Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Receiving data breach notifications

Australian Government agencies and organisations with obligations under the Privacy Act 1988 (Privacy Act) must notify you about certain data breaches under the Notifiable Data Breaches (NDB) scheme. You will be notified about data breaches when an agency or organisation believes you are likely to be at risk of serious harm. It is important to carefully consider the information in a data breach notification, so that you know what personal information has been affected and what steps you can take to reduce the chance of experiencing harm.

If you are not notified by an organisation about a data breach when you should be, you can make a complaint to our office (see What if you’re not notified?).

What is a data breach?

A data breach happens when personal information (such as a person’s name, contact details, medical records, or banking details) is:

  • accessed or released without proper authorisation, or
  • lost and likely to be accessed or released without authorisation.

Examples of a data breach include when:

  • A USB or mobile phone that holds customers’ personal information is stolen
  • A database containing personal information is hacked
  • Someone’s personal information is sent to the wrong person.

Back to Contents

When you might receive a data breach notification

Australian Government agencies and organisations with obligations under the Privacy Act must comply with the ‘Notifiable Data Breaches scheme’ (NDB scheme).

Under the NDB scheme, agencies and organisations must promptly notify you if a data breach is likely to result in ‘serious harm’. This could be serious financial harm, or harm to your mental or physical well-being.

Examples of serious harm include:

  • A likely risk of physical harm, such as by an abusive ex-partner
  • Financial loss through fraud
  • Identity theft, which can affect an individual’s finances and credit report
  • Serious psychological harm
  • Serious reputational harm.

Agencies and organisations might notify you directly (such as by an email) or indirectly by promoting a notification on their website (read more in the How you will be notified section).

Agencies and organisations must also notify the Office of the Australian Information Commissioner (OAIC) about data breaches that are likely to result in serious harm to any individual.

Generally, agencies and organisations have a maximum of 30 days to assess whether a data breach is likely to result in serious harm.

We expect agencies and organisations to take action to reduce the chance that individuals experience harm if a data breach occurs. If this action is successful, and the data breach is not likely to result in serious harm, notification is generally not required under the NDB scheme.

Agencies and organisations with obligations under the Privacy Act that must comply with the NDB scheme include:

  • Most Australian Government agencies
  • Businesses and not-for-profit organisations with an annual turnover of $3 million or more
  • Health service providers (this includes organisations that provide a health service and hold health information, such as private hospitals and medical practitioners, disability service providers, day surgeries, pharmacists, allied health professionals, gyms, child care centres, private schools and private tertiary institutions)
  • Small businesses that trade in personal information
  • Credit reporting bodies and credit providers
  • Tax file number recipients, in cases where a data breach affects tax file number information (tax agents, solicitors, and accountants come under this category).

Is this a real data breach notification, or a phishing scam?

A phishing scam is an attempt by scammers to trick you into giving them your personal information, such as your bank account details or passwords.

Avoid clicking on links in emails, or sharing your personal information on the phone or by email, unless you are certain that the agency or organisation that has contacted you is genuine. Instead, contact the agency or organisation through publicly available contact details (such as the phone book or their website).

Read more about scams on Scamwatch.

Data breach examples

Example 1

An online retail business suspects that they may have experienced a data breach when they receive a few complaints from customers about scam emails that try to get the customer to provide their credit card details.

The business conducts an assessment and finds out that their customer mailing list was stolen. The mailing list has each customer’s name, email address, and home address.

The business finds that the data breach is likely to result in a customer becoming the victim of a scam or experiencing identity theft. The business sends an email notification to each customer affected by the breach, which provides tips on spotting a scam email and advice on what customers should do if they think they are at risk of identity theft.

Example 2

A staff member loses a USB containing clients’ personal information on their way home from work. The USB had client’s names, tax file numbers, and financial information.

The staff member reports the loss to their manager. The organisation believes it is likely that the information on the USB would be used for identity theft. The organisation notifies each of their clients with an email about the data breach and includes recommended steps to lower the risk of identity theft.

Back to Contents

How you will be notified

Direct notification

An agency or organisation may notify you directly in a few different ways. For example, they might:

  • Send you an SMS and direct you to their website
  • Contact you by email
  • Call you.

We recommend that agencies and organisations contact you the way they usually do. For example, if they usually contact you by phone, this may be the best method to notify you about a data breach.

Website notification

If an agency or organisation is not able to contact everyone they must notify about a data breach, they are required to put a notification on their website and to promote this notification. This may mean an agency or organisation will use social media channels, news articles, or advertisements to bring attention to a data breach notification.

Back to Contents

What information should be in a notification?

If a data breach is likely to result in serious harm, an agency or organisation must send you a notification that tells you:

  • the agency/organisation name and contact details
  • the kinds of personal information involved in the breach
  • a description of the data breach
  • recommendations for what steps you can take in response.

Back to Contents

What if you’re not notified?

If you think that a data breach may affect your personal information and you have not been notified, you can contact the agency or organisation and ask them for information about the data breach (including whether your personal information was affected).

You can make a complaint to our office if an agency or organisation is required to comply with the NDB scheme (see our guide on Entities covered by the NDB scheme) and did not promptly notify you about a data breach that:

  1. involved your personal information, and
  2. was likely to result in serious harm

You can also complain to our office if you believe that a data breach raises other privacy issues, such as a failure to reasonably protect personal information. More information about making a privacy complaint can be found on our What can I complain about? page.

Before making a complaint to the OAIC you must first make a complaint to the agency or organisation.

Back to Contents

What to do when you are notified about a data breach

Data breach notifications give you an opportunity to take steps that may reduce the chance of experiencing harm.

Read our tips on What to do after a data breach notification

Back to Contents