Notifiable Data Breaches Perth — What Businesses Need to Know

What counts as a notifiable data breach, who you must tell, and how DM1 helps Perth businesses prepare for and respond to data breach incidents.


What Is a Notifiable Data Breach?

Under the Privacy Act 1988 (Cth), organisations covered by the Australian Privacy Principles must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an eligible data breach occurs.

An eligible data breach occurs when: personal information is accessed by, disclosed to, or lost by, unauthorised persons — AND it is likely to result in serious harm to any of the individuals whose information was involved.

DM1 is an IT provider, not a legal or compliance adviser. This page describes IT controls and incident response processes relevant to data breach prevention and notification. For legal advice on breach notification obligations, consult your legal adviser.

What Causes Notifiable Data Breaches in Small Businesses?

"Compromised employee accounts"

A staff member's Microsoft 365 account is taken over through a phishing attack or credential theft. The attacker accesses emails, files and client data. This is the most common cause.

"Ransomware encryption of client data"

A ransomware attack encrypts business files. Even without exfiltration, this may constitute an eligible breach if personal information was potentially accessed.

"Accidental disclosure to wrong recipient"

Sending a client's personal information to the wrong email address is a data breach. Microsoft 365's DLP policies can warn staff before sending sensitive information externally.

"Lost or stolen device"

A laptop or phone containing personal information that is lost or stolen constitutes an eligible breach if the device is unencrypted and unmanaged. BitLocker and Intune mitigate this.

"Misconfigured cloud storage — data publicly accessible"

A SharePoint site set to "Anyone with the link" makes data publicly accessible. DM1 regularly audits sharing settings and removes inappropriate access.

"Insider access — departing employee downloading client data"

An employee taking client data when leaving constitutes a breach. DM1's offboarding process revokes access and reviews recent download activity before accounts are disabled.

What to Do If You Suspect a Data Breach

1. Contain the Breach Immediately

Call DM1 on (08) 6202 6012. DM1 will revoke sessions, disable compromised accounts, isolate affected devices, and stop the breach from spreading. Speed is critical.

2. Assess the Scope

DM1 reviews Microsoft 365 audit logs and sign-in records to determine what data was accessed, by whom, from where, and for how long.

3. Notify if Required

If the breach is eligible, the Privacy Act requires notification to the OAIC within 30 days of becoming aware. DM1 provides the technical evidence required — your legal adviser handles the notification itself.

How DM1 Helps Perth Businesses Prevent and Respond to Breaches

DISCOVERED DURING DM1 NEW CLIENT ONBOARDING

Account compromised — breach contained before client data was exported

A DM1-managed Perth professional services firm had a staff email account compromised. DM1 detected the anomalous sign-in through Entra ID alerts, revoked sessions within 20 minutes, and confirmed through audit logs that no client data had been exported before the session was terminated.

DISCOVERED DURING DM1 NEW CLIENT ONBOARDING

SharePoint site publicly accessible for three months — not noticed

A Perth business's SharePoint site had been set to "Anyone with the link" for three months. DM1 discovered this during a routine access audit, immediately restricted sharing, and helped the business conduct a breach assessment.

DISCOVERED DURING DM1 NEW CLIENT ONBOARDING

Laptop stolen from car — remote wipe executed within 30 minutes

A Perth business owner's laptop was stolen from a car. DM1 was called immediately, initiated a remote wipe through Intune, and confirmed the wipe was completed before the laptop was powered on again. No breach notification was required.

This page provides general information about the Notifiable Data Breaches scheme. It does not constitute legal advice. Businesses should consult qualified legal advisers regarding their specific obligations under the Privacy Act 1988 (Cth).

Get Your Data Breach Prevention Controls in Place

DM1 implements the technical controls that reduce breach risk and enable rapid response. Call (08) 6202 6012 to discuss your current IT security posture.
