OAIC's Notifiable Data Breaches statistics dashboard
07 November 2025
The Office of the Australian Information Commissioner (OAIC) has created an interactive statistics dashboard of the data breach notifications it receives under the Notifiable Data Breaches (NDB) scheme.
Under the Privacy Act 1988 (Cth), the NDB scheme requires an APP entity to report to the OAIC if:
- data it holds is lost or subject to unauthorised access or disclosure
- the loss, access or disclosure is likely to result in serious harm to an individual, and
- the APP entity is unable to prevent the likely risk of serious harm with any remedial action.
The statistics dashboard is updated every six months. As Commissioner Kind stated, the dashboard is to ‘help reporting entities learn from the experiences of others – those organisations and agencies who have had to notify us of a data breach. We hope the tool is used to improve their own responses and reporting if a data breach occurs.’[1]
Some interesting highlights from the dashboard include the following.
Decrease in notifications
Notifications of eligible data breaches were down 10% compared to July to December 2024.
Source of data breaches
Malicious or criminal attacks remain the largest source of data breaches at 59%.
Top 5 reporting sectors
The top 5 sectors to notify data breaches were:
- Health service providers - 96
- Finance (including superannuation) - 73
- Australian Government - 67
- Education - 38
- Legal, accounting & management services - 37
Top causes of human error breaches
- Personal information sent to the wrong recipient (email) - 44%
- Unauthorised disclosure (unintended release or publication) - 22%
- Failure to use BCC when sending email - 9%
Time taken to identify and report breaches
The NDB scheme requires APP entities to take all reasonable steps to ensure that an assessment of an eligible data breach is completed within 30 days after the entity becomes aware of it.[2] If an APP entity is found not to have taken reasonable steps to conduct an assessment within that 30-day period, it will be taken as an interference with the privacy of an individual.[3] If an APP entity is found to be in contravention of an individual’s privacy, this will now attract a civil penalty. It is not a surprise that the largest share of notifications, being 33%, was reported to the OAIC in under 10 days.
The OAIC has also separately published a blog based around a case study to help APP entities be mindful of the challenges of outsourcing to third-party service providers.
The dashboard provides meaningful insight into trends and patterns in relation to data breaches and serves as an effective tool to help APP entities prepare and build security strategies to be resilient to cyber security threats.
[1] Office of the Australian Information Commissioner, media post, 4 November 2025, ‘OAIC launches new dashboard for data breaches’.
[2] s 26WH(2)(b) Privacy Act 1988 (Cth).
[3] s 13(4A) ibid.

