How the Notifiable Data Breaches scheme applies when an AI system is involved in a breach, and what the OAIC expects of Australian businesses.

dgm is an independent osFoundry integration partner — not affiliated with osFoundry’s maker (OS LLC), and dgm has no completed client integrations yet.

When an AI system is involved in a data breach, Australia’s Notifiable Data Breaches scheme still applies. Here is what it requires and how AI changes the picture.

Item        Detail
What        Notifiable Data Breaches (NDB) scheme under the Privacy Act
Trigger     An ‘eligible data breach’ likely to result in serious harm
Obligation  Notify affected individuals and the OAIC
Assess      Promptly (the long-standing standard is within 30 days)

What the NDB scheme requires

Under the NDB scheme, an entity covered by the Privacy Act that has an eligible data breach must notify the affected individuals and the OAIC. An eligible data breach is unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm and cannot be remediated. An entity that only suspects an eligible breach must assess it promptly (the long-standing standard is within 30 days; confirm against the current OAIC guidance).

How AI changes the risk

AI systems concentrate data — training sets, prompt logs, vector stores and outputs can all contain personal information. A breach of an AI pipeline (a leaked prompt log, an exposed vector database) is a notifiable breach like any other, so AI components must be secured and access-logged.

Reducing the risk

Minimise the personal information AI systems hold, secure and log access, and prefer architectures you can audit. osFoundry’s managed cloud pins data to the US, EU or Japan — it does not currently offer an Australian managed region. For data that must stay in Australia, the honest path is self-hosting osFoundry (BYO Cloud) inside an Australian cloud region such as AWS (Sydney or Melbourne), Microsoft Azure (Australia East, Australia Southeast or Australia Central in Canberra) or Google Cloud (Sydney or Melbourne), or running models locally on-device. Self-hosting sensitive AI workloads reduces the number of parties who could be the source of a breach.
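The three controls above (hold less personal information, log every access, keep the data in an approved region) can be enforced at the point where an AI pipeline writes its prompt logs. The following is an added example written for this page, not code from dgm, osFoundry or OS LLC. It assumes a constructed allowlist of Australian cloud region identifiers (AWS ap-southeast-2/ap-southeast-4, Azure australiaeast/australiasoutheast/australiacentral, Google Cloud australia-southeast1/australia-southeast2) and uses illustrative regular expressions for emails, Australian mobile numbers and nine-digit tax file numbers; the sample prompt is constructed.

```python
"""Added example (not dgm's or osFoundry's code): minimise personal
information in AI prompt logs before storage, refuse storage outside
an approved region, and keep a tamper-evident access log."""
from __future__ import annotations

import hashlib
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Illustrative patterns for common personal information. Not exhaustive:
# a real deployment tunes these to the data it actually handles.
# Order matters: mobile numbers are redacted before the 9-digit TFN shape
# so the phone digits are not mislabelled.
PI_PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "AU_PHONE": re.compile(r"(?<!\d)(?:\+61\s?|0)4\d{2}\s?\d{3}\s?\d{3}(?!\d)"),
    "TFN": re.compile(r"(?<!\d)\d{3}\s?\d{3}\s?\d{3}(?!\d)"),
}

# Assumed allowlist: region identifiers the cloud providers use for their
# Australian locations. Adjust to the providers and regions you actually use.
ALLOWED_REGIONS = {
    "ap-southeast-2", "ap-southeast-4",                      # AWS Sydney, Melbourne
    "australiaeast", "australiasoutheast", "australiacentral",  # Azure
    "australia-southeast1", "australia-southeast2",          # Google Cloud
}

GENESIS = "0" * 64  # hash-chain anchor for the first access-log record


def region_allowed(region: str) -> bool:
    """True if prompt logs may be persisted in this region."""
    return region in ALLOWED_REGIONS


def redact(text: str) -> tuple[str, dict[str, int]]:
    """Replace personal-information patterns with typed placeholders.
    Returns the minimised text and a per-category count of redactions."""
    counts: dict[str, int] = {}
    for label, pattern in PI_PATTERNS.items():
        text, n = pattern.subn(f"<{label}>", text)
        if n:
            counts[label] = n
    return text, counts


@dataclass
class PromptLogStore:
    region: str
    entries: list[dict] = field(default_factory=list)
    access_log: list[dict] = field(default_factory=list)
    _last_hash: str = GENESIS

    def __post_init__(self) -> None:
        # Fail closed: never create a store outside the approved regions.
        if not region_allowed(self.region):
            raise ValueError(f"region {self.region!r} is not an approved storage region")

    def _audit(self, actor: str, action: str, detail: dict) -> None:
        # Each record commits to the previous record's hash, so deleting or
        # editing an entry breaks the chain and is detectable.
        record = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                  "action": action, "prev": self._last_hash, **detail}
        record["hash"] = hashlib.sha256(
            json.dumps(record, sort_keys=True).encode()).hexdigest()
        self._last_hash = record["hash"]
        self.access_log.append(record)

    def write(self, actor: str, prompt: str, response: str) -> int:
        """Store a redacted prompt/response pair and log the write."""
        p, pc = redact(prompt)
        r, rc = redact(response)
        self.entries.append({"prompt": p, "response": r})
        idx = len(self.entries) - 1
        self._audit(actor, "write", {"entry": idx, "prompt_redactions": pc,
                                     "response_redactions": rc})
        return idx

    def read(self, actor: str, index: int) -> dict:
        """Return an entry and log who read it."""
        self._audit(actor, "read", {"entry": index})
        return self.entries[index]

    def verify_access_log(self) -> bool:
        """Recompute the hash chain; False if any record was altered or removed."""
        prev = GENESIS
        for rec in self.access_log:
            body = {k: v for k, v in rec.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if rec["prev"] != prev or digest != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def demo() -> dict:
    """Constructed sample: a support prompt carrying an email, a mobile and a TFN."""
    store = PromptLogStore(region="ap-southeast-2")
    idx = store.write("support-bot",
                      "Customer jane.doe@example.com on 0412 345 678 asked about TFN 123 456 782",
                      "Acknowledged.")
    entry = store.read("analyst", idx)
    return {"stored_prompt": entry["prompt"],
            "log_ok": store.verify_access_log(),
            "events": len(store.access_log)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pattern-based redaction lowers what a leaked prompt log exposes, which narrows the "serious harm" question if the store is ever breached, but it is a minimisation step rather than a guarantee; the region check and the hash-chained access log are what let you answer "where was it stored and who touched it" during the assessment window.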

Where dgm fits

dgm is an independent integration partner that helps Australian businesses adopt osFoundry — scoping a first use case, handling the build, and connecting AI to the systems you already run. dgm is independent of osFoundry’s maker (OS LLC) and has no completed client integrations yet, so everything described here is a service offered, not a past result. If you want to scope a practical first project, dgm can help you map it out.