Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Anniversary of Notifiable Data Breaches scheme

One year on from its introduction in February 2018, the Notifiable Data Breaches scheme is driving increased awareness and action on personal information security, Australian Information Commissioner and Privacy Commissioner Angelene Falk said today.

“The first anniversary of the scheme is an opportunity for regulated entities to reflect on the causes of breaches that put personal data at risk and how they are managing their privacy obligations,” Ms Falk said.

“Most of the data breaches reported to us over the past year involved a human factor, like sending information to the wrong person or someone’s login credentials being compromised through phishing or other means and used in a cyber attack.

 “We expect organisations and agencies to act on the risks highlighted by these reports ― whether or not they were directly affected ― and take steps to prevent a similar breach of Australians’ personal data.”

Under the scheme, Australian Government agencies and organisations must carry out an assessment whenever they suspect that there may have been loss of, unauthorised access to or unauthorised disclosure of personal information that they hold.

If serious harm is likely to result, they must notify affected individuals so they can take action to address the possible consequences, such as changing passwords and checking their credit record. They must also notify the Office of the Australian Information Commissioner (OAIC).

From the scheme’s introduction on 22 February to the end of December 2018, 812 data breaches were notified.

“The growing number of data breaches notified to my Office is consistent with trends experienced by our counterparts overseas and indicates agencies and organisations are complying with their notification obligations,” Ms Falk said.

“Individuals are now receiving notices so they can take action to reduce their risk of harm, which also shows the scheme is working as intended.”

Ms Falk said the introduction of the scheme reflected the increasing global focus on data protection, including the European Union General Data Protection Regulation, which commenced in May 2018.

The OAIC website has advice for individuals affected by a data breach, and prevention strategies for organisations developed with the Australian Cyber Security Centre.

The OAIC also provides a guide for agencies and organisations on how to deal with a data breach and when to notify the OAIC.

The December Notifiable Data Breaches quarterly report is available at