NDB Incident Drafter
Overview
Draft and validate the Statement to the Commissioner and the Notification to Individuals under Australia’s Notifiable Data Breaches (NDB) scheme. Ensures the four sections that Privacy Act s 26WK makes mandatory are present, and supports the assessment of likelihood of serious harm by data type (e.g. TFN, Medicare number). Applies to the entities the scheme covers: APP entities (which include organisations with annual turnover above $3m and health service providers of any size) and TFN recipients; the scheme is regulated by the OAIC.
Tools
- validate_ndb_statement — Checks that a Statement to the Commissioner or Notification to Individuals includes all four mandatory sections under s 26WK: entity/contact details, description of the breach, kinds of information involved, and recommendations for individuals. Run on the draft before submission.
- harm_threshold_check — Evaluates likelihood of serious harm based on the data types involved (e.g. TFN, Medicare number, health information, financial details, name, email). Use when assessing whether a breach is notifiable or when drafting the “kinds of information” section. Data type is only one input: the statutory assessment also weighs the circumstances, such as whether the data was encrypted and who obtained it, so treat the result as a starting point rather than a determination.
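The following Python script is an added illustration of what the two tools check; it is not the skill's own implementation. It assumes drafts use markdown headings like the excerpt further down this page, that template placeholders are written in square brackets, and it uses an assumed weighting of data types (the Act prescribes no scoring). The sample draft is constructed for the example.

```python
"""Toy NDB statement validator and harm-threshold check (added example)."""
import re

# The four items s 26WK(3) requires in a Statement to the Commissioner.
# The heading regexes are an assumption about how drafts are headed.
REQUIRED_SECTIONS = {
    "entity_contact": r"entity.*(identif|contact)|contact details",
    "breach_description": r"description of the (eligible )?(data )?breach",
    "information_kinds": r"kinds? of (personal )?information",
    "recommendations": r"recommendations?",
}

# Assumed harm weights: 3 = identifier that directly enables identity fraud
# or is sensitive health data, 2 = financial/identity-adjacent, 1 = contact.
HARM_WEIGHTS = {
    "tfn": 3, "medicare number": 3, "health information": 3,
    "passport number": 3, "driver licence number": 3,
    "financial": 2, "bank account": 2, "credit card": 2, "date of birth": 2,
    "name": 1, "email": 1, "email address": 1, "phone": 1, "address": 1,
}

# Constructed sample draft in the same shape as the excerpt on this page.
COMPLETE_DRAFT = """\
## 1. Entity identification and contact details
Example Health Pty Ltd (ABN 12 345 678 901)
1 Example Street, Sydney NSW 2000, privacy@example.com, 02 0000 0000
Contact: A. Officer, Privacy Officer

## 2. Description of the eligible data breach
On 3 March 2024 we became aware that an attacker used a compromised staff
account to export a patient contact list. Access was revoked the same day
and the affected system was rebuilt.

## 3. Kinds of personal information concerned
The following kinds of personal information were involved: name, email
address and Medicare number.

## 4. Recommendations for individuals
We recommend affected individuals monitor bank statements, consider a
credit ban and be alert to phishing or scam contact.
"""


def split_sections(text):
    """Return (heading, body) pairs for each markdown heading in the draft."""
    sections, heading, body = [], None, []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            if heading is not None:
                sections.append((heading, "\n".join(body).strip()))
            heading, body = line.lstrip("# ").strip(), []
        elif heading is not None:
            body.append(line)
    if heading is not None:
        sections.append((heading, "\n".join(body).strip()))
    return sections


def validate_ndb_statement(text):
    """Report missing s 26WK sections, sections with no body, and
    unfilled [placeholders] left over from the template."""
    sections = split_sections(text)
    missing, empty = [], []
    for key, pattern in REQUIRED_SECTIONS.items():
        found = next(((h, b) for h, b in sections
                      if re.search(pattern, h, re.I)), None)
        if found is None:
            missing.append(key)
        elif not found[1]:
            empty.append(key)
    placeholders = sorted(set(re.findall(r"\[[^\]]+\]", text)))
    return {"missing": missing, "empty": empty, "placeholders": placeholders,
            "ok": not (missing or empty or placeholders)}


def harm_threshold_check(data_types):
    """Rate likelihood of serious harm from data types alone (assumed scale):
    any weight-3 identifier -> HIGH; combined weight >= 4 -> MEDIUM; else LOW.
    Unrecognised types are reported rather than silently scored as zero."""
    weights, unknown = [], []
    for dt in data_types:
        key = dt.strip().lower()
        if key in HARM_WEIGHTS:
            weights.append(HARM_WEIGHTS[key])
        else:
            unknown.append(dt)
    if any(w == 3 for w in weights):
        rating = "HIGH"
    elif sum(weights) >= 4:
        rating = "MEDIUM"
    else:
        rating = "LOW"
    return {"rating": rating, "score": sum(weights), "unknown": unknown}


if __name__ == "__main__":
    print(harm_threshold_check(["name", "email", "Medicare number"]))
    print(validate_ndb_statement(COMPLETE_DRAFT))
```

The placeholder check is the one worth keeping even if you replace everything else: a draft that passes the four-section test can still carry "[Entity Name]" or "[date]" straight into a submission. The unknown-type list in the harm check serves a similar purpose, since a misspelled "Medicare no." that scored zero would quietly pull a HIGH down to LOW.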
Example
You: We’ve had a breach involving customer names, emails and Medicare numbers. Can you draft the Statement to the Commissioner and then check it?
Agent: I’ll run a harm-threshold check for those data types, then draft the statement. (Runs harm_threshold_check.) The assessment is HIGH — Medicare numbers strongly support notifiability. I’ve created a draft from the template with all four sections. (Runs validate_ndb_statement.) All four mandatory sections are present. You can now tailor the description and recommendations to your incident and submit to the OAIC and notify individuals.
Excerpt of a generated document
The following is an excerpt from a Statement to the Commissioner the agent might produce (the validator would confirm all four s 26WK sections are present):
## 1. Entity identification and contact details
[Entity Name] (ABN 12 345 678 901)
[Address], [Email], [Phone]
Contact: [Name], [Role]
## 2. Description of the eligible data breach
On [date], we became aware that [describe unauthorised access, disclosure or loss]. The incident involved [circumstances]. We have [containment/remediation steps].
## 3. Kinds of personal information concerned
The following kinds of personal information were involved: name, email address, and Medicare number (and, where applicable, Medicare card expiry).
## 4. Recommendations for individuals
We recommend affected individuals: monitor bank accounts and statements; consider placing a credit ban or obtaining a credit report; be alert to phishing or scam contact; and consider contacting IDCare (idcare.org) for support.
Getting Started
Add your incident details (or an existing draft) to the project workspace, then activate the NDB Incident Drafter skill. Use the bundled template and run the validator after drafting to ensure s 26WK compliance before notifying the OAIC and affected individuals.