What is a Data Breach Notification in Australia?

In Australia, a data breach notification is a formal obligation under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Cth). The scheme is triggered by an "eligible data breach": unauthorised access to, unauthorised disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm to any of the individuals concerned, and that cannot be headed off by prompt remedial action. When that test is met, the organisation must notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable. An organisation that only suspects an eligible breach has up to 30 days to carry out a reasonable and expeditious assessment of whether one has occurred.

This process ensures transparency and allows individuals to take protective steps, such as changing passwords or monitoring their financial activity. It also encourages organisations to improve data protection practices and take accountability for incidents.

What Should Be Included in a Data Breach Notification?

A proper data breach notification needs to clearly explain what happened, what type of personal information was involved, and what is being done to contain the damage.

For example, if personal details like driver’s licence numbers, Medicare numbers, or health data were exposed, the notification should explain when the breach occurred, what individuals can do to protect themselves, and who to contact for further information.

The Privacy Act itself sets the minimum content of the statement given to the OAIC and to individuals: the organisation's identity and contact details, a description of the breach, the kinds of information concerned, and the steps it recommends individuals take in response. The OAIC's guidance expands on how to present this, and getting it right is critical, not just for compliance but for maintaining trust.

Who Is Responsible for Sending the Notification?

Under the Privacy Act the obligation falls on the entity that "holds" the personal information, meaning it has possession or control of it, and that remains true even if the breach occurred through a third-party service provider or subcontractor. Where two entities jointly hold the same information (for example an organisation and the provider it has outsourced storage to), a compliant notification by one of them satisfies the obligation for both, but they need to agree in advance which of them will send it so that nothing falls between the cracks.

This responsibility extends across sectors, including healthcare providers, financial institutions, SaaS businesses and government agencies, and applies to any business with annual turnover above $3 million as well as to smaller businesses the Act covers regardless of turnover, such as private health service providers and businesses that trade in personal information. In short, holding the data means holding the responsibility.

Who Needs to Be Notified After a Breach?

When a breach is assessed as likely to cause serious harm, two main notifications must occur: one to the affected individuals and one to the OAIC.

In some scenarios, broader disclosure may be required. For example, if identity theft or financial fraud is likely, it may be advisable to inform law enforcement, credit reporting bodies, or the issuers of compromised credentials such as driver's licences. In major breaches, proactive media engagement may also be necessary to manage reputation and provide reassurance.

What Happens If You Don’t Notify?

Failure to notify can lead to significant consequences, ranging from regulatory action to reputational damage. The OAIC can investigate, make determinations and accept enforceable undertakings, and the Commissioner can apply to the Federal Court for civil penalties for serious or repeated interferences with privacy. Since the penalty increases that took effect in December 2022, the maximum for a body corporate is the greater of $50 million, three times the value of any benefit obtained from the conduct, or 30% of adjusted turnover for the relevant period.

More critically, failure to communicate transparently can erode customer trust and damage your brand. Consumers expect honesty and speed when their data is compromised, and delays can escalate both the legal and PR fallout.

What Are Best Practices for Communicating a Data Breach?

Effective data breach management starts with communication that is timely, transparent, and legally compliant. Every organisation should have a breach response plan that outlines how to assess the breach, notify stakeholders, and communicate with impacted customers.

Best practices include having pre-approved message templates, designating a communication lead, and offering meaningful support to those affected, such as identity monitoring services or clear instructions on what actions to take.

At Bare Media, we help organisations craft communications that are aligned with the law, but also human, ensuring people feel informed and supported, not abandoned.

Australian Data Breach Case Studies

Recent events highlight how critical breach response and notification have become. In September 2022, Optus suffered a cyberattack that exposed the personal information of almost 10 million current and former customers, including identity document numbers. Weeks later, Medibank confirmed that data relating to around 9.7 million current and former customers had been accessed, including sensitive health claims information.

These events underscore the need for organisations to act swiftly, follow legal requirements, and communicate with empathy and precision.

How Are Notifications Evolving?

Technology and regulation are evolving rapidly. Advanced threat detection using AI and machine learning is becoming more common, enabling faster identification of breaches. At the same time, Australian privacy law is being reformed in stages: penalties were increased substantially in December 2022, further amendments have since passed, and the ongoing review of the Privacy Act continues to propose a broader scope of obligations for businesses.

Staying compliant means more than following the current rules—it means preparing for what's next. Organisations that embed proactive security and clear communication into their operations will be better positioned to navigate the future.

What Resources Can Help Australian Organisations Stay Compliant?

There are several resources to support compliance with breach notification requirements:

  • The OAIC's "Data breach preparation and response" guide
  • Frameworks such as ISO/IEC 27001
  • Guidance from the Australian Cyber Security Centre (ACSC), including the Essential Eight
  • Legal or advisory services for drafting notification letters and coordinating with regulators

In high-pressure scenarios, communication agencies like Bare Media play a critical role—crafting tailored, compliant messages and managing the distribution process quickly and efficiently.

What’s Next for Data Breach Notifications in Australia?

The future of breach notifications will be shaped by a growing focus on consumer rights, stronger regulatory oversight, and rapid advancements in cybersecurity technology. Businesses will need to respond faster, communicate more clearly, and meet higher expectations from both regulators and the public.

The good news? With the right support and preparation, organisations can turn these obligations into an opportunity—to demonstrate responsibility, build trust, and come out stronger on the other side.

Need Help Communicating After a Data Breach?

Bare Media helps Australian organisations deliver clear, compliant, and effective data breach communications—fast. Whether you're preparing ahead or responding in real time, our team ensures your message is right, your tone is human, and your legal bases are covered.