Overview: The data breach notification regime

Identifying whether the data breach notification regime applies to you

The mandatory data breach notification regime applies to the following bodies (s 26WE, the Act):

  • APP entities;
  • credit reporting bodies;
  • credit providers; and
  • file number recipients.

The regime will also apply to the above entities where they have disclosed information to an overseas recipient, or a body or person with no Australian link, as if they themselves held the information.

However, notification of a breach is not required under the regime where that breach is required to be notified under the My Health Records Act 2012 (Cth).

See Identifying whether the data breach notification regime applies to you.

Identifying whether the data breach is notifiable

A data breach will become notifiable if it is an “eligible data breach”.

An eligible data breach will occur where:

  • there is unauthorised access to or disclosure of information; or
  • information is lost where unauthorised access to or disclosure of the information is likely to occur; and
  • a reasonable person would be likely to conclude that such circumstances would likely result in serious harm to the individuals to whom the information relates.

If an eligible data breach is suspected to have occurred but not confirmed, entities must carry out a reasonable and expeditious assessment to determine whether there are reasonable grounds to establish an eligible data breach.

See Identifying whether the data breach is notifiable.

Taking remedial action to prevent an eligible data breach

If an entity is able to take appropriate remedial action in relation to an incident, it may mean that no individuals are likely to suffer serious harm, which in turn means that the incident will not be an eligible data breach and will not need to be notified.

See Taking remedial action to prevent a notifiable data breach.

See Chapter B — Key concepts.

The types of data breaches being reported

The Office of the Australian Information Commissioner releases a quarterly statistics report which gives an insight into the quantity and types of breach notifications, as well as the industries most affected.

Given that the scheme commenced on 22 February 2018, the first Notifiable Data Breach Quarterly Statistics Report captured only part of February and the whole of March 2018 (63 breaches were reported). The second report, covering the period from 1 April to 30 June 2018, reveals that there were 242 notifications, of which 36% were caused by human error, 59% by malicious or criminal attacks and 5% by system faults. The majority (61%) of data breaches involved the personal information of 100 or fewer individuals.

The kinds of personal information affected were:

  • contact information (89% of notifications);
  • financial details (42%);
  • identity information (39%); and
  • health information (25%).

The industry that had the highest number of breach notifications was health service providers (49%), followed by finance (36%) and legal, accounting and management services (20%).