What the NDB scheme actually requires
Under the Privacy Act, an organisation that is aware of an "eligible data breach" must notify the Office of the Australian Information Commissioner and affected individuals as soon as practicable[1][3]. There is no 72-hour clock in the Australian scheme (that is GDPR). The Australian rule is a practicability standard, and the OAIC has been explicit that "as soon as practicable" should be measured in days, not weeks, unless investigation reasonably requires longer.
An "eligible" breach is one likely to result in serious harm to the individuals concerned, where remedial action has not prevented that harm. The judgement of "eligible" is the operational pivot. Most mid-market boards have a policy that describes who makes that call; far fewer have an exercised capability to make it.
What the OAIC actually sees
The OAIC now publishes NDB statistics through a six-monthly dashboard, which replaced its old long-form reports in November 2025[2]. Malicious or criminal attack remains the largest single cause, but human error has been climbing, reaching 37% of breaches in the first half of 2025. Health service providers and the finance sector are consistently among the top reporting industries. Calendar 2024 was a record year, with 1,113 notifications, the highest since the scheme began.
Reading the latest OAIC dashboard against your own organisation is a board exercise worth doing every six months. If your sector is in the top three for breach volume, your operational readiness should reflect that.
Where mid-market organisations consistently fall short
- The detection clock and the awareness clock are conflated. The notification window starts when the entity is aware, but detection is what gives you the chance to be aware.
- The "eligible breach" assessment depends on understanding what personal information was affected. Most organisations cannot produce that information within hours of a suspected incident.
- The notification to individuals requires identifying who the affected individuals are. Backups and exports rarely structure data in a way that supports this on short notice.
- The MSP’s incident response process and the entity’s NDB notification process are rarely tested together.
- Board minutes describe a notification policy; few describe the last live test of that policy.
The board’s standing operational questions
- Who is the named decision maker for the "eligible breach" call, and who is the backup?
- What is the documented mean time to determine whether an incident involves personal information?
- When was the last tabletop exercise that ended with a written draft notification?
- Which of our personal-information datasets could we identify affected individuals from within four hours?
- What is the OAIC notification template our team would actually use, and who has reviewed it recently?
Aligning the MSP with NDB obligations
The MSP usually carries the operational detection and containment role; the entity carries the regulatory notification obligation. Where the two come unstuck is at the handoff: the MSP completes a "security incident" investigation by their internal definition while the entity’s regulator-facing clock has been running for days[5]. Independent oversight closes the gap by exercising the handoff itself before an incident makes it mandatory.
Breach cost itself is rarely the dominant exposure for mid-market organisations: the average $4.44 million global breach cost figure[4] tracks larger organisations. The mid-market exposure is more often reputational, contractual (B2B customers walking), and regulatory (sustained OAIC engagement that distracts an executive team for months). All three are reduced by readiness, not by insurance.