Free tool
NDB notification timer
When you become aware of a suspected data breach, you have up to 30 days to assess whether it's an “eligible data breach” under the Privacy Act. Once confirmed eligible, you must notify the OAIC and affected individuals “as soon as practicable”. This tool tracks both clocks and surfaces the next steps for each stage.
On track. Aware 0 day(s) ago.
Assessment window: 30 day(s) remaining.
30-day assessment deadline: 21 June 2026
Recommended next steps
- Activate your incident response plan. Designate an incident owner and a privacy officer point of contact.
- Contain the breach — preserve logs, suspend affected accounts, isolate affected systems.
- Begin the assessment under s 26WH. You have a maximum of 30 days to determine whether it's an eligible breach.
- Start a contemporaneous breach register entry: time of awareness, who knew, actions taken, evidence preserved.
Reference tool only — not legal advice. The OAIC, your privacy officer, and (where applicable) an Australian-admitted lawyer should be consulted on serious or complex breaches. Cyber insurers usually require notification within 24 hours — check your policy too.