# NDB Incident Drafter

> Draft and validate the Statement to the Commissioner and Notification to Individuals under Australia's Notifiable Data Breaches (NDB) scheme. Ensures the four mandatory sections under Privacy Act s 26WK are present and supports assessment of likelihood of serious harm by data type (e.g. TFN, Medicare).



Tags: Australia, Privacy, OAIC, NDB, Compliance, Data Breach


## Example Prompts

- Draft the Statement to the Commissioner for our data breach involving customer names and Medicare numbers
- Check that our NDB notification includes all four mandatory sections under s 26WK
- Assess likelihood of serious harm for a breach involving TFN and health information

URL: https://rakenne.app/skills/ndb-incident-drafter/index.md

Try this skill: https://rakenne.app/a/?skill=ndb-incident-drafter



## Overview

Draft and validate the Statement to the Commissioner and Notification to Individuals under Australia's Notifiable Data Breaches (NDB) scheme. Ensures the four mandatory sections under Privacy Act s 26WK are present and supports assessment of likelihood of serious harm by data type (e.g. TFN, Medicare). Applies to APP entities (including organisations with annual turnover over $3m and smaller businesses such as health service providers), TFN recipients and other entities covered by the scheme; regulated by the OAIC.

## Tools

- **validate_ndb_statement** — Checks that a Statement to the Commissioner or Notification to Individuals includes all four mandatory sections under s 26WK(3): entity identity and contact details, description of the eligible data breach, kinds of information concerned, and recommendations for individuals. Run on the draft before submission. It checks that each section is present, not that its content is adequate for your incident; review the description and recommendations yourself.
- **harm_threshold_check** — Evaluates likelihood of serious harm based on the data types involved (e.g. TFN, Medicare number, health information, financial, name, email). Use when assessing whether a breach is notifiable or when drafting the "kinds of information" section. Data type is only one of the matters s 26WG requires you to weigh; sensitivity, whether the data was protected (e.g. encrypted) and by how much, who obtained it, and the nature of the possible harm also bear on the assessment, so treat the check as input to that assessment rather than the answer.

## Example

> **You:** We've had a breach involving customer names, emails and Medicare numbers. Can you draft the Statement to the Commissioner and then check it?
>
> **Agent:** I'll run a harm-threshold check for those data types, then draft the statement. *(Runs harm_threshold_check.)* The assessment is HIGH — Medicare numbers strongly support notifiability. I've created a draft from the template with all four sections. *(Runs validate_ndb_statement.)* All four mandatory sections are present. You can now tailor the description and recommendations to your incident and submit to the OAIC and notify individuals.

## Excerpt of a generated document

The following is an excerpt from a Statement to the Commissioner the agent might produce (the validator would confirm all four s 26WK sections are present):

```markdown
## 1. Entity identification and contact details

[Entity Name] (ABN [ABN])
[Address], [Email], [Phone]
Contact: [Name], [Role]

## 2. Description of the eligible data breach

On [date], we became aware that [describe unauthorised access, disclosure or loss]. The incident involved [circumstances]. We have [containment/remediation steps].

## 3. Kinds of personal information concerned

The following kinds of personal information were involved: name, email address, and Medicare number (and, where applicable, Medicare card expiry).

## 4. Recommendations for individuals

We recommend affected individuals: monitor bank accounts and statements; consider placing a credit ban or obtaining a credit report; be alert to phishing or scam contact; and consider contacting IDCare (idcare.org) for support.
```
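The check the validator performs on a draft like the excerpt above can be shown in working code. The following is an added example, not the skill's own validator: it splits a markdown draft into headed sections, maps each heading to one of the four s 26WK(3) elements by keyword (the keyword lists are this example's assumption, not the skill's rules), and reports elements that are missing, present but empty, or still carrying unfilled `[bracketed]` template placeholders. The two drafts are constructed for the example; the hypothetical contact details in them are not real.

```python
import re

# Content a Statement to the Commissioner must contain under
# Privacy Act 1988 (Cth) s 26WK(3)(a)-(d). The heading keywords are this
# example's own matching heuristic (an assumption), not the skill's rules.
REQUIRED_SECTIONS = {
    "entity_contact": ("s 26WK(3)(a) identity and contact details of the entity",
                       ("contact", "entity", "identification")),
    "breach_description": ("s 26WK(3)(b) description of the eligible data breach",
                           ("description", "breach")),
    "information_kinds": ("s 26WK(3)(c) kind or kinds of information concerned",
                          ("kind", "information")),
    "recommendations": ("s 26WK(3)(d) recommended steps for individuals",
                        ("recommend", "steps")),
}

# ATX headings: up to 3 leading spaces, 1-6 '#', text, optional closing '#'s.
HEADING_RE = re.compile(r"^ {0,3}#{1,6}\s+(.*?)\s*#*\s*$")
# Unfilled template fill-ins such as [Entity Name]; a markdown link [x](y) is skipped.
PLACEHOLDER_RE = re.compile(r"\[[^\]\n]+\](?!\()")


def split_sections(markdown):
    """Return a list of (heading text, body text) pairs from a markdown draft."""
    sections = []
    heading, body = None, []
    for line in markdown.splitlines():
        m = HEADING_RE.match(line)
        if m:
            if heading is not None:
                sections.append((heading, "\n".join(body).strip()))
            heading, body = m.group(1), []
        elif heading is not None:
            body.append(line)
    if heading is not None:
        sections.append((heading, "\n".join(body).strip()))
    return sections


def classify(heading):
    """Map a heading to a s 26WK(3) element key, or None if it matches nothing."""
    text = heading.lower()
    for key, (_, keywords) in REQUIRED_SECTIONS.items():
        if any(k in text for k in keywords):
            return key
    return None


def validate_ndb_statement(markdown):
    """Report which s 26WK(3) elements a draft lacks, leaves empty or leaves unfilled."""
    found = {}
    for heading, body in split_sections(markdown):
        key = classify(heading)
        if key is not None and key not in found:   # first matching section wins
            found[key] = body
    missing = [k for k in REQUIRED_SECTIONS if k not in found]
    empty = [k for k in REQUIRED_SECTIONS if k in found and not found[k]]
    placeholders = [k for k in REQUIRED_SECTIONS
                    if k in found and PLACEHOLDER_RE.search(found[k])]
    return {
        "missing": missing,
        "empty": empty,
        "placeholders": placeholders,
        # All four elements present with some content: the s 26WK(3) presence check.
        "complete": not missing and not empty,
        # Additionally no template fill-ins left, so fit to tailor and submit.
        "ready": not missing and not empty and not placeholders,
    }


def describe(result):
    """One human-readable line per finding, keyed to the s 26WK(3) element."""
    lines = []
    for kind in ("missing", "empty", "placeholders"):
        for key in result[kind]:
            lines.append(f"{kind}: {REQUIRED_SECTIONS[key][0]}")
    return lines or ["all four s 26WK(3) elements present"]


# Constructed sample draft: all four sections, but the entity name placeholder
# in section 1 has not been filled in. Contact details are fictional.
SAMPLE_DRAFT = """\
## 1. Entity identification and contact details

[Entity Name]
Contact: Privacy Officer, privacy@example.com

## 2. Description of the eligible data breach

On 3 March we became aware that a misconfigured storage bucket exposed a
customer export to unauthorised access. Access has been revoked.

## 3. Kinds of personal information concerned

Name, email address and Medicare number.

## 4. Recommendations for individuals

Be alert to phishing or scam contact; consider contacting IDCare for support.
"""

# Constructed defective draft: section 3 is empty and section 4 is absent.
DEFECTIVE_DRAFT = """\
## 1. Entity identification and contact details

Example Pty Ltd. Contact: Privacy Officer.

## 2. Description of the eligible data breach

A laptop holding a customer list was lost in transit.

## 3. Kinds of personal information concerned
"""

if __name__ == "__main__":
    for name, draft in (("sample", SAMPLE_DRAFT), ("defective", DEFECTIVE_DRAFT)):
        print(name)
        for line in describe(validate_ndb_statement(draft)):
            print("  " + line)
```

Run as a script it prints the findings for both constructed drafts; the sample is `complete` but not `ready` because of the unfilled `[Entity Name]`, while the defective draft is reported as missing the recommendations element and having an empty kinds-of-information section. Keyword matching on headings is deliberately loose so that a draft using "Contact details" or "Nature of the breach" as headings still classifies; the trade-off is that a heading containing two elements' keywords is assigned to whichever element appears first in `REQUIRED_SECTIONS`.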

## Getting Started

Add your incident details (or an existing draft) to the project workspace, then activate the *NDB Incident Drafter* skill. Use the bundled template and run the validator after drafting to ensure s 26WK compliance before notifying the OAIC and affected individuals.


---

Back to [Skill Library](https://rakenne.app/skills/index.md)
