Australian Government - Office of the Australian Information Commissioner - Home

Assessing a suspected data breach

Key points

  • If an entity has reasonable grounds to believe that it has experienced an eligible data breach, it must promptly notify individuals and the Commissioner about the breach, unless an exception applies

  • In contrast, if an entity suspects that it may have experienced an eligible data breach, it must quickly assess the situation to decide whether or not there has been an eligible data breach

  • An assessment must be reasonable and expeditious, and entities may develop their own procedures for assessing a suspected data breach.

When must entities assess a suspected breach?

The NDB scheme is designed so that only serious (‘eligible’) data breaches are notified (see Identifying eligible data breaches). If an entity is aware of reasonable grounds to believe that there has been an eligible data breach, it must promptly notify individuals at risk of serious harm and the Commissioner about the eligible data breach (see Notifying individuals about an eligible data breach).

On the other hand, if an entity only has reason to suspect that there may have been a serious breach, it needs to move quickly to resolve that suspicion by assessing whether an eligible data breach has occurred. If, during the course of an assessment, it becomes clear that there has been an eligible breach, then the entity needs to promptly comply with the notification requirements.

The requirement for an assessment is triggered if an entity is aware that there are reasonable grounds to suspect that there may have been a serious breach (s 26WH(1)).

Whether an entity is ‘aware’ of a suspected breach is a factual matter in each case, having regard to how a reasonable person who is properly informed would be expected to act in the circumstances. For instance, if a person responsible for compliance or personnel with appropriate seniority are aware of information that suggests a suspected breach may have occurred, an assessment should be done. An entity should not unreasonably delay an assessment of a suspected eligible breach, for instance by waiting until its CEO or Board is aware of information that would otherwise trigger reasonable suspicion of a breach within the entity.

The Commissioner expects entities to have practices, procedures, and systems in place to comply with their information security obligations under APP 11, enabling suspected breaches to be promptly identified, reported to relevant personnel, and assessed if necessary.

How quickly must an assessment be done?

An entity must take all reasonable steps to complete the assessment within 30 calendar days after the day the entity became aware of the grounds (or information) that caused it to suspect an eligible data breach (s 26WH(2)).

The Commissioner expects that, wherever possible, entities treat 30 days as a maximum time limit for completing an assessment and endeavour to complete the assessment in a much shorter timeframe, as the risk of serious harm to individuals often increases with time.

Where an entity cannot reasonably complete an assessment within 30 days, the Commissioner recommends that it should document this, so that it is able to demonstrate:

  • that all reasonable steps have been taken to complete the assessment within 30 days
  • the reasons for the delay
  • that the assessment was reasonable and expeditious.

How is an assessment done?

Entities must carry out a ‘reasonable and expeditious’ assessment (s 26WH(2)(a)). The Privacy Act 1988 (Cth) (Privacy Act) does not set out how entities should assess a data breach, and entities may develop their own procedures for assessing a suspected breach.

The Commissioner expects that the amount of time and effort entities will expend in an assessment should be proportionate to the likelihood of the breach and its apparent severity.

The Commissioner expects that an entity’s approach to data breach management, including its data breach response plan, will incorporate the requirements of the NDB scheme for assessing suspected eligible data breaches.

While the Privacy Act does not specify how an assessment should occur, the OAIC suggests that an assessment could be a three-stage process:

  1. Initiate: decide whether an assessment is necessary and identify which person or group will be responsible for completing it

  2. Investigate: quickly gather relevant information about the suspected breach including, for example, what personal information is affected, who may have had access to the information and the likely impacts, and

  3. Evaluate: make a decision, based on the investigation, about whether the identified breach is an eligible data breach (see Identifying eligible data breaches).

The OAIC’s Data breach notification — A guide to handling personal information security breaches may also assist when designing and reviewing an entity’s assessment procedures.

The Commissioner recommends that entities document the assessment process and outcome.

Remedial action

At any time, including during an assessment, an entity can, and should, take steps to reduce any potential harm to individuals caused by a suspected or eligible data breach. If remedial action is successful in preventing serious harm to affected individuals, notification is not required (as explained in Identifying eligible data breaches).

Breach established – what next?

Once an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach – whether during the course of an assessment, or when the assessment is complete – it must promptly notify affected individuals and the Commissioner about the breach (see What to include in an eligible data breach statement and Notifying individuals about an eligible data breach).