Mandatory Data Breach Notifications Are Coming: Here's Everything You Need To Know


This Thursday (22 February 2018) is the day! Yes, it is World Thinking Day (which you should still definitely do), but it's also the day that Australian Government agencies and other organisations with obligations to secure personal information under the Privacy Act 1988 have to let you know if there's been a data breach that is likely to result in serious harm.

That's right, they didn't have to before. Now if they don't, they could be fined up to $2.1 million.

Here's everything you need to know.

The Office of the Australian Information Commissioner has released a bunch of new resources for the Australian public ahead of the commencement of the Notifiable Data Breaches scheme, one of which is called Receiving data breach notifications. It tells you what to expect when you receive a data breach notification - including how organisations might deliver notifications and when a privacy complaint can be made to the OAIC.

Here are the basics:

What is a data breach?

A data breach happens when personal information (such as a person's name, contact details, medical records, or banking details) is:

  • accessed or released without proper authorisation, or
  • lost and likely to be accessed or released without authorisation.

Examples of a data breach include when:

  • A USB or mobile phone that holds customers’ personal information is stolen
  • A database containing personal information is hacked
  • Someone’s personal information is sent to the wrong person.

When you might receive a data breach notification

Australian Government agencies and organisations with obligations under the Privacy Act must comply with the ‘Notifiable Data Breaches scheme’ (NDB scheme).

Under the NDB scheme, agencies and organisations must promptly notify you if a data breach is likely to result in ‘serious harm’. This could be serious financial harm, or harm to your mental or physical well-being.

Examples of serious harm include:

  • A likely risk of physical harm, such as by an abusive ex-partner
  • Financial loss through fraud
  • Identity theft, which can affect an individual’s finances and credit report
  • Serious psychological harm
  • Serious reputational harm

Agencies and organisations might notify you directly (such as by an email) or indirectly by promoting a notification on their website (read more in the How you will be notified section).

Agencies and organisations must also notify the Office of the Australian Information Commissioner (OAIC) about data breaches that are likely to result in serious harm to any individual.

Generally, agencies and organisations have a maximum of 30 days to assess whether a data breach is likely to result in serious harm.

We expect agencies and organisations to take action to reduce the chance that individuals experience harm if a data breach occurs. If this action is successful, and the data breach is no longer likely to result in serious harm, notification is generally not required under the NDB scheme.

Is this a real data breach notification, or a phishing scam?

A phishing scam is an attempt by scammers to trick you into giving them your personal information, such as your bank account details or passwords.

Avoid clicking on links in emails, or sharing your personal information on the phone or by email, unless you are certain that the agency or organisation that has contacted you is genuine. Instead, contact the agency or organisation through publicly available contact details (such as the phone book or their website).

Data breach examples

Example 1:

An online retail business suspects that they may have experienced a data breach when they receive a few complaints from customers about scam emails that try to get the customer to provide their credit card details.

The business conducts an assessment and finds out that their customer mailing list was stolen. The mailing list has each customer’s name, email address, and home address.

The business finds that the data breach is likely to result in a customer becoming the victim of a scam or experiencing identity theft. The business sends an email notification to each customer affected by the breach, which provides tips on spotting a scam email and advice on what customers should do if they think they are at risk of identity theft.

Example 2:

A staff member loses a USB containing clients’ personal information on their way home from work. The USB had clients’ names, tax file numbers, and financial information.

The staff member reports the loss to their manager. The organisation believes it is likely that the information on the USB would be used for identity theft. The organisation notifies each of their clients with an email about the data breach and includes recommended steps to lower the risk of identity theft.

How you will be notified

Direct notification:

An agency or organisation may notify you directly in a few different ways. For example, they might:

  • Send you an SMS and direct you to their website
  • Contact you by email
  • Call you

We recommend that agencies and organisations contact you the way they usually do. For example, if they usually contact you by phone, this may be the best method to notify you about a data breach.

Website notification:

If an agency or organisation is not able to contact everyone they must notify about a data breach, they are required to put a notification on their website and to promote this notification. This may mean an agency or organisation will use social media channels, news articles, or advertisements to bring attention to a data breach notification.

What information should be in a notification?

If a data breach is likely to result in serious harm, an agency or organisation must send you a notification that tells you:

  • the agency/organisation name and contact details
  • the kinds of personal information involved in the breach
  • a description of the data breach
  • recommendations for what steps you can take in response

What if you’re not notified?

If you think that a data breach may affect your personal information and you have not been notified, you can contact the agency or organisation and ask them for information about the data breach (including whether your personal information was affected).

You can make a complaint to our office if an agency or organisation is required to comply with the NDB scheme (see our guide on Entities covered by the NDB scheme) and did not promptly notify you about a data breach that:

  • involved your personal information, and
  • was likely to result in serious harm

You can also complain to our office if you believe that a data breach raises other privacy issues, such as a failure to reasonably protect personal information.

Before making a complaint to the OAIC you must first make a complaint to the agency or organisation.

What to do when you are notified about a data breach

Data breach notifications give you an opportunity to take steps that may reduce the chance of experiencing harm.

There's also What to do after a data breach notification, which goes into specifics about, well, what you can do after a data breach notification.

Here's the information provided:

Take action to reduce your risk of harm

By acting quickly after you’ve been notified of a data breach, you can reduce your chance of experiencing harm.

Listed below are some steps you could take, depending on the type of personal information involved in the data breach.

Keep a record of any action you take or any assistance you seek. This may become useful if you experience harm as a result of the data breach.

Financial information e.g. credit card details, online banking login

  • If you have questions about a data breach that aren’t answered by a data breach notification, contact your bank or financial institution. Only contact your financial institution using contact details found on their website or in the phonebook.
  • Change your online banking account passwords. Make sure you have strong passwords that you have not used for other accounts.
  • When updating your internet banking passwords, go to the financial institution’s website directly by typing their web address into your web browser. Remember that banks generally will not email you asking you to click a link to update your password.
  • Consider enabling multi-factor authentication for your accounts if it is available. Multi-factor authentication requires you to confirm your identity with two or more pieces of evidence (such as a password and a security code sent to your mobile phone), which makes it more difficult for someone to gain access to your online accounts.
  • Change your banking PIN. Monitor your bank account transactions online and your bank account statements. If you spot any purchases you didn’t make, report them to your bank immediately.

Contact information e.g. home address, email, phone number

  • Know how to spot a scam. Scamwatch provides helpful information about protecting yourself from scams. You can subscribe to their Scamwatch Radar newsletter for email alerts on the latest scams. Be aware that if your name and contact details were involved in a data breach, a scam email might be personalised and address you by name.
  • Change your email account passwords. Make sure you have strong passwords that you haven’t used for other accounts.
  • If you emailed yourself online account passwords, such as your online banking password, change these as well.
  • Enable multi-factor authentication for your email accounts where possible.
  • Ensure you have up-to-date anti-virus software installed on any device you use to access your emails.
  • Do not open attachments or click on links in emails or social media messages from strangers, or if you’re unsure that the sender is genuine.
  • Do not share your personal information until you are certain about who you are sharing it with. If someone calls you and claims to be from an agency or organisation, you can hang up and call the agency or organisation back using publicly available contact details (e.g. from their website or a phone book) to be sure you are really talking to a staff member from that agency or organisation.
  • If your physical safety is at risk, contact the police. If your mental health and safety is at risk, contact your doctor, your local crisis team, or one of the organisations listed below under ‘Support services’.

Health information

  • If you have questions that aren’t answered by a data breach notification, get in contact with the health service provider about the data breach.
  • Contact your doctor, local crisis team, one of the support services listed below, or your family or friends if you experience distress.

Sensitive information about sexuality, race, political views, etc.

  • Contact the agency or organisation that experienced the data breach if you have questions that aren’t answered by a data breach notification.
  • Contact your doctor, local crisis team, one of the support services listed below, or your family or friends if you experience distress.
  • If your physical safety is at risk, contact the police.
  • The Office of the eSafety Commissioner has resources that provide advice on a range of online safety issues, which may help you if you experience online harassment, racism, or abuse.

Tax file number information

  • If your tax file number or other tax-related information is involved in a data breach, contact the Australian Taxation Office (ATO). The ATO can apply security measures that will monitor any unusual or suspicious activity with your TFN. If you suspect the misuse of your TFN, you can phone the ATO’s Client Identity Support Centre on 1800 467 033 between 8.00am and 6.00pm, Monday to Friday.
  • Find out more about protecting yourself from identity fraud below.

Government identity document information e.g. driver’s licence, Medicare card, passport

  • Contact the agency that issued the identity document for advice.
  • Find out more about protecting yourself from identity fraud below.

Protecting yourself from identity fraud

Identity fraud (also known as ‘identity theft’) involves someone using another person’s personal information without consent, often to obtain a benefit. For example, identity fraud can result in someone using another person’s identity to open bank accounts, obtain a credit card, apply for a passport, or conduct illegal activity.

If you suspect you could be a victim of identity fraud:

  • Report the matter to your local police. Ask for a police report or reference number so you have evidence that you reported the issue.
  • Inform the agency or organisation that issued your identity document.
  • Contact your bank or financial institution and tell them what happened.
  • Change your account passwords and close any unauthorised accounts.
  • You can contact IDCARE. IDCARE is Australia’s national identity and cyber support service. They can connect you with a specialist identity and cyber security counsellor for expert advice.
  • You can get a copy of your credit report to check it is accurate (you are entitled to a free credit report every year). This report will also show you which organisations have recently checked your credit history, so you can tell them not to authorise a new account in your name.
  • Consider contacting credit reporting bodies to place a ban period on your credit report (see our Privacy fact sheet 37: Fraud and your credit report). This means they will not be able to share your credit report with credit providers without your consent for 21 days (unless extended).
  • The credit reporting bodies in Australia are Equifax (Phone: 138 332), illion (Phone: 13 23 33), Experian (Phone: (03) 8622 1600 or email: [email protected]), Compuscan Australia (Phone: 02 8404 4217), Tasmanian Collection Service (email [email protected]).

  • Apply for a Commonwealth victims’ certificate. This certificate helps support your claim that you have been the victim of a Commonwealth identity crime. You can present the certificate to government agencies or businesses to re-establish your credentials or remove fraudulent transactions from their records.
  • You can contact the Australian Cybercrime Online Reporting Network (ACORN) to securely report instances of cybercrime. You will receive a reference number for the report. ACORN is a national policing initiative of the Commonwealth, State, and Territory governments.

Making a privacy complaint

If you think that a data breach may affect your personal information and you have not been notified, you can contact the agency or organisation and ask them for information about the data breach (including whether your personal information was affected).

You can make a complaint to our office if you believe an agency or organisation that is required to comply with the NDB scheme did not promptly notify you about a data breach that:

  • involved your personal information, and
  • was likely to result in serious harm

Before making a complaint to the OAIC you must first complain to the agency or organisation, and give it a reasonable opportunity to respond.

Here are some other places that can assist:

IDCARE is Australia and New Zealand’s national identity and cyber support service. They can connect you with a specialist identity and cyber security counsellor. Call 1300 IDCARE (432273)

Securely report instances of cybercrime at Australian Cybercrime Online Reporting Network (ACORN).

Scamwatch has information about how to recognise, avoid, and report scams.

Stay Smart Online has advice on protecting yourself online and information on the latest online threats and how to respond. For example, Stay Smart Online has guidance on creating strong passwords, two-factor authentication and anti-virus software.

MoneySmart has information about financial and investments scams, including those involving financial products, superannuation, managed funds, financial advice and insurance.

Office of the eSafety Commissioner has guidance on staying safe online, including how to respond to cyberbullying and cyber abuse.

beyondblue offers support on 1300 224 636. You can also chat online every day from 3pm – 12am (AEST), or send an email at any time.

Lifeline provides crisis support on 13 11 14. Lifeline’s online chat service is also available every night.

Kids Helpline provides support to young people any time and for any reason on 1800 55 1800. You can also chat to a web counsellor from 12pm-10pm (AEST) on weekdays and 10am-10pm (AEST) on weekends, or email a Kids Helpline counsellor at any time.

The OAIC has worked with consumer groups, not-for-profits, and Australian Government agencies in the development of these resources.

"The Notifiable Data Breaches scheme formalises a long-standing community expectation to be told when a data breach that is likely to cause serious harm occurs," The Australian Information Commissioner, Timothy Pilgrim, said. "The practical benefit of the scheme is that it gives individuals the chance to reduce their risk of harm, such as by re-securing compromised online accounts."

Pilgrim says the scheme also has a broader beneficial impact — "it reinforces organisations’ accountability for personal information protection and encourages a higher standard of personal information security across the public and private sectors."

"By reinforcing accountability for personal information protection, the NDB scheme supports greater consumer and community trust in data management. This trust is key to realising the potential of data to benefit the community, for example, by informing better policy-making and the development of products and services."

The 2017 Australian Community Attitudes to Privacy Survey found that 94 per cent of Australians believe they should be told if a business loses their personal information. Ninety-five per cent said they should be told if a government agency loses their personal information.
