Notifiable Data Breaches Scheme
Mandatory notification of eligible data breaches likely to result in serious harm to any affected individual.
What OAIC NDB actually is.
The NDB scheme sits inside the Privacy Act 1988 and applies to all APP entities. When an entity has reasonable grounds to believe there has been an eligible data breach - unauthorised access to, disclosure or loss of personal information that is likely to result in serious harm - it must promptly notify the individuals at risk and the OAIC. Where the entity only suspects that an eligible data breach has occurred, it has 30 days to assess whether the breach is notifiable. Practical cybersecurity programs plan detection, containment and the notification decision to fit inside this 30-day window.
The scheme applies to any entity covered by the Privacy Act 1988, including APP entities, credit reporting bodies, credit providers, TFN recipients and health service providers.
The control areas the framework covers.
Summary of the control families and outcomes the framework drives. Always validate against the official publication for the authoritative wording.
01 Preventative controls - Reasonable security under APP 11 to prevent eligible data breaches in the first place.
02 Assessment within 30 days - Assessment of whether a suspected breach is likely to result in serious harm.
03 Remedial action - Steps taken to contain the breach and mitigate harm; where remedial action means serious harm is no longer likely, notification may not be required.
04 Notification - Prompt notification to affected individuals and a statement to the OAIC describing the breach, the information involved, and the steps being taken.
Read it from the issuing body.
For anything with a regulator or certification body behind it, the authoritative text is what counts - not our summary.
Notifiable Data Breaches Scheme
oaic.gov.au/privacy/notifiable-data-breaches
Content on this page is a plain-language summary for programme planning. It is not legal or regulatory advice, and it does not replace a current copy of the issuer's publication.
How Vectra delivers against OAIC NDB.
Assessment, engineering and operational services that line up with the framework's control areas.
Incident Response Retainer
Contracted response hours with defined SLAs - containment in minutes, not days.
Managed Detection & Response
Sovereign Australian XDR powered by nine global SOCs, AWS Australia hosting and 24x7 human-verified response.
Virtual CISO
Fractional security leadership embedded with your executive team.
Where OAIC NDB shows up.
Sectors where Vectra most commonly applies this framework. Click through for the industry-specific program view.
Healthcare & Pharma
Cybersecurity for hospitals, health services, life-sciences and aged care - where patient safety and sensitive health data never pause.
Banking & Finance
APRA CPS 234 and CPS 230 aligned cybersecurity for banks, insurers, superannuation funds and RSE licensees.
eCommerce & Retail
PCI DSS 4.0, bot defence and checkout-fraud protection for retailers, marketplaces and D2C brands.
Government
IRAP-assessed, PROTECTED-cleared cybersecurity for Commonwealth, state and local agencies operating under the ISM and PSPF.
Security, engineered around you.
Talk to an engineer - not a call centre. Most Vectra conversations start with a 30-minute technical briefing and end with a written plan.