When an organisation or agency the Privacy Act 1988 covers has reasonable grounds to believe an eligible data breach has occurred, they must promptly notify any individual at risk of serious harm. They must also notify us.

An eligible data breach occurs when the following criteria are met:

  • There is unauthorised access to or disclosure of personal information held by an organisation or agency (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
  • This is likely to result in serious harm to any of the individuals to whom the information relates.
  • The organisation or agency has been unable to prevent the likely risk of serious harm with remedial action.

If you want to notify us about a data breach involving your own personal information, please make a privacy complaint.

What your notification must include

When you notify us and any affected individuals include:

  • your organisation or agency’s name and contact details
  • a description of the data breach
  • the kinds of information involved
  • recommendations about the steps individuals should take in response to the data breach.

For more information on notifications, see Data Breach Preparation and Response.

Complete our online form

To notify us of a data breach, you should use our online Notifiable Data Breach form. To see the type of information we need, view this read only training version.

The more information you tell us about the circumstances of the data breach, what you’ve done to contain the data breach and any remedial action you’ve taken, will help us respond to your notification. Remember to attach a copy of your template notification to affected individuals when completing our online Notifiable Data Breach form.