Part 1: Data breaches and the Australian Privacy Act
- A data breach is an unauthorised access or disclosure of personal information, or loss of personal information.
- Data breaches can have serious consequences, so it is important that entities have robust systems and procedures in place to identify and respond effectively.
- Entities that are regulated by the Privacy Act should be familiar with the requirements of the NDB scheme, which are an extension of their information governance and security obligations.
- A data breach incident may also trigger reporting obligations outside of the Privacy Act.
What is a data breach?
A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost.
Personal information is information about an identified individual, or an individual who is reasonably identifiable. Entities should be aware that information that is not about an individual on its own can become personal information when it is combined with other information, if this combination results in an individual becoming ‘reasonably identifiable’ as a result.
A data breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems.
Examples of data breaches include:
- loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
- unauthorised access to personal information by an employee
- inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person
- disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.
Consequences of a data breach
Data breaches can cause significant harm in multiple ways.
Individuals whose personal information is involved in a data breach may be at risk of serious harm, whether that is harm to their physical or mental well-being, financial loss, or damage to their reputation.
Examples of harm include:
- financial fraud including unauthorised credit card transactions or credit fraud
- identity theft causing financial loss or emotional and psychological harm
- family violence
- physical harm or intimidation.
A data breach can also negatively impact an entity’s reputation for privacy protection, and as a result undercut an entity’s commercial interests. As shown in the OAIC’s long-running national community attitudes to privacy survey, privacy protection contributes to an individual’s trust in an entity.  If an entity is perceived to be handling personal information contrary to community expectations, individuals may seek out alternative products and services.
An entity can reduce the reputational impact of a data breach by effectively minimising the risk of harm to affected individuals, and by demonstrating accountability in their data breach response. This involves being transparent when a data breach, which is likely to cause serious harm to affected individuals, occurs. Transparency enables individuals to take steps to reduce their risk of harm. It also demonstrates that an entity takes their responsibility to protect personal information seriously, which is integral to building and maintaining trust in an entity’s personal information handling capability.
The Australian Privacy Principles
The Privacy Act contains 13 Australian Privacy Principles (APPs) that set out entities’ obligations for the management of personal information. The APPs are principles-based and technologically neutral; they outline principles for how personal information is handled and these principles may be applied across different technologies and uses of personal information over time.
Compliance with the APPs as a whole will reduce the risk of a data breach occurring. This is because the APPs ensure that privacy risks are reduced or removed at each stage of personal information handling, including collection, storage, use, disclosure, and destruction of personal information. For example, APP 3 restricts the collection of personal information. APPs 4.3 and 11.2 outline requirements to destroy or de-identify information if it is unsolicited or no longer needed by the entity. Compliance with these requirements reduces the amount of data that may be exposed as a result of a breach.
Compliance with the requirement to secure personal information in APP 11 is key to minimising the risk of a data breach. APP 11 requires entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. The type of steps that are reasonable to protect information will depend on the circumstances of the entity and the risks associated with personal information handled by the entity.
In addition, APP 1 requires entities to take reasonable steps to establish and maintain practices, procedures, and systems to ensure compliance with the APPs.
The Notifiable Data Breaches (NDB) scheme
The NDB scheme in Part IIIC of the Privacy Act requires entities to notify affected individuals and the Commissioner of certain data breaches.
The NDB scheme requires entities to notify individuals and the Commissioner about ‘eligible data breaches’. An eligible data breach occurs when the following criteria are met:
- There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
- This is likely to result in serious harm to any of the individuals to whom the information relates.
- The entity has been unable to prevent the likely risk of serious harm with remedial action.
Entities must also conduct an assessment if it is not clear if a suspected data breach meets these criteria. The assessment will determine whether the breach is an ‘eligible data breach’ that triggers notification obligations.
The primary purpose of the NDB scheme is to ensure individuals are notified if their personal information is involved in a data breach that is likely to result in serious harm. This has a practical function: once notified about a data breach, individuals can take steps to reduce their risk of harm. For example, an individual can change passwords to compromised online accounts, and be alert to identity fraud or scams.
The NDB scheme also serves the broader purpose of enhancing entities’ accountability for privacy protection. By demonstrating that entities are accountable for privacy, and that breaches of privacy are taken seriously, the NDB scheme works to build trust in personal information handling across industries.
Part 4 of this guide provides detailed information to assist entities to meet their obligations under Part IIIC of the Privacy Act when responding to an eligible data breach or a suspected eligible data breach.
Entities may have other obligations outside of those contained in the Privacy Act that relate to personal information protection and responding to a data breach. These may include other data protection obligations under state-based or international data protection laws. Australian businesses may need to comply with the European Union’s (EU’s) General Data Protection Regulation (GDPR)if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
For data breaches affecting certain categories of information, other mandatory or voluntary reporting schemes may exist. For example, entities might consider reporting certain breaches to:
- the entity’s financial services provider
- police or law enforcement bodies
- the Australian Securities & Investments Commission (ASIC)
- the Australian Prudential Regulation Authority (APRA)
- the Australian Taxation Office (ATO)
- the Australian Transaction Reports and Analysis Centre (AUSTRAC)
- the Australian Cyber Security Centre (ACSC)
- the Australian Digital Health Agency (ADHA)
- the Department of Health
- State or Territory Privacy and Information Commissioners
- professional associations and regulatory bodies
- insurance providers.
Other resources are listed in Part 5 of this guide.
Some entities may have additional obligations to report to the Commissioner under the National Cancer Screening Register Act 2016 (NCSR Act) or have different reporting obligations under the My Health Records Act 2012 (My Health Records Act) or the Consumer Data Right (CDR) system.
Under the NCSR Act, current and former contracted service providers of the National Cancer Screening Register must notify the Secretary of the Department of Health (the Secretary) and the Commissioner if they become aware of unauthorised recording, use or disclosure of personal information included in the Register. The Secretary must also notify the Commissioner of certain data breaches, including potential breaches, in connection with the National Cancer Screening Register. The Secretary must also consult the Information Commissioner about notifying individuals who may be affected. Separately, entities with NCSR Act obligations must consider whether the incident also requires notification under the NDB scheme, as the two schemes operate concurrently. Where the test for both schemes have been met, the entity may make a joint notification to the Commissioner.
Certain participants in the My Health Record system (such as the System Operator, a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider), are required to report data breaches that occur in relation to the My Health Record system to the either the System Operator or the Commissioner, or both, depending on the entity reporting the data breach (s 75 of the My Health Records Act). More information about obligations under the My Health Records Act and how these obligations interact with the NDB scheme is available in Part 4.
Under the CDR system, accredited data recipients must create and maintain plans to respond to information security incidents that could plausibly occur (CDR data security response plans). These plans must include procedures for:
- managing all relevant stages of an incident, from detection to post-incident review
- notifying eligible CDR data breaches to the OAIC and affected CDR consumers as required under the NDB scheme
- notifying information security incidents to the ACSC as soon as practicable, and in any case no later than 30 days after the accredited data recipient becomes aware of the security incident.
 Sections 20Q and 21S of the Privacy Act impose equivalent obligations on credit reporting agencies and all credit providers. Similarly, the Privacy (Tax File Number) Rule 2015 made under s 17 of the Privacy Act requires TFN recipients to take reasonable steps to protect TFN information from misuse and loss, and from unauthorised access, use, modification or disclosure.
 A similar requirement applies to credit reporting bodies in s 20B(2), to take reasonable steps to implement practices, procedures and systems to ensure compliance with the credit reporting obligations in Part IIIA of the Privacy Act and the Privacy (Credit Reporting) Code 2014 (Version 2).
 See Privacy Management Framework, Privacy Management Plan Template (for Organisations), Interactive Privacy Management Plan (for Agencies), and Chapter 1 of the APP Guidelines on the OAIC website.
 The OAIC’s Australian Entities and the EU General Data Protection Regulation may assist Australian businesses to understand and comply with the GDPR’s requirements. Further guidance is also available from the Article 29 Working Group.
 See Part IVD of the Competition and Consumer Act 2010 and the Competition and Consumer (Consumer Data Right) Rules 2020.
 Clause 1.7 of Schedule 2 to the Competition and Consumer (Consumer Data Right) Rules 2020.