
Data Breach & Cyber Security 

The Australian Privacy Principles

The Privacy Act 1988 (Cth) has 13 Australian Privacy Principles (APPs) setting out entities’ obligations for the management of personal information. 

Compliance with the APPs as a whole will reduce the risk of a data breach occurring. This is because the APPs ensure that privacy risks are reduced or removed at each stage of personal information handling, including collection, storage, use, disclosure, and destruction of personal information.


What is a data breach?

A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure or is lost.

Personal information is information about an identified individual or an individual who is reasonably identifiable.  A data breach may be caused by malicious action, human error, or a failure in information handling or security systems.

Examples of data breaches:

  • loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information

  • unauthorised access to personal information by an employee

  • inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person

  • disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures


Examples of harm caused by data breaches:

  • financial fraud including unauthorised credit card transactions or credit fraud

  • identity theft causing financial loss or emotional and psychological harm

  • family violence

  • physical harm or intimidation

The Notifiable Data Breaches (NDB) scheme

The primary purpose of the NDB scheme is to ensure individuals are notified if their personal information is involved in a data breach that is likely to result in serious harm.

The scheme requires entities to notify individuals and the Commissioner about ‘eligible data breaches’.

An eligible data breach occurs when the following criteria are met:

  • There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).

  • This is likely to result in serious harm to any of the individuals to whom the information relates.

  • The entity has been unable to prevent the likely risk of serious harm with remedial action.

Other obligations

Entities may have other obligations outside of those contained in the Privacy Act that relate to personal information protection and responding to a data breach.

For data breaches affecting certain categories of information, other mandatory or voluntary reporting schemes may exist.  Entities might consider reporting certain breaches to:

  • the entity’s financial services provider

  • police or law enforcement bodies

  • the Australian Securities & Investments Commission (ASIC)

  • the Australian Prudential Regulation Authority (APRA)

  • the Australian Taxation Office (ATO)

  • the Australian Transaction Reports and Analysis Centre (AUSTRAC)

  • the Australian Cyber Security Centre (ACSC)

  • the Australian Digital Health Agency (ADHA)

  • the Department of Health

  • State or Territory Privacy and Information Commissioners

  • professional associations and regulatory bodies

  • insurance providers


Data breach response plan

A data breach response plan is a framework that sets out the roles and responsibilities involved in managing a data breach. Put simply, it sets out the steps an entity should take if a data breach occurs.

A data breach response plan has to be in writing to ensure it is clearly understood what needs to happen in the event of a data breach. Regularly reviewing and testing the response plan is a must to ensure the plan is up to date and that it is clear what actions are expected to follow.

Testing the response plan against a hypothetical data breach situation is a good and recommended exercise for an entity to make the plan more effective. A well-written and well-managed data breach response plan enables an entity to respond quickly to a data breach and, by responding quickly, to reduce the various harms that would otherwise be expected. This eventually reduces the costs to the entity of dealing with a breach.

