Trust Center

NDB and incident response

Last reviewed: 2026-05-25

This page is the public summary of how Compliance Care prepares for and responds to a security incident, including obligations under the Australian Notifiable Data Breaches (NDB) Scheme (Part IIIC of the Privacy Act 1988 (Cth)).

The full internal runbook lives at docs/security/ndb-workflow.md and docs/runbooks/incident-response.md. Customers and auditors can request to walk through the internal runbook under NDA.

How we detect

How we respond

The runbook works to fixed time targets from the point of awareness:

PhaseTargetWhat happens
Isolate1 hourContain the suspected blast radius. Rotate any credential believed exposed. Disable affected sessions. Snapshot for forensics.
Assess4 hoursScope: which tenants, which data classes, what likelihood of access by an unauthorised party. Decide preliminary severity.
Notify affected providers24 hoursContact each affected tenant's nominated point of contact with what is known so far, what we are doing, and when we will next update them. Updates continue at least daily until resolution.
OAIC NDB notificationWithin 30 days of awareness, or sooner if assessment concludes the event is an Eligible Data BreachNotify the Office of the Australian Information Commissioner using the standard form. Notify affected individuals as required under the Scheme.

NDB Scheme readiness — summary

Compliance Care holds personal information in the course of acting as a service provider to NDIS providers. We treat ourselves as bound by the NDB Scheme in respect of personal information we hold.

We maintain:

What we publish after an incident

For every incident that results in any notification to a tenant (whether or not it becomes an Eligible Data Breach), a post-incident summary is published here within 30 days of resolution. The summary includes: the date and duration; the data classes potentially affected; the root cause; and the remediation actions. Tenant-identifying information is not published.

DateSummary
(none yet)

Reporting an incident to us

Acknowledged within two business days. High-severity reports trigger the runbook immediately on receipt.

Change log

DateChange
2026-05-25Initial publication.

← Back to the Trust Center