Overview: Notifying of an eligible data breach
Identifying when notification is required
Notification to both the Privacy Commissioner and affected individuals will be required when an entity becomes aware that there are reasonable grounds to believe an eligible data breach has occurred.
However, notification is not required, or only required in a limited manner, even if an entity has experienced an eligible data breach where:
- the eligible data breach is an eligible data breach of another entity who has already fulfilled notification obligations under this regime;
- notification would be inconsistent with a secrecy provision;
- the Privacy Commissioner has given a declaration that no notification is required in regard to the eligible data breach; or
- notification would be likely to prejudice enforcement-related activities.
See Identifying when notification is required.
Notifying the Privacy Commissioner
An entity is required to prepare a statement notifying the Privacy Commissioner of an eligible data breach and to send it the Privacy Commissioner as soon as practicable.
This statement should contain:
- the entity’s identity and contact details;
- a description of the eligible data breach that the entity has reasonable grounds to believe has happened;
- the kind or kinds of information concerned; or
- recommendations about the steps that individuals should take in response to the eligible data breach.
See Notifying the Privacy Commissioner.
Notifying the affected individuals
After providing a copy of the statement to the Privacy Commissioner, an entity is also required to notify individuals affected by the eligible data breach by one of the following options:
- if practicable, by notifying each individual to whom the relevant information relates;
- if practicable, by notifying each individual who is at risk from the eligible data breach; or
- if neither of the above apply, by publishing a copy of the statement on the entity's website and taking reasonable steps to publicise the contents of the statement.
An entity can notify individuals by whichever communication method it normally uses with those particular individuals.
See Notifying the affected individuals.
Notifying other persons
If a data breach occurs, an entity should also consider the extent to which it is required to, or should, notify the data breach to other persons, such as regulators, insurers or the market.
See Notifying other persons.
For more information, see Data breach preparation and response – A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) on the reporting a data breach to the Office of the Australian Information Commissioner website.