP entity, and (b) a reasonable person would conclude the access, disclosure, or loss is likely to result in serious harm to any of the individuals to whom the information relates, and (c) the entity has not been able to prevent that serious harm through remedial action. If all three limbs are met, the entity must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.
Do I need to notify the OAIC about every data breach?
No. You only need to notify the OAIC when a breach is an 'eligible data breach', meaning when a reasonable person would conclude serious harm is likely, and you have not prevented that harm through remedial action. Minor breaches (for example, a misaddressed email recalled before opening, or an encrypted laptop recovered with keys intact) typically do not require notification. Voluntary notification is always an option and the OAIC will accept it.
What counts as 'serious harm' under the NDB scheme?
Section 26WG sets out factors, not a closed definition. Serious harm can be physical (e.g., risk of family violence from leaked address), psychological (distress from exposure of sensitive information), emotional, financial (identity theft, fraud), or reputational (exposure of health, sexuality, political views, criminal history). The test is objective: a reasonable person's view, weighing the kind of information, its sensitivity, whether it was protected, who obtained it, and the likelihood of harm actually materialising. Scale matters but is not determinative: a single individual facing identity theft is enough.
Does the Privacy Act apply to a small medical practice?
Yes. All health service providers are APP entities regardless of turnover under s 6D(4)(b) of the Privacy Act 1988 (Cth). Solo GPs, allied health practitioners, dentists, psychologists, physiotherapists, NDIS providers, and specialists are all covered. This is one of the most common misconceptions: the 'small business' exemption does not apply to health service providers. If your practice handles clinical notes, test results, Medicare details, or any health information, you are within the NDB scheme.
How long do I have to notify after discovering a breach?
Two different timeframes apply. If you are certain you have an eligible data breach, you must notify the OAIC and affected individuals as soon as practicable; do not wait. If you reasonably suspect you may have a breach but need more information, s 26WH gives you up to 30 days from the date you became aware of the suspicion to carry out a reasonable and expeditious assessment. If at any point during that 30 days you confirm the breach is eligible, notify immediately. The 30-day window is a maximum, not a target.
What is the remedial action exception?
Section 26WF provides that where an entity takes action before serious harm results, such that a reasonable person would conclude serious harm is no longer likely, the breach is not an eligible data breach and notification is not required. Examples: a misaddressed email recalled before the recipient opens it, a lost encrypted device recovered with keys uncompromised, credentials reset before exploitation, or a trusted recipient confirming deletion. The evidentiary burden is on the entity: document the action, the reasoning, and the facts you relied on. The OAIC expects contemporaneous records.
Is this tool legal advice?
No. The Notifiable Data Breach Decision Tool is a decision-support utility built from the plain text of the Privacy Act 1988 (Cth) Part IIIC and the OAIC's published guidance. It is not legal, privacy, or cybersecurity advice, and it does not create a lawyer-client relationship. Use it to structure your thinking, produce a defensible decision record, and identify the right next steps. For binding advice, consult the OAIC (1300 363 992), a privacy lawyer, or your privacy insurer. Health service providers should also consider their professional indemnity and My Health Records obligations.
What do I include in the notification to the OAIC?
Section 26WK requires a statement that identifies the entity, describes the breach, lists the kinds of information involved, and provides recommendations for steps individuals can take to protect themselves. The OAIC provides an online form. You also need to notify each affected individual directly (or, where direct notification is not practicable, publish the statement prominently on your website). Practical additions: date of breach, date discovered, scope (number of individuals), containment actions, and contact details for follow-up enquiries.
Does encryption remove the need to notify?
Not automatically. Strong, uncompromised encryption (e.g., AES-256 with keys not exposed, full-disk encryption on a device where the key has not been extracted) significantly reduces the likelihood of serious harm and is a key factor under s 26WG. Combined with other factors (prompt remediation, trusted recipient), it can take the breach outside the 'eligible data breach' threshold. But weak encryption, encrypted data plus compromised keys, or encryption bypassed by the attacker does not. You need to assess the effectiveness of the protection in context, not tick a checkbox.
What if the breach involves a third party, not our systems?
If personal information held by your organisation was affected by a breach at a third party (e.g., cloud provider, contractor, SaaS vendor), your NDB obligations still apply because the test is about information you 'hold'. Both entities can assess whether the breach is eligible; only one notification per individual is required, and s 26WN allows one entity to notify on behalf of the other if both agree. Coordinate early: delay is the biggest risk. For healthcare, common scenarios are medical software vendors, pathology labs, and managed IT providers.
Do I need to notify individuals as well as the OAIC?
Yes. Section 26WL requires notification to each individual to whom the breached information relates, where practicable. The notification must contain the same information as the OAIC statement: entity identity, breach description, information involved, and recommended steps. Where direct notification is not practicable (e.g., contact details lost, too many individuals, some unknown), s 26WL(4) permits you to publish the statement on your website and take reasonable steps to publicise it. For healthcare providers, direct notification by mail or secure message is almost always practicable and is what the OAIC expects.
What are the penalties for failing to notify?
Civil penalties for serious or repeated interferences with privacy (which includes failure to comply with the NDB scheme) are significant: up to AUD 2.5 million per contravention for individuals and the greater of AUD 50 million, three times the benefit obtained, or 30 percent of adjusted turnover for bodies corporate (following the 2022 amendments). The Commissioner can also issue infringement notices, determinations, and enforceable undertakings. Beyond penalties, the reputational impact of being named in the OAIC's NDB statistics or a media story typically outweighs the fine.
What is a data breach response plan and why do I need one?
Under APP 1, every APP entity must take reasonable steps to ensure compliance with the APPs, which the OAIC has repeatedly clarified includes maintaining a data breach response plan. The plan should cover: roles (who decides, who notifies), containment steps, assessment process, notification templates, external advisors (lawyer, insurer, IT), and a register of previous incidents. Health service providers in particular should have the plan ready before the incident, not written during one.
Does this tool store my breach details?
No. Every input stays in your browser to compute the decision. If you submit your email to receive the record, we create a Resend contact in our Australian-data-residency region (Sydney) and send you a self-contained email containing your decision, rationale, next steps, and legislation citations. We do not host a temporary results page and we do not retain the breach details server-side. The email is the artefact: save it, forward it, or attach it to your NDB register.
Can I use the emailed decision record as evidence?
Yes, as part of a broader record. The email is a time-stamped contemporaneous document showing you applied the OAIC test, identified the relevant factors, and reached a reasoned conclusion, which is exactly what the OAIC looks for if it later reviews how you handled an incident. Pair it with: the incident report (who, what, when, how), containment and remedial actions taken, communications sent, and any legal or insurer advice received. Together these make a defensible NDB register entry. Retain for at least 7 years.
After the decision, get your response plan in place
NDB drills, privacy policy reviews, and cyber tabletop exercises scheduled into your year as .ics events.
Find the privacy, data breach response, and cyber-incident policies your practice needs before the breach happens.
Privacy policy, data breach response plan, and cyber incident register templates aligned to RACGP and APP 1.
Ten-question self-assessment covering incident and complaints handling, critical areas alongside NDB.
Auditors expect a working NDB register. Get the audit-cost picture before you walk in.
The full library of free compliance tools for Australian healthcare practices.
Keep your NDB register, response plan, and privacy evidence in one place.
ClinicComply ships with an NDB register, data breach response plan template, and privacy-evidence mapping aligned to APP 1 and the OAIC's response guide. Start free for 30 days, no credit card.