If your startup collects personal information — and in 2026, it almost certainly does — you need to understand Australia’s Notifiable Data Breaches (NDB) scheme. It’s not optional. It’s not something you can deal with after a breach happens. And as the OAIC’s first-ever civil penalty of $5.8 million against Australian Clinical Labs demonstrated in late 2025, the regulator is now prepared to enforce these obligations with real consequences.
Here’s what the scheme requires, when it applies to your startup, and how to make sure you’re ready.
What Is the Notifiable Data Breaches Scheme?
The NDB scheme was introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) and has been in force since 22 February 2018. It sits within Part IIIC of the Privacy Act 1988 (Cth) and applies to all organisations and agencies covered by the Privacy Act.
The core obligation is straightforward: if your organisation experiences a data breach that is likely to result in serious harm to any individual whose personal information is involved, you must notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC).
This isn’t a “best practice” recommendation. It’s a statutory obligation backed by civil penalties.
Does the NDB Scheme Apply to Your Startup?
The scheme applies to all entities covered by the Privacy Act 1988. For startups, the critical question is whether you fall within the Act’s coverage.
You’re covered if your startup has an annual turnover of more than $3 million. But even if your turnover is below that threshold, the small business exemption doesn’t apply if you:
- Trade in personal information. If your business model involves collecting, using, or disclosing personal information for a benefit, service, or advantage — which describes most SaaS platforms, marketplaces, and ad-tech businesses — you’re covered regardless of turnover.
- Provide a health service. Health tech startups, telehealth platforms, and digital health companies are covered.
- Are related to an entity covered by the Act. If your startup is a subsidiary of a larger company that’s covered, you may be too.
- Hold records under a Commonwealth contract. If you’ve contracted with a government agency to handle personal information, you’re covered.
- Have opted in. Any organisation can voluntarily opt in to coverage under the Privacy Act.
The practical reality is that most technology startups are covered, either because they exceed the turnover threshold or because they trade in personal information. If your product involves user accounts, customer data, analytics, or any form of data-driven service, assume you’re covered until you’ve confirmed otherwise.
It’s also worth noting that the Australian Government has agreed in principle to remove the small business exemption entirely as part of its broader Privacy Act reforms. The second tranche of reform legislation is expected to progress in 2026, and when it does, all Australian businesses will be subject to the NDB scheme regardless of turnover. Building your compliance framework now is not just legally prudent — it’s inevitable.
What Is an “Eligible Data Breach”?
Not every security incident triggers a notification obligation. The NDB scheme only applies to “eligible data breaches,” which are defined in section 26WE of the Privacy Act. A data breach is eligible only if both of the following apply:
- There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by the entity.
- A reasonable person would conclude that the breach is likely to result in serious harm to any of the individuals to whom the information relates.
The “serious harm” threshold is the critical test. The OAIC’s guidance identifies several factors relevant to assessing whether serious harm is likely:
- The kind of information involved. Sensitive information (health records, financial details, tax file numbers, biometric data) is more likely to cause serious harm than, say, a name and email address. But context matters — a list of email addresses tied to a mental health app could cause serious harm through the association alone.
- Whether the information is protected by security measures. If the compromised data was encrypted and the encryption key was not compromised, serious harm may be less likely.
- Who obtained the information. A breach where data was accessed by a malicious actor is more likely to result in serious harm than an accidental disclosure to a trusted party.
- The nature of the harm that could result. This includes identity theft, financial fraud, reputational damage, emotional distress, and physical harm.
There’s also an important exception under section 26WF: if you take remedial action after a breach and, as a result, a reasonable person would no longer conclude that the breach is likely to result in serious harm, the notification obligation doesn’t arise. This is why rapid response matters — swift containment can prevent a security incident from becoming a notifiable breach.
The 30-Day Assessment Window
When your startup becomes aware that there are reasonable grounds to suspect a data breach has occurred, section 26WH of the Privacy Act requires you to conduct an assessment of whether the breach is an eligible data breach. You must take all reasonable steps to complete that assessment within 30 days.
This is not 30 days to decide whether you feel like reporting it. It’s a statutory deadline for completing a formal assessment. If the assessment confirms an eligible data breach, notification must follow as soon as practicable.
In practice, 30 days is tight — especially for a startup without a dedicated security team. You need to identify the scope of the breach, determine what data was affected, assess the likelihood of serious harm, and make a decision. Having a data breach response plan in place before anything goes wrong is the only way to meet this timeline reliably.
What You Must Include in a Notification
If a breach is notifiable, you must prepare a statement for the OAIC and notify affected individuals. Under section 26WK, the notification must include:
- The identity and contact details of your organisation.
- A description of the data breach.
- The kinds of information involved.
- Recommendations about the steps individuals should take in response to the breach.
The notification to individuals can be made directly (if practicable) or, if direct notification isn’t practicable, by publishing a statement on your website and taking reasonable steps to bring it to the attention of affected individuals.
The OAIC provides an online form — the Notifiable Data Breach Statement — which is the standard mechanism for notifying the Commissioner. It’s straightforward, but it requires specific detail about the breach, the information involved, and the steps you’ve taken.
The Enforcement Reality: Australian Clinical Labs
For years, the NDB scheme operated without significant enforcement action. That changed in October 2025 when the Federal Court ordered Australian Clinical Labs (ACL) to pay $5.8 million in civil penalties — the first penalties ever imposed under the Privacy Act.
The case involved a 2022 cyberattack on Medlab Pathology (a subsidiary of ACL) that exposed the personal information of approximately 223,000 individuals, including highly sensitive health and financial data. The Court found that ACL had failed to take reasonable steps to protect the personal information it held (a breach of Australian Privacy Principle 11.1) and had failed to conduct a reasonable and expeditious assessment of whether the breach was notifiable.
The penalty sends two clear messages. First, the OAIC is willing to litigate. Second, delays and inadequate responses will be punished. ACL’s failures weren’t just about the breach itself — they were about the response. The company took too long to assess the breach and notify affected individuals.
Under the enhanced penalty regime introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth), maximum penalties for serious or repeated interferences with privacy are now the greater of $50 million, three times the benefit derived from the conduct, or 30% of adjusted turnover. The ACL penalty was imposed under the previous, lower penalty regime. Future penalties are likely to be significantly larger.
What Your Startup Should Do Now
1. Map Your Data
You can’t protect what you don’t know you have. Conduct a data mapping exercise to identify what personal information your startup collects, where it’s stored, who has access to it, and how it flows through your systems. Pay particular attention to sensitive information — health data, financial information, identity documents, and biometric data.
2. Build a Data Breach Response Plan
The OAIC explicitly recommends that all entities covered by the Privacy Act maintain a data breach response plan. Your plan should cover:
- Roles and responsibilities. Who leads the response? Who makes the notification decision? If you don’t have a dedicated privacy officer, designate a senior team member.
- Containment procedures. Steps to stop the breach, recover compromised data, and limit further exposure.
- Assessment process. A structured framework for evaluating whether the breach meets the “likely to result in serious harm” threshold.
- Notification procedures. Templates and processes for notifying the OAIC and affected individuals within the required timeframes.
- Post-breach review. How you’ll investigate the root cause and prevent recurrence.
3. Implement Reasonable Security
APP 11 requires you to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. For startups, “reasonable” is assessed relative to your size, resources, and the sensitivity of the data you hold. At a minimum:
- Enforce multi-factor authentication across all systems that handle personal information.
- Encrypt personal information at rest and in transit.
- Implement access controls — not everyone in your startup needs access to all customer data.
- Keep software and infrastructure patched and up to date.
- Conduct regular security reviews, even if informal.
4. Review Your Vendor Agreements
If you use third-party service providers that handle personal information on your behalf — cloud hosting, analytics platforms, customer support tools — your obligation to protect that information doesn’t disappear. Review your contracts to ensure they include appropriate data security obligations, breach notification requirements, and clear allocation of responsibility. If a vendor is breached, you may still be the entity required to notify the OAIC.
5. Train Your Team
A data breach response plan is only useful if your team knows it exists and understands their role. Ensure that employees — particularly those who handle personal information — know how to recognise and escalate a potential breach. The 30-day assessment clock starts when you become aware of reasonable grounds to suspect a breach. If an employee spots something suspicious and doesn’t report it internally, you may lose critical time.
The Bottom Line
The NDB scheme is not a compliance afterthought — it’s a core legal obligation for any startup that handles personal information. The OAIC’s willingness to impose significant penalties, combined with the ongoing expansion of Privacy Act coverage, means that early-stage compliance is no longer optional.
The good news is that the fundamentals aren’t complex: know what data you hold, secure it appropriately, have a plan for when things go wrong, and act quickly when they do. Most breaches aren’t caused by sophisticated attacks — they’re caused by missing patches, weak passwords, misconfigured access controls, and human error. Addressing the basics goes a long way.
If you need help building a data breach response plan, reviewing your privacy obligations, or assessing whether the NDB scheme applies to your startup, get in touch. We help Australian startups build privacy compliance frameworks that work in practice, not just on paper.