BISTEC IT Services


Notifiable Data Breaches scheme

Also: NDB · NDB scheme

The Privacy Act regime that requires notification of eligible data breaches to the OAIC and affected individuals — in force since February 2018.

Last reviewed May 2026

The Notifiable Data Breaches (NDB) scheme is the data-breach notification regime in Part IIIC of the Privacy Act 1988. It has been in force since 22 February 2018 and applies to all organisations subject to the Privacy Act, including Commonwealth agencies and APP entities.

An eligible data breach is one where (a) there has been unauthorised access to, unauthorised disclosure of, or loss of personal information, and (b) this is likely to result in serious harm to an individual, and (c) the entity has been unable to prevent that likely harm by remedial action. Where these three tests are met, the entity must notify the OAIC and affected individuals as soon as practicable.

For APRA-regulated entities, NDB sits alongside the CPS 234 §35 obligation to notify APRA within 72 hours of a material information-security incident. The two timing obligations are different, the audiences are different, and well-prepared firms maintain a single incident-response playbook that satisfies both.