
Notifiable Data Breach Report to OAIC (NDB Scheme)

Time-sensitive

Form number: OAIC-NDB

Mandatory online form for Australian Privacy Act-covered organisations and agencies to notify the OAIC of an eligible data breach under the Notifiable Data Breaches scheme, when personal information has been lost, accessed without authorisation, or disclosed in a way likely to cause serious harm.

Issuing authority

Office of the Australian Information Commissioner (OAIC)

Official source

oaic.gov.au

Cost

Free

Deadline

Notify the OAIC promptly once you have reasonable grounds to believe an eligible breach has occurred; a 30-day assessment window applies from when you first become aware of a potential breach

How to apply

  1. Determine whether the incident is an 'eligible data breach' under the Privacy Act 1988 (Cth) — there must be unauthorised access, disclosure, or loss of personal information that is likely to result in serious harm to one or more individuals.
  2. Conduct a timely assessment of the breach — you generally have 30 days from becoming aware of the incident to assess whether it is an eligible data breach before mandatory notification is triggered.
  3. Notify affected individuals promptly once you have reasonable grounds to believe an eligible breach has occurred, including a description of the breach and recommended steps they should take.
  4. Access the online Notifiable Data Breach notification form at: https://webform.oaic.gov.au/prod?entitytype=DBN&layoutcode=DataBreachWF
  5. Complete Part 1 of the form: provide your organisation or agency name and contact details, a description of what happened, the kinds of personal information involved, and steps individuals can take to protect themselves.
  6. Complete Part 2 of the form (held in confidence by the OAIC on request): provide additional detail about containment, remediation efforts, and how the breach occurred.
  7. Submit the completed form electronically via the OAIC web portal — no paper form is accepted for standard NDB notifications.
  8. Retain a copy of your submission and any supporting documentation for your organisation's records and for potential OAIC follow-up.
  9. Respond promptly to any OAIC follow-up enquiries — the OAIC may conduct an assessment or investigation following receipt of your notification.


FormFinder is not affiliated with any Australian government body. Always verify details on official websites. Not legal advice.
