When to report a data breach

Last updated: 21 July 2019

Under the Notifiable Data Breach (NDB) scheme, an organisation or agency must notify affected individuals and the OAIC about an eligible data breach.

An eligible data breach occurs when:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
  • this is likely to result in serious harm to one or more individuals, and
  • the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action

An organisation or agency that suspects an eligible data breach may have occurred must quickly assess the incident to determine if it is likely to result in serious harm to any individual.

A data breach that occurred before 22 February 2018 is not an eligible data breach for the purposes of the NDB scheme. However, certain data breaches occur over a period of time. While a system may have been compromised before 22 February 2018, data may have been accessed after that date. While the circumstances will need to be assessed, we suggest that an organisation or agency in this situation should assume the data breach is subject to the NDB scheme.

For how to notify individuals or us about a data breach, see Report a Data Breach.
