Australian Government - Office of the Australian Information Commissioner

Draft: What to include in an eligible data breach statement

The Office of the Australian Information Commissioner (OAIC) published this resource as an exposure draft on 27 September 2017. Comments are now closed.

September 2017

Key points

  • The NDB scheme requires entities to notify individuals about an eligible data breach (see Identifying eligible data breaches).
  • Entities are also required to prepare a statement and provide a copy to the Australian Information Commissioner (the Commissioner) (s 26WK). The OAIC’s online form may help entities to do this.
  • The statement must include the name and contact details of the entity, a description of the eligible data breach, the kind or kinds of information involved, and what steps the entity recommends that individuals at risk of serious harm take in response to the eligible data breach (s 26WK(3)).
  • Entities must notify affected individuals about the contents of this statement or, if this is not practicable, publish a copy of the statement on the entity’s website and take reasonable steps to publicise the contents of the statement (s 26WL(2)) (see Notifying individuals about an eligible data breach).

What must be included in the statement

A statement about an eligible data breach must include:

  • the identity and contact details of the entity (s 26WK(3)(a))
  • a description of the eligible data breach (s 26WK(3)(b))
  • the kind or kinds of information involved in the eligible data breach (s 26WK(3)(c))
  • what steps the entity recommends that individuals take in response to the eligible data breach (s 26WK(3)(d)).

Identity and contact details of the entity

Where an entity’s company name is different to the business or trading name, the OAIC recommends that entities also include the name that is most familiar to individuals. The entity must also include information about how an individual can contact it. Depending on the nature and scale of the breach, the entity may wish to consider whether to provide its general contact details, or establish a dedicated phone line or email address to answer queries from individuals.

Description of the eligible data breach

An entity is required to include ‘a description’ of the data breach in its statement.

The OAIC expects that the statement will include sufficient information about the data breach to allow affected individuals the opportunity to properly assess the possible consequences of the data breach for them, and to take protective action in response.

Information describing the eligible data breach may include:

  • the date of the unauthorised access or disclosure
  • the date the entity detected the data breach
  • the circumstances of the data breach (such as any known causes for the unauthorised access or disclosure)
  • who has obtained or is likely to have obtained access to the information
  • relevant information about the steps the entity has taken to contain the breach.

The kind or kinds of information concerned

The statement must include the kind or kinds of information involved in the data breach. Knowing what kind of personal information has been breached is critical to assessing what action should be taken by individuals following a data breach.

Entities, in assessing the data breach, should clearly establish what information was involved in the data breach, including whether the breach involved ‘sensitive information’[1] (such as information about an individual’s health), government related identifiers (such as a Medicare number or driver licence number), or financial information.

Steps the entity recommends that individuals take

The statement must include recommended steps that individuals should take in response to the data breach to mitigate the serious harm, or the likelihood of serious harm, resulting from the data breach.

The nature of recommendations will depend on the entity’s functions and activities, the circumstances of the eligible data breach, and the kind or kinds of information that were involved. Recommendations should include practical steps that are easy for the individuals to action.

For example, to help reduce the risk of identity theft or fraud, recommendations in response to a data breach that involved individuals’ Medicare numbers might include the steps an individual can take to request a new Medicare card. In the case of a data breach that involved unencrypted or partially encrypted credit card information, recommendations might include that an individual contact their financial institution to change their credit card number, and also contact a credit reporting body to establish a credit alert.

Additional information to provide

Other entities involved in the data breach

If more than one entity holds personal information that was compromised in an eligible data breach, only one entity needs to prepare a statement and notify individuals about the data breach (s 26WM, and see Notifying individuals about an eligible data breach). This may occur when an entity outsources the handling of personal information, is involved in a joint venture, or where it has a shared services arrangement with another entity.

When a data breach affects more than one entity, the entity that prepares the statement may include the identity and contact details of the other entities involved (s 26WK(4)). Whether an entity includes the identity and contact details of other involved entities in its statement will depend on the circumstances of the eligible data breach, and the relationship between the entities and the individuals involved. The Privacy Act does not require this information to be included on the statement, and it is open to entities to assess whether it is useful to provide this information to individuals.

The OAIC recognises that in some instances the identity and contact details of a third party may not be relevant to an individual whose personal information is involved in an eligible data breach, for example, where the individual does not have a relationship with the other entity. In these circumstances, rather than include the identity and contact details of the third party or parties, the entity that prepares the statement may wish to describe the commercial relationship with the third party in its description of the data breach.

When to provide a copy of the statement to the Commissioner

Entities must prepare and give a copy of the statement to the Commissioner as soon as practicable after becoming aware of the eligible data breach (s 26WK(2)).

What is a ‘practicable’ timeframe will vary depending on the entity’s circumstances, and may include considerations of the time, effort, or cost required to prepare the statement. The OAIC expects that once an entity becomes aware of an eligible data breach, it will provide a statement to the Commissioner promptly, unless there are circumstances that reasonably hinder the entity’s ability to do so.

It may be appropriate in some circumstances for an entity to advise individuals about the contents of the statement before or at the same time that it gives the statement to the Commissioner, rather than waiting.

How to provide the statement to the Commissioner

The OAIC has created an online form that may assist entities when preparing a statement about an eligible data breach under section 26WK of the Privacy Act.

Alternatively, an entity may wish to prepare a statement using the Word document form (108 KB DOCX) and provide it to the Commissioner by sending it to:

Email: enquiries@oaic.gov.au
Fax: +61 2 9284 9666
Post: GPO Box 5218
Sydney NSW 2001

Footnotes

[1] See s 6(1) of the Privacy Act for categories of personal information that are covered by the definition of ‘sensitive information’.