Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Business warned to be ready for data breaches

Over 180 business leaders representing some of Australia’s largest organisations met today to discuss how to prevent a data breach, and how to respond to one, if or when it occurs.

Australian Privacy Commissioner Timothy Pilgrim said that there is evidence to suggest that data breaches are on the rise.

“The Office of the Australian Information Commissioner (OAIC) was notified of 56 data breaches in the last financial year, equivalent to a data breach a week. This is up from 44 in the previous year, an increase of 27 per cent,” Mr Pilgrim said.

However, the Privacy Commissioner also noted that he opened a further 59 investigations into other breaches where he wasn’t notified of the incident.

Data breaches can occur in a number of ways. From lost or stolen laptops, portable storage devices and paper records, to databases being ‘hacked’ into or organisations mistakenly providing information to the wrong person.

“Serious harm can befall people when the security of their personal information is compromised”, Mr Pilgrim said. “It is our view that whenever there is a real risk of serious harm, affected individuals should be notified.”

Data breach notification is not a mandatory obligation applying generally to government and business in Australia.  However, there is increased pressure on the Government to introduce laws to make it a general legal requirement as it is elsewhere — data breach notification is already a mandatory requirement in Europe, the UK and the United States.

“As legislative change is considered by the Government, the OAIC has updated a guide to assist agencies and organisations to respond to data breaches,” Australian Information Commissioner John McMillan said in launching the revised guidelines.

Data breach notification: A guide to handling personal information security breaches outlines four steps to consider when responding to a breach or suspected breach and also outlines preventative measures that should be taken as part of a comprehensive information security plan.

Professor McMillan said that there are benefits to organisations that voluntarily choose to notify.

“We can work with organisations to resolve issues quickly and help them contain a breach. This can help mitigate further harm to affected individuals.”

The Privacy Commissioner warned that in some circumstances, it may be a breach of the Privacy Act not to notify as organisations covered by the Privacy Act must take reasonable steps to protect the information they hold.

For interview requests please contact Ms Leila Daniels     0407 663 968

Background information

Data breach notification: A guide to handling personal information security breaches is available here:

The OAIC has also launched 10 steps to protect other people’s personal information, available here:

Privacy Awareness Week is a joint initiative of the Asia Pacific Privacy Authorities forum. More information on what is happening around the region can be found here: