Australian Government - Office of the Australian Information Commissioner - Home

What to include in an eligible data breach statement

Key points

  • The NDB scheme requires entities to notify individuals about an eligible data breach (see Identifying eligible data breaches).

  • Entities are also required to prepare a statement and provide a copy to the Australian Information Commissioner (the Commissioner) (s 26WK). The OAIC’s online form may help entities to do this.

  • The statement must include the name and contact details of the entity, a description of the eligible data breach, the kind or kinds of information involved, and what steps the entity recommends that individuals at risk of serious harm take in response to the eligible data breach (s 26WK(3)).

  • Entities must notify affected individuals about the contents of this statement or, if this is not practicable, publish a copy of the statement on the entity’s website and take reasonable steps to publicise the contents of the statement (s 26WL(2)) (see Notifying individuals about an eligible data breach).


What must be included in the statement

A statement about an eligible data breach must include:

  • the identity and contact details of the entity (s 26WK(3)(a))
  • a description of the eligible data breach (s 26WK(3)(b))
  • the kind or kinds of information involved in the eligible data breach (s 26WK(3)(c))
  • what steps the entity recommends that individuals take in response to the eligible data breach (s 26WK(3)(d)).

Identity and contact details of the entity

Where an entity’s company name is different to the business or trading name, the OAIC recommends that entities also include the name that is most familiar to individuals. The entity must also include information about how an individual can contact it. Depending on the nature and scale of the breach, the entity may wish to consider whether to provide its general contact details, or establish a dedicated phone line or email address to answer queries from individuals.

Description of the eligible data breach

An entity is required to include ‘a description’ of the data breach in its statement.

The OAIC expects that the statement will include sufficient information about the data breach to allow affected individuals the opportunity to properly assess the possible consequences of the data breach for them, and to take protective action in response.

Information describing the eligible data breach may include:

  • the date, or date range, of the unauthorised access or disclosure
  • the date the entity detected the data breach
  • the circumstances of the data breach (such as any known causes for the unauthorised access or disclosure)
  • who has obtained or is likely to have obtained access to the information
  • relevant information about the steps the entity has taken to contain or remediate the breach.

In general, the OAIC does not expect entities to identify the specific individuals who have accessed information, unless this is relevant to the steps the entity recommends individuals might take in response. For example, where information has been accidentally disclosed in a family violence situation known to the entity, this would be important information for the individual to know.

Usually, however, it would suffice to provide a general description of the type of person who has obtained the information, such as ‘an external third party’ or ‘former employee’.

The kind or kinds of information concerned

The statement must include the kind or kinds of information involved in the data breach. Knowing what kind of personal information has been breached is critical to assessing what action should be taken by individuals following a data breach.

Entities, in assessing the data breach, should clearly establish what information was involved in the data breach, including whether the breach involved ‘sensitive information’[1] (such as information about an individual’s health), government related identifiers (such as a Medicare number or driver licence number), or financial information.

Steps the entity recommends individuals take in response

The statement must include the steps the entity recommends individuals take in response to the data breach, to mitigate the serious harm, or the likelihood of serious harm, arising from the breach (s 26WK(3)(d)).

The nature of recommendations will depend on the entity’s functions and activities, the circumstances of the eligible data breach, and the kind or kinds of information that were involved. Recommendations should include practical steps that are easy for the individuals to action.

For example, to help reduce the risk of identity theft or fraud, recommendations in response to a data breach that involved individuals’ Medicare numbers might include steps an individual can take to request a new Medicare card. Or in the case of a data breach that involved credit card information, putting individuals at risk of identity theft, recommendations might include that an individual contact their financial institution to change their credit card number, and also contact a credit reporting body to establish a ban period on their credit report.

Where the entity does not have the requisite knowledge or capacity to provide advice to affected individuals, it should seek specialist advice or assistance in preparing this section. In limited circumstances, after seeking advice, the entity may use this section to advise individuals that no steps are required.


Additional information to provide

Other entities involved in the data breach

If more than one entity holds personal information that was compromised in an eligible data breach, only one entity needs to prepare a statement and notify individuals about the data breach (s 26WM, and see Data breaches involving more than one organisation). This may occur when an entity outsources the handling of personal information, is involved in a joint venture, or where it has a shared services arrangement with another entity.

When a data breach affects more than one entity, the entity that prepares the statement may include the identity and contact details of the other entities involved (s 26WK(4)). Whether an entity includes the identity and contact details of other involved entities in its statement will depend on the circumstances of the eligible data breach, and the relationship between the entities and the individuals involved. The Privacy Act 1988 (Cth) (Privacy Act) does not require this information to be included on the statement, and it is open to entities to assess whether it is useful to provide this information to individuals.

The OAIC recognises that in some instances the identity and contact details of a third party may not be relevant to an individual whose personal information is involved in an eligible data breach, for example, where the individual does not have a relationship with the other entity. In these circumstances, rather than include the identity and contact details of the third party or parties, the entity that prepares the statement may wish to describe the nature of the relationship with the third party in its description of the data breach.


When to provide a copy of the statement to the Commissioner

Entities must prepare and give a copy of the statement to the Commissioner as soon as practicable after becoming aware of the eligible data breach (s 26WK(2)).

What is a ‘practicable’ timeframe will vary depending on the entity’s circumstances, and may include considerations of the time, effort, or cost required to prepare the statement. The OAIC expects that once an entity becomes aware of an eligible data breach, it will provide a statement to the Commissioner promptly, unless there are circumstances that reasonably hinder the entity’s ability to do so.

It may be appropriate in some circumstances for an entity to advise individuals about the contents of the statement before or at the same time that it gives the statement to the Commissioner, rather than waiting.

While a statement provided to the Commissioner and individuals must include certain information outlined above (s 26WK(3)), where additional relevant information becomes available after submitting this statement, the entity may provide this to the OAIC. The OAIC will include instructions about how to provide any supplementary information upon receipt of the statement.


How to provide the statement to the Commissioner

The OAIC has an online form for entities to lodge all eligible data breach statements under section 26WK of the Privacy Act.

If you are unable to use the online form, please contact the OAIC enquiries line to make alternative arrangements.

Back to Contents

Footnotes

[1] See s 6(1) of the Privacy Act for categories of personal information that are covered by the definition of ‘sensitive information’.
