All resources
Guide · Privacy & Compliance

Notifiable Data Breaches: what Australian boards still get wrong

Under the Privacy Act, an eligible data breach must be notified to the OAIC and affected individuals "as soon as practicable". Most mid-market organisations discover the gap between policy and capability only after the clock has started.

By , Founder11 min readPublished 29 May 2026

What the NDB scheme actually requires

Under the Privacy Act, an organisation that is aware of an "eligible data breach" must notify the Office of the Australian Information Commissioner and affected individuals as soon as practicable[1][3]. There is no 72-hour clock in the Australian scheme (that is GDPR). The Australian rule is a practicability standard, and the OAIC has been explicit that "as soon as practicable" should be measured in days, not weeks, unless investigation reasonably requires longer.

An "eligible" breach is one likely to result in serious harm to the individuals concerned, where remedial action has not prevented that harm. The judgement of "eligible" is the operational pivot. Most mid-market boards have a policy that describes who makes that call; far fewer have an exercised capability to make it.

What the OAIC actually sees

The OAIC now publishes NDB statistics through a six-monthly dashboard, which replaced its old long-form reports in November 2025[2]. Malicious or criminal attack remains the largest single cause, but human error has been climbing, reaching 37% of breaches in the first half of 2025. Health service providers and the finance sector are consistently among the top reporting industries. Calendar 2024 was a record year, with 1,113 notifications, the highest since the scheme began.

Reading the latest OAIC dashboard against your own organisation is a board exercise worth doing every six months. If your sector is in the top three for breach volume, your operational readiness should reflect that.

Where mid-market organisations consistently fall short

  • The detection clock and the awareness clock are conflated. The notification window starts when the entity is aware, but detection is what gives you the chance to be aware.
  • The "eligible breach" assessment depends on understanding what personal information was affected. Most organisations cannot produce that information within hours of a suspected incident.
  • The notification to individuals requires identifying who the affected individuals are. Backups and exports rarely structure data in a way that supports this on short notice.
  • The MSP’s incident response process and the entity’s NDB notification process are rarely tested together.
  • Board minutes describe a notification policy; few describe the last live test of that policy.

The board’s standing operational questions

  • Who is the named decision maker for the "eligible breach" call, and who is the backup?
  • What is the documented mean time to determine whether an incident involves personal information?
  • When was the last tabletop exercise that ended with a written draft notification?
  • Which of our personal-information datasets could we identify affected individuals from within four hours?
  • What is the OAIC notification template our team would actually use, and who has reviewed it recently?

Aligning the MSP with NDB obligations

The MSP usually carries the operational detection and containment role; the entity carries the regulatory notification obligation. Where the two come unstuck is at the handoff: the MSP completes a "security incident" investigation by their internal definition while the entity’s regulator-facing clock has been running for days[5]. Independent oversight closes the gap by exercising the handoff itself before an incident makes it mandatory.

Breach cost itself is rarely the dominant exposure for mid-market organisations: the average $4.44 million global breach cost figure[4] tracks larger organisations. The mid-market exposure is more often reputational, contractual (B2B customers walking), and regulatory (sustained OAIC engagement that distracts an executive team for months). All three are reduced by readiness, not by insurance.

Research sources

Evidence-based, transparently sourced.

All statistics and research findings on this page are supported by authoritative sources. Behind The SLA is committed to evidence-based advisory and transparent methodology.

  1. [1]
    Office of the Australian Information Commissioner (OAIC). Notifiable data breaches scheme
    The NDB scheme requires notification of eligible data breaches to the OAIC and affected individuals "as soon as practicable". The OAIC publishes statistics on notifications received every six months.
    View source
  2. [2]
    Office of the Australian Information Commissioner (OAIC). Notifiable data breaches statistics
    Since November 2025 the OAIC publishes NDB statistics via a six-monthly dashboard. Calendar 2024 was a record 1,113 notifications; January to June 2025 saw 532, with human error rising to 37% of breaches. Health and finance are consistently among the top reporting sectors.
    View source
  3. [3]
    Australian Government. Privacy Act 1988 (Cth), Part IIIC (Notifiable Data Breaches)
    The statutory basis of the NDB scheme. APP 11 requires entities to take reasonable steps to protect personal information.
    View source
  4. [4]
    IBM Security. (2025). Cost of a Data Breach Report
    Average global data breach cost: US$4.44 million; 241 days on average to identify and contain.
    View source
  5. [5]
    Behind The SLA. (2025). Proprietary client engagement data
    Across mid-market client engagements the most common gap is not the policy (which usually exists), but the operational capability to determine whether a breach is "eligible" within the time the regulator and affected individuals reasonably expect.

Methodology Note: Behind The SLA conducts independent research validation for all published statistics. Where proprietary research is cited, it is based on aggregated, anonymised data from client engagements spanning 15+ years of MSP industry experience.

Want this applied to your organisation?

An independent advisory conversation costs nothing, and clarifies whether what you have read here is relevant to where you actually are.

Schedule a conversation