Australian Privacy Act: Data Breach Notification Requirements

Eviant

Tags: Privacy Act, Data Breach, Compliance, Australian Businesses, OAIC, NDB Scheme

Disclaimer: This article provides general information about the Australian Privacy Act Notifiable Data Breaches scheme. It is not legal advice. Businesses should consult their legal counsel or privacy lawyers for formal reporting guidance specific to their circumstances.

Under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988, an entity that has reasonable grounds to believe an eligible data breach has occurred must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable. An eligible data breach is one where personal information has been accessed, disclosed or lost in circumstances where unauthorised access or disclosure is likely, and a reasonable person would conclude that the breach is likely to result in serious harm. Where an entity only suspects an eligible breach, it has 30 days to complete a reasonable and expeditious assessment. The scheme applies to entities covered by the Privacy Act: organisations with annual turnover above AU$3 million, Australian Government agencies, and smaller entities brought in regardless of turnover, such as private-sector health service providers, credit reporting bodies, and businesses that trade in personal information. Failing to comply with the scheme is an interference with privacy and, where serious or repeated, attracts civil penalties.

What Triggers Notification

You must notify only if the breach is likely to result in serious harm to any of the individuals whose information is involved: identity theft, financial loss, physical harm, psychological harm, or reputational damage. Two time limits matter. The 30-day assessment period starts when you have reasonable grounds to suspect that an eligible data breach may have occurred; you must complete the assessment within that window. The obligation to notify starts when you have reasonable grounds to believe an eligible data breach has occurred, and from that point notification must happen as soon as practicable, which may be well inside the 30 days.

Breaches typically requiring notification include ransomware exposing customer financial records, lost unencrypted devices with health data, or database misconfigurations exposing government identifiers. Notification is not required if there was no unauthorised access or disclosure (for example, the incident was contained before any data was accessed), if the data was protected by security measures such as strong encryption with keys the attacker did not obtain, so that serious harm is not likely, or if you take remedial action before any serious harm results and that action means serious harm is no longer likely (the remedial action exception in s 26WF). That information was already publicly available is not an exception in itself, but it weighs against a finding of serious harm. Each of these conclusions must be reached and recorded as part of the assessment.

What You Must Disclose

OAIC notifications (via their online form) must include your organization’s identity and contact details, a description of the breach, the kinds of personal information involved, and recommendations about steps individuals should take in response. Notify affected individuals in plain language covering what happened, what data was compromised, containment actions taken, and steps individuals should take (password resets, account monitoring).

The OAIC expects transparency—specify data categories (names, dates of birth, financial records) rather than vague statements like “some personal information may have been accessed.”

Enforcement and Penalties

Failure to notify when required is an interference with privacy under the Privacy Act. Where the interference is serious or repeated, the OAIC can seek civil penalties that the 2022 amendments raised to the greater of AU$50 million, three times the benefit obtained from the contravention, or 30% of the entity’s adjusted turnover for the relevant period. Enforcement targets large-scale breaches involving sensitive data, repeated violations indicating inadequate security, and failure to assess serious harm after confirmed breaches.

The OAIC distinguishes between breaches caused by sophisticated attacks (ransomware, zero-days) and negligence (unencrypted databases, default passwords, misconfigured storage), because APP 11 separately requires reasonable steps to protect personal information. Organizations that can show reasonable security measures were in place before the breach receive more lenient treatment than those demonstrating negligent practices.

Response Steps

Immediately assess whether serious harm is likely and document your reasoning. Notify legal counsel and executives within 24 hours. If you only suspect an eligible breach, you have 30 days to complete the assessment; once you have reasonable grounds to believe an eligible breach has occurred, notify the OAIC (via the form at oaic.gov.au) and affected individuals as soon as practicable. Treat 30 days as the outer limit for assessment, not as a notification deadline; earlier notification demonstrates good faith.

Use direct communication for individuals (email, postal mail, phone), either to all individuals whose information was involved or only to those at likely risk of serious harm. Publishing the statement on your website and publicising it is acceptable only if neither form of direct notification is practicable, for example because you cannot identify the individuals or obtain contact details. Maintain detailed records of discovery, assessment, containment, and notifications; the OAIC expects documentation demonstrating compliance.

Key Takeaways

  • Notification is required only if a breach is likely to result in serious harm; not all breaches are eligible data breaches under the Privacy Act.
  • The 30 days is an assessment window for a suspected breach; once you believe an eligible breach has occurred, notify as soon as practicable.
  • Serious harm assessment must be documented; the OAIC may request your reasoning if they investigate. When uncertain, notify.
  • Specify compromised data categories clearly; vague statements like “some personal information” don’t satisfy OAIC requirements.
  • Serious or repeated failures to notify attract civil penalties of up to the greater of AU$50 million, three times the benefit obtained, or 30% of adjusted turnover, with enforcement focused on breaches involving sensitive data, negligent security, or repeated violations.

Need help with data breach response planning or Privacy Act compliance? Contact Eviant for incident response planning and NDB scheme compliance reviews.
