Notifiable Data Breaches (NDB) workflow

The Australian Privacy Act 1988 Part IIIC — the NDB scheme — requires APP entities to assess suspected eligible data breaches within 30 days and notify the OAIC and affected individuals “as soon as practicable”. Manage365 tracks this timeline and alerts before deadlines lapse.

Lifecycle

  1. Record incident — when a suspected breach is detected. The detection timestamp starts the 30-day assessment clock; Manage365 also computes a 72-hour notification benchmark (industry standard — the Act itself says “as soon as practicable”).
  2. Assess — investigate: what data was exposed, is serious harm likely, can remediation prevent harm? This is the core NDB determination.
  3. Record decision — either not notifiable (remediation prevents serious harm, or no personal information was exposed) or notifiable (eligible data breach). Decision notes must be at least 20 characters — the OAIC may request them.
  4. Notify OAIC + individuals (if notifiable) — log when notification was completed and link to evidence (OAIC receipt, email to individuals, notification page on a status site).
  5. Close — final state once the obligation is discharged.

Deadline alerts

An hourly sweeper runs server-side. For each open incident it checks:

  • Notification deadline (72h): if the incident is still in assessing status and fewer than 24 hours remain, raises a high severity alert. If fewer than 6 hours remain, escalates to critical.
  • Assessment deadline (30d): if the incident is not yet closed or notified and fewer than 7 days remain, raises a medium alert. If fewer than 3 days remain, escalates to high.

Alerts are deduplicated on stage + incident ID, so a given deadline raises one alert per incident — it won't re-fire hourly until you acknowledge it.
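The threshold and dedupe rules above, written out as an added illustration (this is not Manage365's code; the status names, the in-place escalation of an already-open alert, and the sample incidents are assumptions made for the example):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOTIFY_WINDOW = timedelta(hours=72)  # 72-hour notification benchmark
ASSESS_WINDOW = timedelta(days=30)   # Part IIIC 30-day assessment period
RANK = {"medium": 1, "high": 2, "critical": 3}  # severity order for escalation

@dataclass
class Incident:
    incident_id: str
    detected_at: datetime  # detection timestamp starts both clocks
    status: str            # assumed values: assessing | decided | notified | closed

def deadline_alerts(inc: Incident, now: datetime) -> list[tuple[str, str]]:
    """Return (stage, severity) pairs due for one incident at time `now`."""
    alerts = []
    if inc.status == "assessing":
        left = inc.detected_at + NOTIFY_WINDOW - now
        if left < timedelta(hours=6):
            alerts.append(("notification", "critical"))
        elif left < timedelta(hours=24):
            alerts.append(("notification", "high"))
    if inc.status not in ("notified", "closed"):
        left = inc.detected_at + ASSESS_WINDOW - now
        if left < timedelta(days=3):
            alerts.append(("assessment", "high"))
        elif left < timedelta(days=7):
            alerts.append(("assessment", "medium"))
    return alerts

class Sweeper:
    """Hourly sweep; dedupes on (stage, incident_id) until acknowledged."""
    def __init__(self):
        self.open_alerts: dict[tuple[str, str], str] = {}

    def sweep(self, incidents, now):
        raised = []
        for inc in incidents:
            for stage, severity in deadline_alerts(inc, now):
                key = (stage, inc.incident_id)
                current = self.open_alerts.get(key)
                # New alert, or an open one that escalated (assumed: re-raise at higher severity)
                if current is None or RANK[severity] > RANK[current]:
                    self.open_alerts[key] = severity
                    raised.append((key, severity))
        return raised

    def acknowledge(self, stage, incident_id):
        # Acknowledging clears the dedupe entry so a later sweep can raise again
        self.open_alerts.pop((stage, incident_id), None)
```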

Where to find it

Tenant detail page → NDB tab. Every action appears in the dashboard activity feed and the tenant audit log.

Evidence bundle

NDB decision notes, notification evidence URLs, and the full audit trail for every mutation are included in the tenant evidence bundle ZIP export — auditor-ready.

What Manage365 does not do

  • Auto-detect breaches. You record incidents manually from Defender alerts, user reports, or HIBP findings. Manage365 doesn't infer that a security alert is a breach — that determination is contextual and lives with the MSP.
  • Submit to OAIC on your behalf. Notification submission goes through the OAIC Notifiable Data Breach Form. Paste the receipt URL into the evidence field when you mark the incident notified.
  • Provide legal advice. When the decision is finely balanced, involve the client's privacy officer or a lawyer. The platform tracks the decision; the judgment is human.