Is Your Business Data Breach Ready? The NDB Scheme Checklist for Queensland Businesses
Australia’s data breach and privacy laws have undergone their most significant reform in decades. Since 10 June 2025, individuals can sue your business directly in court for serious privacy invasions. Since 4 February 2025, ransomware and cyber extortion payments must be reported to the Australian Signals Directorate within 72 hours. The penalty ceiling for serious breaches sits at $50 million or more. The $3 million small business exemption to the Privacy Act is in the process of being removed. This guide walks Queensland businesses through the Notifiable Data Breaches scheme, the complete new legal landscape, and a practical step-by-step readiness checklist.
The question facing Queensland businesses in 2026 is no longer whether they will experience a data security incident; it is whether they will be legally and operationally ready when it happens. In the 2023–2024 financial year alone, the Office of the Australian Information Commissioner (OAIC) received over 1,000 data breach notifications under the Notifiable Data Breaches scheme.1 Ransomware, phishing, accidental disclosures, rogue employees, and third-party vendor incidents affect businesses of every size, across every sector, including professional services, retail, healthcare, hospitality, and real estate on the Gold Coast.
The legal consequence of being unprepared has never been more serious or more personal. Since 10 June 2025, your clients can sue your business directly in court for serious privacy invasions without filing a complaint with any regulator. Since 4 February 2025, businesses covered by the Cyber Security Act 2024 (Cth) must report ransomware payments to the Australian Signals Directorate within 72 hours. The penalty ceiling for serious Privacy Act breaches sits at $50 million or more. And the $3 million annual turnover exemption that has historically protected small businesses from Privacy Act obligations is in the process of being legislatively removed.
This guide explains the full current legal framework, examines each layer of obligation and liability, and provides a practical readiness checklist that Queensland businesses can use to assess and build their compliance posture before a breach event occurs.
In This Guide
- What Is the Notifiable Data Breaches Scheme?
- Who Does the NDB Scheme Apply To?
- What Is Personal Information and Sensitive Information?
- What Is an Eligible Data Breach?
- The Response Timeline: What the Law Requires
- The New Legal Landscape: Three Major 2025 Changes
- The NDB Readiness Checklist for Queensland Businesses
- Conclusion: Protecting Your Business Through Informed Readiness
- Related Topics
- Footnotes
What Is the Notifiable Data Breaches Scheme?
The Notifiable Data Breaches (NDB) scheme operates under Part IIIC of the Privacy Act 1988 (Cth) and has been in force since 22 February 2018.2 It requires certain Australian entities to notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach occurs that is likely to result in serious harm to those individuals.
Before the NDB scheme, Australian businesses had no universal legal obligation to inform customers or regulators when their personal information was compromised. A business could discover that its entire client database had been exfiltrated by a cybercriminal and (beyond the reputational consequences) face no mandatory legal reporting obligation. The NDB scheme changed this by imposing affirmative notification requirements enforceable with substantial civil penalties.
The scheme operates within the broader privacy regulatory framework established by the 13 Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act, which are the core substantive obligations governing how personal information is collected, used, stored, and disclosed by covered entities.3 A data breach serious enough to trigger NDB notification is almost invariably accompanied by a contravention of one or more APPs, most commonly APP 11, which requires entities to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.4 The NDB notification obligation and the APP 11 security obligation are therefore related but distinct: APP 11 requires prevention; the NDB scheme governs response when prevention fails.
Who Does the NDB Scheme Apply To?
Understanding whether your business is a covered entity is the threshold question for every Gold Coast and Queensland business that holds personal information. The coverage analysis has become more significant with the phased removal of the small business exemption.
The $3 Million Turnover Threshold, and Its Removal
Historically, the primary coverage test has been whether a business or not-for-profit organisation has an annual turnover of more than $3 million.5 Entities above this threshold are “APP entities” subject to the Privacy Act and, by extension, the NDB scheme.
However, the Government committed in its response to the Privacy Act Review to remove the $3 million small business exemption as part of the Privacy Act reform process.6 The Privacy and Other Legislation Amendment Act 2024 (Cth) commenced phased enforcement from early 2025, and the removal of the small business threshold is part of the broader reform package. The practical consequence for Queensland businesses is clear: if you do not currently meet the $3 million threshold but hold meaningful volumes of personal information about clients, customers, or employees, you should be building NDB-ready practices now, not when the formal commencement date arrives. Building compliant systems retrospectively after an incident has already occurred is significantly more costly and legally exposed than building them in advance.
Covered Regardless of Turnover
Certain categories of business have always been covered by the Privacy Act regardless of annual turnover. For Gold Coast and South East Queensland businesses, the most practically significant categories include:
- Private health service providers: Every business that provides health services for a fee, regardless of size or turnover. This includes general practitioners, allied health practitioners (physiotherapists, psychologists, occupational therapists), dentists, optometrists, pharmacists, private hospitals, and aged care facilities.
- Businesses that trade in personal information: Any entity that buys or sells personal information as a commodity is covered, regardless of its other characteristics.
- Tax file number (TFN) recipients: Every employer that collects, holds, or uses tax file numbers of employees is covered. This captures virtually all Queensland employers regardless of size.
- Credit providers and credit reporting bodies: Businesses that provide consumer credit and those that hold credit-related personal information.
- Operators of residential tenancy databases: Relevant for the Gold Coast rental market, which is serviced by numerous residential tenancy database operators.
- Real estate agents: To the extent they handle personal information about tenants and prospective tenants in connection with residential tenancy databases.
- Entities under Commonwealth contracts: Where a business provides services to a Commonwealth government agency under contract, the contract terms typically impose Privacy Act obligations, and many such contracts expressly require NDB compliance regardless of the contractor’s turnover.
Queensland Government Entities
State and territory government agencies, including Queensland Government departments, statutory bodies, and local government entities, are generally not covered by the Commonwealth Privacy Act 1988. They are instead subject to the Information Privacy Act 2009 (Qld), which imposes its own mandatory data breach notification obligations administered by the Office of the Information Commissioner Queensland (OIC Qld).7 Businesses that contract with Queensland Government entities may have parallel obligations under both regimes depending on the nature of the information involved.
What Is Personal Information and Sensitive Information?
The NDB scheme’s notification obligations are triggered by breaches involving personal information as defined in section 6 of the Privacy Act.8 Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable, regardless of whether the information or opinion is true, and regardless of the format in which it is held. This is a deliberately broad definition that captures:
- Full names combined with contact details, addresses, or identification numbers
- Financial information including account numbers, credit card details, and tax file numbers
- Employment information, including salary, performance records, and disciplinary history
- Online identifiers including IP addresses, usernames, and device identifiers where these relate to an identifiable individual
- Location data where it identifies or could identify a person
Sensitive information is a subset of personal information that receives heightened protection under the APPs and carries a greater risk of serious harm in a breach context.9 It includes:
- Health information and genetic information
- Biometric information (fingerprints, facial recognition data)
- Racial or ethnic origin
- Political opinions
- Religious beliefs or affiliations
- Sexual orientation or practices
- Criminal record
When sensitive information is involved in a breach, the threshold for serious harm is more readily satisfied, and the OAIC applies closer scrutiny to both the breach response and the adequacy of the pre-breach security measures.
What Is an Eligible Data Breach?
The NDB scheme does not require notification of every incident involving personal information. Notification is triggered only by an eligible data breach as defined in section 26WE of the Privacy Act.10 Three criteria must all be satisfied.
Criterion 1: Unauthorised Access, Disclosure, or Loss
There must have been one of three things:
- Unauthorised access to personal information: a person who was not entitled to access the information did so. This includes hacking, access by a rogue employee beyond their authorised scope, or accidental disclosure to the wrong email recipient.
- Unauthorised disclosure of personal information: information has been shared, published, transmitted, or otherwise provided to a person who should not have received it.
- Loss of personal information: the physical or logical location of the information can no longer be established, and there is a real possibility it has been or will be accessed by unauthorised parties; for example, a lost laptop or USB drive containing unencrypted client data, or a cloud misconfiguration that left data publicly accessible for an unknown period.
It is worth noting that internal access (an employee accessing personal information about colleagues or clients outside the scope of their employment duties) constitutes unauthorised access and can trigger the scheme. The NDB scheme is not limited to external cyber attacks.
Criterion 2: Likely to Result in Serious Harm
The breach must be likely to result in serious harm to one or more of the affected individuals.11 The Privacy Act provides a non-exhaustive list of factors relevant to assessing serious harm likelihood:
- The nature and sensitivity of the information: health records, financial account details, and identification documents carry materially higher serious harm risk than a business contact’s publicly available phone number.
- Whether security measures that would need to be overcome to use the information are in place: encrypted data that would require significant technical resources to decrypt presents lower immediate serious harm risk than plaintext data.
- The identity and characteristics of the person who accessed the information: a ransomware group known to monetise stolen data presents a different risk profile from an accidental internal email.
- The nature and extent of the potential harm: financial fraud, identity theft, physical danger, reputational harm, emotional distress, and discrimination are all forms of harm the scheme is designed to address.
The OAIC’s published guidance makes clear that the likelihood assessment should be conducted conservatively. Entities should not place excessive weight on speculative grounds for believing harm is unlikely. Where there is genuine uncertainty, the presumption should favour notification.
Criterion 3: Remedial Action Cannot Prevent Serious Harm
Even where the first two criteria are satisfied, a breach is not an eligible data breach if the entity has taken, or is able to take, remedial action that prevents the likely serious harm before it actually occurs.12 This is a narrow carve-out. If a misdirected email containing personal information is identified immediately, the recipient is contacted within minutes and confirms deletion without having forwarded or accessed the content, and there is no realistic further risk, remedial action may remove eligibility.
However, the remedial action must genuinely prevent the harm, not merely reduce it. Once data has been exfiltrated by a ransomware group, published on a dark web forum, or accessed by an identity fraudster, it is almost always impossible to argue that remedial action has prevented serious harm. Entities should not use this criterion as grounds for avoiding notification without clear factual basis and, ideally, legal advice.
The Response Timeline: What the Law Requires
Once your business becomes aware that a data breach may have occurred, the Privacy Act activates a mandatory response sequence. Understanding the trigger points and timeframes is essential: the OAIC treats the 30-day assessment window as a firm requirement, not a guide.
Stage 1—Suspect: Begin Assessment Immediately
Under section 26WH of the Privacy Act, the moment your business becomes aware of reasonable grounds to suspect that an eligible data breach may have occurred, the 30-day clock starts. You must take all reasonable steps to complete an assessment of whether the suspected breach is an eligible data breach as quickly as possible and in any event within 30 days.
The critical point is that the clock starts on suspicion, not on confirmation of a breach. A business that waits to commence its assessment until it is certain a breach has occurred has already failed this requirement. The OAIC’s enforcement record shows that delay in commencing assessment is one of the most common findings in investigations following major incidents.
A compliant assessment should document:
- The circumstances that gave rise to the suspicion (the triggering event: an alert, a staff report, an IT anomaly, a ransom demand).
- The scope of the incident: what systems were affected, what data was potentially involved, and how many individuals.
- Whether the three eligibility criteria are satisfied
- Whether any remedial action has been taken or is available that would prevent serious harm
- The conclusion of the assessment and the date it was completed
Stage 2—Believe: Notify as Soon as Reasonably Practicable
Once the assessment is complete and you have reasonable grounds to believe an eligible data breach has occurred, you must provide notification to the OAIC and to affected individuals as soon as reasonably practicable.13
OAIC notification is submitted via the online NDB notification form on the OAIC website. The notification must include, under section 26WK of the Privacy Act:
- The identity and contact details of the notifying entity
- A description of the eligible data breach: what happened, when, and how it was discovered.
- The kinds of personal information involved.
- Recommendations about the steps individuals should take in response to the breach.
- The steps the entity has taken, or intends to take, in response.
The New Legal Landscape: Three Major 2025 Changes
The Privacy and Other Legislation Amendment Act 2024 (Cth) and the Cyber Security Act 2024 (Cth) together represent the most significant transformation of Australia’s data security and privacy legal framework since the NDB scheme commenced. Queensland businesses need to understand three specific developments.
Change 1—Statutory Tort for Serious Invasions of Privacy (10 June 2025)
From 10 June 2025, the Privacy and Other Legislation Amendment Act 2024 (Cth) introduced a statutory tort for serious invasions of privacy into Australian law.14 This is a landmark development. For the first time, individuals have a direct cause of action to sue an organisation (or individuals within it) for a serious privacy invasion in the courts, without first making a complaint to the OAIC, and without the OAIC needing to take any regulatory action.
The tort applies where all of the following elements are established:
- Invasion: There was an intrusion upon the plaintiff’s seclusion (for example, accessing private communications or data without authorisation) or a misuse of the plaintiff’s private information (for example, disclosing sensitive personal data without basis)
- Intentional or reckless: The defendant’s conduct was intentional or reckless, not merely negligent. A data breach caused by wilfully inadequate security where management was aware of the deficiency and chose not to address it may satisfy this element.
- Highly offensive: A reasonable person in the plaintiff’s position would regard the privacy invasion as highly offensive
- Public interest balance: The public interest in privacy outweighs any competing public interest (such as media freedom, safety, or accountability)
Change 2—Ransomware Payment Reporting (4 February 2025)
From 4 February 2025, Part 3 of the Cyber Security Act 2024 (Cth) created a mandatory obligation to report ransomware and cyber extortion payments to the Australian Signals Directorate (ASD) via the ReportCyber portal within 72 hours of the payment being made.15
The obligation applies to reporting entities under the scheme, which includes:
- Non-corporate Commonwealth entities
- Bodies corporate that are systems of national significance (SoNS) designated under the Security of Critical Infrastructure Act 2018 (Cth)
- Bodies corporate that are responsible entities for critical infrastructure assets under the SOCI Act
Change 3—Tiered Civil Penalties and Infringement Notices
The Privacy and Other Legislation Amendment Act 2024 (Cth) introduced a tiered civil penalty framework providing the OAIC with enforcement tools that are proportionate to the severity of the contravention.16
| Contravention Category | Maximum Penalty, Body Corporate |
|---|---|
| Serious or repeated interference with privacy (s13G) | $50 million, OR 3× benefit, OR 30% turnover |
| Less serious contravention (civil penalties) | $330,000 per contravention |
| Infringement notice (administrative failures) | Up to $66,000 per notice |
The NDB Readiness Checklist for Queensland Businesses
✅ Phase 1—Before a Breach: Building Readiness
1. Confirm your coverage and upcoming obligations
- Determine current turnover threshold ($3M) or special category coverage
- Identify Critical Infrastructure (SOCI Act) status for 72-hour reporting
- Monitor small business exemption removal dates
2. Map your personal information holdings
- Identify every category of personal information held
- Map storage locations and staff access permissions
- Identify third-party vendor access and offshore storage
3. Review and update your privacy documentation
- Current, accurate APP 1 Privacy Policy ($66K infringement risk)
- Review collection notices and onboarding forms
- Update for statutory tort exposure post-June 2025
4. Implement a written Data Breach Response Plan
- Designate Privacy Officer and internal escalation path.
- Include 30-day assessment and 72-hour ransomware reporting paths.
- Ensure plan is physically or digitally accessible to all key staff.
5. Review all third-party contracts
- Vendor notification and cooperation clauses
- APP 8 cross-border disclosure terms
6. Assess your technical security measures
- Encryption at rest and in transit
- Mandatory MFA for all personal information access points
- Regular backup testing and patch management
7. Review your cyber liability insurance
- Coverage for assessment, notification, and civil claims (such as the statutory tort).
- Check notification requirements: typically 24–72 hours.
🚨 Phase 2—During a Breach: The Response Sequence
Step 1—Contain (Day 0)
- Isolate affected systems, revoke credentials, and preserve evidence
- Notify cyber insurer and Designated Breach Lead
Step 2—Assess (Days 1–30)
- Document triggering event and scope of data involved
- Apply the three eligibility criteria and document the conclusion
- ASD report (if payment made) within 72 hours
Step 3—Notify (As soon as practicable)
- OAIC online notification
- Direct individual notification (or public if direct is not possible)
🔍 Phase 3—After a Breach: Remediation and Review
- Conduct root cause analysis and implement security remediation.
- Proactively support affected individuals (for example, by offering credit monitoring).
- Assess statutory tort litigation exposure.
Conclusion: Protecting Your Business Through Informed Readiness
The interplay between the Privacy Act 1988, the Cyber Security Act 2024, and the new statutory tort created in 2025 means that data breach readiness is no longer just an IT issue; it is a central legal and commercial pillar for Queensland business owners. The decisions made in the first 72 hours of a breach event will define your regulatory and litigation exposure for years to come.
Bell & Senior Lawyers advises Gold Coast and South East Queensland businesses on technology law and privacy obligations. Contact us at the earliest opportunity for a confidential assessment of your compliance posture.
Related Topics
- Commercial Law FAQ: Business Contracts & Disputes
- Cyber Security: Practice Information
- Gold Coast Property Settlement Timeline
- Mediation vs Court: Which is Faster in QLD?
- Commercial Law Practice Area
Does your business have a compliant data breach response plan? Bell & Senior Lawyers works with Gold Coast and South East Queensland businesses on privacy compliance, NDB scheme readiness, and data breach response. Call (07) 5532 8777 or make an enquiry online.
Footnotes
1. Office of the Australian Information Commissioner (OAIC), Notifiable Data Breaches Report (bi-annually).
2. Privacy Act 1988 (Cth) Part IIIC.
3. Privacy Act 1988 (Cth) Schedule 1 (Australian Privacy Principles).
4. Privacy Act 1988 (Cth) Schedule 1, APP 11.
5. Privacy Act 1988 (Cth) s 6C.
6. Australian Government, Privacy Act Review, Government Response (2023).
7. Information Privacy Act 2009 (Qld).
8. Privacy Act 1988 (Cth) s 6.
9. Privacy Act 1988 (Cth) s 6.
10. Privacy Act 1988 (Cth) s 26WE.
11. Privacy Act 1988 (Cth) s 26WG.
12. Privacy Act 1988 (Cth) s 26WE(3).
13. Privacy Act 1988 (Cth) s 26WL.
14. Privacy and Other Legislation Amendment Act 2024 (Cth).
15. Cyber Security Act 2024 (Cth) Part 3.
16. Privacy and Other Legislation Amendment Act 2024 (Cth).