Australian Government - Office of the Australian Information Commissioner
Draft: Assessing a suspected data breach

The Office of the Australian Information Commissioner (OAIC) published this resource as an exposure draft on 27 September 2017. Comments are now closed.

September 2017

Key points

  • If an entity has grounds to believe that it has experienced an eligible data breach, it must promptly notify individuals and the Commissioner about the breach, unless an exception applies.
  • In contrast, if an entity suspects that it may have experienced an eligible data breach, it must quickly assess the situation to decide whether or not there has been an eligible breach.
  • An assessment must be reasonable and expeditious, and organisations may develop their own procedures for assessing a suspected breach.

When must entities assess a suspected breach?

The NDB scheme is designed so that only serious (‘eligible’) data breaches are notified (see Identifying eligible data breaches). If an entity is aware of reasonable grounds to believe that there has been an eligible data breach, it must promptly prepare a statement about the eligible data breach for the Commissioner and notify individuals at risk of serious harm (see Notifying individuals about an eligible data breach).

On the other hand, if an entity only has reason to suspect that there may have been a serious breach, it needs to move quickly to resolve that suspicion by assessing whether an eligible data breach has occurred. If, during the course of an assessment, it becomes clear that there has been an eligible breach, then the entity needs to promptly comply with the notification requirements.

The requirement for an assessment is triggered if an entity is aware that there are reasonable grounds to suspect that there may have been a serious breach (s 26WH(1)).

Whether an entity is ‘aware’ of a suspected breach is a factual matter in each case, having regard to how a reasonable person who is properly informed would be expected to act in the circumstances. For instance, if a person responsible for compliance or personnel with appropriate seniority are aware of information that suggests a suspected breach may have occurred, an assessment should be done. An entity should not unreasonably delay an assessment of a suspected eligible breach, for instance by waiting until its CEO or Board is aware of information that would otherwise trigger reasonable suspicion of a breach within the entity.

The OAIC expects entities to have practices, procedures, and systems in place to comply with their information security obligations under APP 11, enabling suspected breaches to be promptly identified, reported to relevant personnel, and assessed if necessary.

If a data breach affects one or more other entities, and one entity has assessed the suspected breach, the other entities are not required to also assess the breach (s 26WJ). If no assessment is conducted, depending on the circumstances, each entity that holds the information may be found to be in breach of the assessment requirements. The NDB scheme does not prescribe which entity should conduct the assessment in these circumstances. Entities should establish clear arrangements where information is held jointly, so that assessments are carried out quickly and effectively.

How quickly must an assessment be done?

An entity must take all reasonable steps to complete the assessment within 30 calendar days after the day the entity became aware of the grounds (or information) that caused it to suspect an eligible data breach (s 26WH(2)).

The OAIC expects that wherever possible entities treat 30 days as a maximum time limit for completing an assessment, and endeavour to complete the assessment in a much shorter timeframe, as the risk of serious harm to individuals often increases with time.

Where an entity cannot reasonably complete an assessment within 30 days, the OAIC recommends that it document this, so that it is able to demonstrate:

  • that all reasonable steps have been taken to complete the assessment within 30 days,
  • the reasons for the delay, and
  • that the assessment was reasonable and expeditious.

How is an assessment done?

Entities must carry out a ‘reasonable and expeditious’ assessment (s 26WH(2)(a)). The Privacy Act does not set out how entities should assess a data breach, and organisations may develop their own procedures for assessing a suspected breach.

The OAIC expects entities to take a risk-based approach to assessments. The amount of time and effort expended in an assessment should be proportionate to the likelihood of the breach and its apparent severity.

The OAIC expects that an entity’s business as usual approach to data breach management, including its data breach response plan, will be reviewed and updated to incorporate the requirements of the NDB scheme for assessing suspected eligible data breaches.

While the Act does not specify how an assessment should occur, the OAIC suggests that an assessment could be a three-stage process:

  1. Initiate: decide whether an assessment is necessary and identify which person or group will be responsible for completing it
  2. Investigate: quickly gather relevant information about the suspected breach, including, for example, what personal information is affected, who may have had access to the information and the likely impacts, and
  3. Evaluate: make a decision, based on the investigation, about whether the identified breach is an eligible data breach (see Identifying eligible data breaches).

The OAIC’s Data breach notification — A guide to handling personal information security breaches may also assist when designing and reviewing an entity’s assessment procedures.

The OAIC recommends that entities document the assessment process and outcome.

Remedial action

At any time, including during an assessment, an entity can, and should, take steps to reduce any potential harm to individuals caused by a suspected or eligible data breach. If remedial action is successful in preventing serious harm to affected individuals, notification is not required (as explained in Identifying eligible data breaches).

Breach established – what next?

Once an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach – whether during the course of an assessment, or when the assessment is complete – it must promptly notify affected individuals and the OAIC about the breach (see What to include in an eligible data breach statement and Notifying individuals about an eligible data breach).
