OAIC Notifiable Data Breach Scheme on AWS: The Australian Playbook
Australia's NDB scheme gives you 30 days to assess and notify a suspected data breach. The clock is forgiving but the standard is not — this is the practical playbook for AWS workloads in ap-southeast-2 and ap-southeast-4.
Inside the guide
Australia's Notifiable Data Breach scheme gives APP entities up to 30 days to assess whether a suspected breach is an "eligible data breach," then requires notification to OAIC and affected individuals "as soon as practicable" after the assessment concludes. The deadline is forgiving by APAC standards, but the post-Optus, post-Medibank regulatory environment is not. The risk on this clock is not running out of time — it is conducting a substandard assessment, under-notifying, or missing affected individuals. This guide covers the eligibility test, the assessment process on AWS, and the operational changes that distinguish a credible response from one that draws OAIC scrutiny.
- The full regulatory rule, plain-language
- An hour-by-hour (or day-by-day) runbook
- The pre-incident AWS hardening that meets the standard
- Common mistakes seen in practice
- What to do this week to get ahead
Frequently asked questions
- How long do I have to notify OAIC of a data breach?
- You have 30 days from becoming aware of grounds to suspect an eligible data breach to complete your assessment. Once you have reasonable grounds to believe the breach is eligible, you must notify OAIC and affected individuals 'as soon as practicable.' The 30-day clock is an outer limit for the assessment, not a deadline for the notification itself — most breaches that are clearly serious should be notified well within that window.
- What is an 'eligible data breach' under the NDB scheme?
- An eligible data breach is an unauthorised access to, disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm to one or more of the individuals concerned, and where the entity has not been able to prevent that harm through remedial action. All three limbs must be present — a technical breach without serious harm risk is not notifiable, and a serious-harm risk that has been successfully remediated is also not notifiable.
- Does the NDB scheme apply to my organisation?
- It applies to all APP entities — generally, Australian Government agencies and most private-sector organisations with annual turnover above AUD $3 million. It also applies regardless of turnover to health service providers, credit reporting bodies, organisations that handle tax file numbers, and a few other categories. Foreign-incorporated companies that operate in Australia or carry on business in Australia and collect Australian personal information are also covered.
- Where should I store AWS logs for OAIC compliance?
- OAIC does not impose a strict data localisation rule for logs, but APP 11 requires you to take reasonable steps to protect personal information, and OAIC's published guidance after the Optus and Medibank breaches makes clear that comprehensive, retained logs are part of what 'reasonable steps' means. Store CloudTrail and security logs in ap-southeast-2 or ap-southeast-4 with at least 12 months retention; longer if you operate in regulated sectors.
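The retention and region points above reduce to a check you can run before an incident rather than discover during one. The following is an added example, not code from the guide or from OAIC: an offline policy check that takes the dictionaries boto3 returns from `describe_trails()`, `get_trail_status()`, `get_bucket_location()` and `get_bucket_lifecycle_configuration()` and reports where the trail or its log bucket falls short of the baseline stated above (logs in ap-southeast-2 or ap-southeast-4, at least 365 days before any lifecycle rule expires them). The sample trail and bucket values at the bottom are constructed for illustration; the control names such as `logs.retention` are this example's own labels, not AWS or OAIC identifiers.

```python
"""Offline check of CloudTrail log storage against the guide's baseline:
logs kept in ap-southeast-2 / ap-southeast-4 and retained for 12+ months.
Input shapes mirror boto3 responses; all sample values are constructed."""

from dataclasses import dataclass

ALLOWED_REGIONS = {"ap-southeast-2", "ap-southeast-4"}
MIN_RETENTION_DAYS = 365  # the guide's 12-month floor


@dataclass(frozen=True)
class Finding:
    severity: str   # "FAIL" (baseline not met) or "WARN" (weakens evidential value)
    control: str    # example's own control label, not an AWS identifier
    detail: str


def bucket_region(location_constraint):
    # get_bucket_location() returns LocationConstraint=None for us-east-1 buckets.
    return location_constraint or "us-east-1"


def shortest_bucket_wide_expiry(lifecycle_rules):
    """Smallest Expiration.Days among enabled rules that apply to the whole bucket.
    Returns None when no rule expires objects, i.e. retention is indefinite."""
    days = []
    for rule in lifecycle_rules:
        if rule.get("Status") != "Enabled":
            continue
        flt = rule.get("Filter", {})
        prefix = rule.get("Prefix", flt.get("Prefix", ""))  # legacy or Filter form
        if prefix != "" or "Tag" in flt or "And" in flt:
            continue  # scoped rule; does not bound retention of every log object
        if "Days" in rule.get("Expiration", {}):
            days.append(rule["Expiration"]["Days"])
    return min(days) if days else None


def audit_trail_storage(trail, trail_status, location_constraint, lifecycle_rules,
                        allowed_regions=ALLOWED_REGIONS, min_days=MIN_RETENTION_DAYS):
    """Return a list of Findings; an empty list means the baseline is met."""
    findings = []
    name = trail["Name"]
    if not trail_status.get("IsLogging"):
        findings.append(Finding("FAIL", "cloudtrail.logging", f"{name}: trail is stopped"))
    if not trail.get("IsMultiRegionTrail"):
        findings.append(Finding("FAIL", "cloudtrail.multi_region",
                                f"{name}: single-region trail misses activity elsewhere"))
    if not trail.get("LogFileValidationEnabled"):
        findings.append(Finding("WARN", "cloudtrail.integrity",
                                f"{name}: log file validation off; digests unavailable"))
    region = bucket_region(location_constraint)
    if region not in allowed_regions:
        findings.append(Finding("FAIL", "logs.region",
                                f"{trail['S3BucketName']}: bucket in {region}"))
    expiry = shortest_bucket_wide_expiry(lifecycle_rules)
    if expiry is not None and expiry < min_days:
        findings.append(Finding("FAIL", "logs.retention",
                                f"{trail['S3BucketName']}: objects expire after {expiry} days"))
    return findings


# --- constructed samples (not real account data) ---------------------------
GOOD_TRAIL = {"Name": "org-trail", "S3BucketName": "example-logs-syd",
              "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}
GOOD_STATUS = {"IsLogging": True}
GOOD_RULES = [{"ID": "archive-keep-2y", "Status": "Enabled", "Filter": {"Prefix": ""},
               "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
               "Expiration": {"Days": 730}}]

BAD_TRAIL = {"Name": "legacy-trail", "S3BucketName": "example-logs-ore",
             "IsMultiRegionTrail": False, "LogFileValidationEnabled": False}
BAD_STATUS = {"IsLogging": True}
BAD_RULES = [{"ID": "expire-90", "Status": "Enabled", "Filter": {"Prefix": ""},
              "Expiration": {"Days": 90}}]


def run_samples():
    return {
        "good": audit_trail_storage(GOOD_TRAIL, GOOD_STATUS, "ap-southeast-2", GOOD_RULES),
        "bad": audit_trail_storage(BAD_TRAIL, BAD_STATUS, "us-west-2", BAD_RULES),
    }


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(label, "OK" if not findings else "")
        for f in findings:
            print(f"  {f.severity} {f.control}: {f.detail}")
```

Against live data, replace the constructed dictionaries with the boto3 calls named in the lead-in; the evaluation logic is unchanged. A rule that never expires objects passes the retention check because indefinite retention exceeds the floor, while a rule scoped to a prefix or tag is ignored on purpose, since it does not bound how long every log object survives.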
- Can I notify OAIC before completing the 30-day assessment?
- Yes, and you usually should if the breach is clearly serious. The 30 days is a maximum for the assessment, not a buffer to use. Notifying earlier — even with incomplete information — generally goes down better with OAIC than waiting for full forensic clarity. The notification can be updated as more facts become known.
- What if the breach affects users outside Australia too?
- The NDB obligation is triggered by the involvement of Australian personal information, not by the residence of the affected individuals. A breach affecting users in Australia, Singapore, and India typically triggers parallel obligations to OAIC, PDPC, and CERT-In, each with its own clock and content requirements. Run them as parallel workstreams, not sequentially.