Australia

A company suffered a data breach exposing my personal details. Are they required to notify me?

Notification deadline: 30 days
Threshold for notification: Serious harm
Regulator notified: OAIC
Relevant Privacy Principle: APP 11

The Short Answer

Yes, if the breach is likely to result in serious harm to you, the company must notify you and the OAIC within 30 days under Australia’s Notifiable Data Breaches (NDB) scheme.

What the Law Says

Australia’s privacy laws require organisations to notify individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm.

The requirement comes from the Notifiable Data Breaches (NDB) scheme, introduced in 2018 as an amendment to the Privacy Act 1988. It applies to all entities bound by the Australian Privacy Principles (APPs), including most businesses with an annual turnover over $3 million, health service providers, and credit reporting bodies.

An 'eligible data breach' occurs when there is unauthorised access to, or unauthorised disclosure of, personal information — or loss of personal information — that a reasonable person would conclude is likely to result in serious harm to any of the individuals affected.

Once an organisation becomes aware that an eligible data breach has occurred, it must prepare a statement and notify both the affected individuals and the OAIC as soon as practicable — and no later than 30 days after becoming aware.

Statutory Text

An entity must notify the Commissioner and affected individuals about an eligible data breach as soon as practicable after the entity becomes aware that the breach has occurred.

Privacy Act 1988, s. 26WE — Notification of eligible data breaches

Statutory Text

An eligible data breach occurs if: (a) there is unauthorised access to, or unauthorised disclosure of, personal information; or (b) personal information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and a reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates.

Privacy Act 1988, s. 26WE(2) — Definition of eligible data breach

What to Do

1. Check your email, SMS, or postal mail for a formal notification from the company — it must include details of the breach, the information involved, and recommended steps to protect yourself.

2. Contact the company directly if you haven’t received notification but suspect your data was compromised.

3. Report concerns to the OAIC via their website if you believe the company failed to notify you when required.

4. Take protective actions: monitor bank accounts, change passwords, and consider placing a fraud alert with credit reporting bodies.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.