Does the NDB scheme apply to my small business in Queensland?
The Notifiable Data Breaches (NDB) scheme applies to all entities covered by the Privacy Act 1988 (Cth). While there was historically a broad exemption for small businesses, the legal landscape for Queensland business owners has changed significantly in 2025 and 2026.
1. The $3 Million Turnover Threshold
The primary test for coverage is whether your business or not-for-profit has an annual turnover of more than $3 million. If you exceed this threshold, you are an “APP entity” and must comply with the NDB scheme.
2. Removal of the Small Business Exemption
The Australian Government has committed to removing the $3 million exemption entirely as part of the Privacy Act reform process. The Privacy and Other Legislation Amendment Act 2024 has already commenced phased enforcement. This means even the smallest Gold Coast startup or local retail shop will eventually be subject to the full weight of the Privacy Act and NDB reporting requirements.
3. Businesses Covered Regardless of Turnover
You may already be covered by the NDB scheme even if your turnover is below $3 million if you fall into certain high-risk categories:
- Private Health Providers: This captures GPs, dentists, physiotherapists, and pharmacies.
- Trading in Personal Information: If you buy or sell personal data as a business model.
- Tax File Number (TFN) Recipients: Virtually every employer is captured here because they hold employee TFNs.
- Credit Providers: Including businesses that offer consumer credit or payment terms.
4. The 2025 Statutory Tort
It is critical to note that from 10 June 2025, the new statutory tort for serious invasions of privacy applies to all entities, regardless of their turnover or whether they are covered by the Privacy Act. This means you can be sued directly in court for a serious data breach even if your turnover places your business outside the OAIC's jurisdiction.
Unsure if your business is compliant? Bell & Senior Lawyers provides privacy audits and NDB readiness assessments for Queensland businesses. Call (07) 5532 8777.