NDB Scheme Review

Notifiable data breach readiness.
30 days to assess. Act fast.

The NDB scheme gives you 30 days to assess whether a breach is eligible. Your vendor contracts should require notification within 24-48 hours. Most don't. Kontractually reviews vendor contracts against NDB scheme requirements and flags missing breach notification clauses.

7-day free trial. Full platform access. No credit card required.

Before vs. after

What changes when your vendor contracts are NDB-ready.

Before

Your IT provider discovers a ransomware attack that accessed customer records. They notify you 12 days later because their contract has no breach notification timeframe. You now have 18 days left in the NDB scheme's 30-day assessment period - and you haven't even started assessing whether the breach is eligible.

With Kontractually

Kontractually reviews your IT provider contract and flags the missing breach notification clause. You negotiate a 24-hour notification obligation before signing, giving you the full 30-day assessment window under the Privacy Act when an incident occurs.

Full 30-day NDB assessment window preserved

Before

A data breach occurs through a SaaS vendor. Your vendor contract says nothing about breach assistance or cooperation obligations. The vendor refuses to provide logs or confirm what data was accessed, making it impossible to complete the 'serious harm' assessment required under the NDB scheme.

With Kontractually

Kontractually flags the absence of breach cooperation clauses in the vendor agreement. You add obligations requiring the vendor to provide incident details, access logs, and affected-individual identification within 48 hours of an incident - ensuring you can complete the NDB assessment on time.

Vendor cooperation obligations locked in before a breach

Before

Your business has contracts with 8 different SaaS vendors, each with different (or no) breach notification terms. When the OAIC asks about your NDB preparedness during a routine enquiry, you can't demonstrate consistent breach notification coverage across your vendor portfolio.

With Kontractually

Kontractually bulk-reviews all 8 vendor contracts against your NDB playbook in one run. It flags 5 contracts missing breach notification clauses, 2 with notification windows longer than 48 hours, and 1 with no data deletion obligation on termination.

Portfolio-wide NDB readiness in a single review

NDB checklist

6 NDB scheme obligations to review.

1. Scheme applicability assessment

The NDB scheme applies to APP entities with annual turnover over $3M and certain smaller entities (health service providers, tax file number holders, credit reporting bodies). If the scheme applies, eligible data breaches must be notified to the OAIC and affected individuals.

2. Eligible data breach definition

An eligible data breach occurs when: (1) there is unauthorised access to, or disclosure of, personal information, or information is lost where unauthorised access or disclosure is likely; (2) the breach is likely to result in serious harm to any affected individual; and (3) the entity has not been able to prevent the likely serious harm. All three elements must be present.

3. 30-day assessment period

When an entity becomes aware of an incident that may be an eligible data breach, it has 30 days to complete a reasonable assessment. This is not 30 days to notify - it's 30 days to assess whether notification is required. If the assessment concludes an eligible breach occurred, notification must happen as soon as practicable.

4. OAIC notification content

Notification to the OAIC must include: the entity's identity and contact details, description of the breach, kinds of information involved, steps the entity recommends individuals take in response, and the entity's own response steps. Notifications are submitted via the OAIC's online portal.

5. Individual notification requirements

If an eligible data breach occurs, each individual at risk of serious harm must be notified. Notification must include: the entity's identity, description of the breach, kinds of information involved, and steps recommended for individuals. If individual notification is impractical, the OAIC may approve a public statement.

6. Vendor and contract implications

If a data breach occurs through a vendor (processor, SaaS provider, IT provider), the APP entity is still responsible for NDB notification. Vendor contracts should include: breach notification obligations, timeframes for notifying you of incidents, and assistance obligations. Kontractually checks vendor contracts against NDB scheme requirements and flags missing breach notification clauses.

FAQ

NDB scheme questions.


The NDB scheme (Part IIIC of the Privacy Act 1988) requires entities covered by the Australian Privacy Act to notify the OAIC and affected individuals when an eligible data breach occurs. An eligible data breach involves unauthorised access to or disclosure of personal information that is likely to result in serious harm to affected individuals. The scheme applies to APP entities with annual turnover over $3M, and smaller entities in specific sectors (health, tax file number holders, credit reporting). Serious harm can include financial harm, reputational damage, or physical danger.

There is no fixed day-zero notification deadline under the NDB scheme. The entity has 30 days to complete an assessment of whether an eligible data breach has occurred. Once the entity concludes an eligible breach has occurred (or the 30 days expire without a conclusion), it must notify the OAIC and affected individuals 'as soon as practicable'. In practice, this means immediately once the assessment is concluded. This contrasts with the GDPR, which requires notification to the supervisory authority within 72 hours regardless of whether the assessment is complete.

The key differences are timing and scope. Under GDPR Article 33, the data controller must notify the supervisory authority within 72 hours of becoming aware of a personal data breach - regardless of whether assessment is complete. The NDB scheme gives 30 days to assess whether a breach is 'eligible' before notification is required. GDPR also requires notifying affected individuals 'without undue delay' when the breach is likely to result in high risk, while the NDB scheme requires notification 'as soon as practicable' after assessment. If your business is subject to both regimes, the GDPR 72-hour obligation will typically trigger first, and meeting it will satisfy the NDB timeline as well.

The Privacy Act defines serious harm to include serious physical, psychological, emotional, financial, or reputational harm. When assessing whether a breach is likely to result in serious harm, the OAIC considers: the kind of information involved (tax file numbers and health data carry higher risk), whether the information is protected by security measures (encrypted data may reduce harm likelihood), the nature of the harm that could result, and who obtained or could obtain the information. The assessment must be completed within 30 days of the entity becoming aware of the potential breach. Kontractually helps by reviewing vendor contracts to ensure breach notification clauses give you enough time to conduct this assessment.

Failure to notify an eligible data breach is an interference with the privacy of an individual under the Privacy Act. The OAIC can seek civil penalties of up to $50 million, three times the value of the benefit obtained from the breach, or 30% of adjusted turnover during the relevant period - whichever is greatest. These penalties were significantly increased by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. Beyond financial penalties, the OAIC can accept enforceable undertakings, make determinations requiring compensation to affected individuals, and publish findings that create reputational damage. Proactive compliance - including NDB-ready vendor contracts - is the most practical risk mitigation.

Review your vendor contracts against NDB scheme requirements.
