Privacy law isn’t just a compliance checkbox

If your business collects personal information — and it almost certainly does — you have obligations under the Privacy Act 1988. For tech companies, those obligations show up everywhere: in your product design, your vendor contracts, your data flows, and your incident response plans.

We help businesses treat privacy as a design constraint, not an afterthought. That’s cheaper, more effective, and what the OAIC actually expects.

Privacy policies that reflect reality

Most privacy policies we review bear little resemblance to what the business actually does with data. We wrote an open-source privacy policy template because we were tired of seeing the same generic, lawyer-drafted documents that nobody reads and nobody follows. We draft privacy policies, collection notices, and consent mechanisms that accurately describe your data practices — because that’s what the Australian Privacy Principles require.

Data breach response — when speed matters

When a breach happens, you need to quickly assess whether it triggers the Notifiable Data Breaches scheme, notify the OAIC if required, communicate with affected individuals, and coordinate with your technical team on containment. We help clients work through this process under pressure, which is when having someone who already understands your systems and data flows makes a real difference.

Privacy by design saves money

Working with your product and engineering teams to build privacy into new features is significantly cheaper than retrofitting compliance after launch. We review data architectures, consent flows, and retention policies during development — not after the OAIC comes knocking.

Vendor and third-party risk

When you share personal information with third-party providers, you remain responsible for how they handle it. We conduct privacy and security assessments of vendors, negotiate data processing agreements, and help you understand what your exposure actually is. This matters especially when your data crosses borders to cloud providers or overseas teams.

Data-sharing agreements

Whether you’re sharing data with partners, integrating via APIs, or participating in broader data ecosystems, the agreements need to clearly define what data flows where, how it can be used, and what happens when the relationship ends. We draft these regularly for tech and SaaS businesses.

Privacy done well is a competitive advantage — especially when your customers and partners have their own compliance obligations. If you want to get ahead of it, get in touch.

Frequently Asked Questions

What is the Notifiable Data Breaches scheme?

The Notifiable Data Breaches (NDB) scheme requires organisations covered by the Privacy Act to notify the OAIC and affected individuals when a data breach is likely to result in serious harm. You must assess eligible breaches within 30 days and notify promptly if the threshold is met.

Do I need a privacy policy?

Yes, if your business is covered by the Privacy Act — which includes most businesses with annual turnover above $3 million, and all health service providers and businesses that trade in personal information regardless of size. Your privacy policy must explain what personal information you collect, how you use it, and how individuals can access or correct it.

What are the Australian Privacy Principles?

The Australian Privacy Principles (APPs) are 13 principles in the Privacy Act that govern how organisations collect, use, store, and disclose personal information. They cover everything from open and transparent management of data to cross-border disclosure and direct marketing.

What happens if my business has a data breach?

You must conduct a reasonable and expeditious assessment of whether the breach is likely to cause serious harm. If it is, you must notify the OAIC and affected individuals. Failing to comply can result in significant civil penalties. Having an incident response plan in place before a breach occurs makes the process considerably faster.