In February 2018, the Australian Privacy Act changed to incorporate data breach obligations and responsibilities for businesses. When unauthorised access to, or disclosure of, personal information that your business holds occurs, the breach needs to be reported to the Office of the Australian Information Commissioner (OAIC).
When an organisation or agency covered by the Privacy Act 1988 has reasonable grounds to believe an eligible data breach has occurred, it must promptly notify any individual at risk of serious harm. It must also notify the OAIC.
An eligible data breach occurs when the following criteria are met:
- There is unauthorised access to or disclosure of personal information held by an organisation or agency (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
- This is likely to result in serious harm to any of the individuals to whom the information relates.
- The organisation or agency has been unable to prevent the likely risk of serious harm with remedial action.
How do you report a breach when it occurs? And who do you report it to?
Legislation requires that any data breach be reported to the Australian Information Commissioner and to affected individuals as soon as practicable. The affected individuals could be customers and/or staff.
Eligible breaches include instances of unauthorised access to or disclosure of information, loss or theft of a device containing personal information, and the hacking of a database.
Depending upon the severity of the breach and the potential for harm, it may be necessary to prepare and submit a formal report.
The report requires the following to be disclosed. When you notify the OAIC and any affected individuals, include:
- your organisation or agency’s name and contact details
- a description of the data breach
- the kinds of information involved
- recommendations about the steps individuals should take in response to the data breach
For more information on notifications, see Data Breach Preparation and Response.
When it comes to describing the breach, enough detail should be included to allow individuals to understand the potential impact of the breach. The description might include:
- The date the breach occurred
- The date the organisation became aware of the breach
- The circumstances as they relate to the breach, including any known causes
- Who is responsible for the breach, if known, and who is likely to have access to the information
The advice you give individuals on protecting themselves will largely depend on the kind of information involved in the breach. For example, if the breach involved bank account information, you might recommend that the person contact their financial institution.
Report A Data Breach Now
You can use the OAIC online form to Report a Data Breach.
With the right cyber security strategy in place, you can minimise the risk of a breach occurring. If you don’t have a strategy, now is the time to establish one. If you do, now is the time to review its currency and relevance to your business and the way it operates today.
How To Prevent Data Breaches
Prevention is better than the cure, especially when it comes to data breaches. Did you know that simple human error was responsible for more than a third of data breaches in Australia in the last year, according to the Australian Privacy Commissioner? Read more about the practical steps your business can take to implement best-practice procedures and prevent a data breach.