Identifying whether the data breach is notifiable

A data breach will become notifiable if it is an “eligible data breach”.

An eligible data breach will occur where:

  • there is unauthorised access to or disclosure of information; or
  • information is lost where unauthorised access to or disclosure of the information is likely to occur; and
  • a reasonable person would be likely to conclude that such circumstances would likely result in serious harm to individuals to whom the information relates to.

If an eligible data breach is suspected to have occurred but not confirmed, entities must carry out a reasonable and expeditious assessment to determine whether there are reasonable grounds to establish an eligible data breach.