What is a notifiable data breach?
On this page
- When and how you must be told about a data breach
- What to do if you weren’t told about a data breach
- How to avoid scam notifications
Examples of serious harm include:
- identity theft, which can affect your finances and credit report
- financial loss through fraud
- a likely risk of physical harm, such as by an abusive ex-partner
- serious psychological harm
- serious harm to an individual’s reputation
An organisation or agency must also tell us about a serious data breach.
Generally, an organisation or agency has 30 days to assess whether a data breach is likely to result in serious harm.
When a data breach occurs, we expect an organisation or agency to try to reduce the chance that an individual experiences harm. If they’re successful, and the data breach is not likely to result in serious harm, the organisation or agency doesn’t need to tell the individual about the data breach.
How you’ll be told of a data breach
An organisation or agency may tell you about a data breach in an email, text message or phone call. The notification should include:
- the organisation or agency’s name and contact details
- the kinds of personal information involved in the breach
- a description of the data breach
- recommendations for the steps you can take in response
If an organisation or agency isn’t able to contact everyone they need to, they must put the data breach notification on their website. They must also promote this data breach notification, for example, through social media, news articles or advertisements.
If you think you’ve not been told about a data breach
If you think that a data breach may affect your personal information and you’ve not been told, contact the organisation or agency that experienced the breach and ask them for information about the data breach (including whether your personal information was affected).
If they don’t respond to your complaint, or you’re not satisfied with their response, you may complain to us.
How to spot a phishing scam
A phishing scam is an attempt by scammers to trick you into giving them your personal information, such as your bank account details or passwords.
Avoid clicking on links in emails, or sharing your personal information on the phone or by email, unless you’re certain the organisation or agency that has contacted you is genuine. Contact the organisation or agency instead through publicly available contact details (such as the phone book or their website).
For more information about protecting yourself against scams, visit Scamwatch