Mandatory Data Breach Reporting – What you need to start doing right now

  • there has been unauthorised access to, or disclosure of, personal information and a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the access or disclosure; or
  • personal information is lost in circumstances that are likely to give rise to unauthorised access to, or disclosure of, the information and a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals.

Examples of a data breach include, but are not limited to:

  • Loss of a computer or data storage device containing personal information
  • Unauthorised access to personal information as a result of a hacking attack or data breach
  • Employees or contractors accessing or disclosing personal information outside the bounds of their employment
  • Emailing, sending or simply providing personal information to the incorrect people

What constitutes serious harm?

Serious harm, in this context, could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.

In making an assessment of the level of harm, an organisation needs to consider the nature and sensitivity of the personal information, whether the information is protected by some type of security measures (e.g. encryption), who has obtained or accessed, or could obtain or access, the information, and the nature of the harm to affected individuals.

What does notification entail?

In the event of an eligible data breach, an entity is required to notify the Commissioner and affected individuals as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach (unless an exception applies). The notification statement must include:

  • the identity and contact details of the entity
  • a description of the serious data breach
  • the kinds of information concerned, and
  • recommendations about the steps that individuals should take in response to the serious data breach

Notification must occur as soon as practicable after the preparation of the statement and may be made using the method normally used by the entity in communicating with the individuals. Depending on the situation, other methods of notification are permissible; for example, if an entity is unable to notify each affected individual, notification via the entity's website, if one exists, would be satisfactory.
