What is a notifiable data breach?

Last updated: 14 August 2019


Under the Notifiable Data Breaches scheme, an organisation or agency that must comply with Australian privacy law has to tell you if a data breach is likely to cause you serious harm.

Examples of serious harm include:

  • identity theft, which can affect your finances and credit report
  • financial loss through fraud
  • a likely risk of physical harm, such as by an abusive ex-partner
  • serious psychological harm
  • serious harm to an individual’s reputation

An organisation or agency must also tell us about a serious data breach.

Generally, an organisation or agency has 30 days to assess whether a data breach is likely to result in serious harm.

When a data breach occurs, we expect an organisation or agency to try to reduce the chance that an individual experiences harm. If they’re successful, and the data breach is not likely to result in serious harm, the organisation or agency doesn’t need to tell the individual about the data breach.

How you’ll be told of a data breach

An organisation or agency may tell you about a data breach in an email, text message or phone call. The notification should include:

  • the organisation or agency’s name and contact details
  • the kinds of personal information involved in the breach
  • a description of the data breach
  • recommendations for the steps you can take in response

If an organisation or agency isn’t able to contact everyone they need to, they must put the data breach notification on their website. They must also promote this data breach notification, for example, through social media, news articles or advertisements.

Find out what to do when you get a data breach notification.

If you think you’ve not been told about a data breach

If you think that a data breach may affect your personal information and you’ve not been told, contact the organisation or agency that experienced the breach and ask them for information about the data breach (including whether your personal information was affected).

If they don’t respond to your complaint, or you’re not satisfied with their response, you may complain to us.

How to spot a phishing scam

A phishing scam is an attempt by scammers to trick you into giving them your personal information, such as your bank account details or passwords.

Avoid clicking on links in emails, or sharing your personal information on the phone or by email, unless you’re certain the organisation or agency that has contacted you is genuine. Contact the organisation or agency instead through publicly available contact details (such as the phone book or their website).

For more information about protecting yourself against scams, visit Scamwatch.
