
Legal framework for Australian Data Breach & Cyber Security  


The Australian Privacy Principles


The Privacy Act 1988 (Cth) contains 13 Australian Privacy Principles (APPs), which set out entities’ obligations for the management of personal information.

The Notifiable Data Breaches (NDB) scheme

The primary purpose of the NDB scheme is to ensure individuals are notified if their personal information is involved in a data breach that is likely to result in serious harm.

The scheme requires entities to notify individuals and the Commissioner about ‘eligible data breaches’.

An eligible data breach occurs when the following criteria are met:

  • There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).

  • This is likely to result in serious harm to any of the individuals to whom the information relates.

  • The entity has been unable to prevent the likely risk of serious harm with remedial action.


What is a data breach?

A data breach occurs when personal information that an entity holds is subject to unauthorized access or disclosure or is lost.

Personal information is information about an identified individual or a reasonably identifiable individual. A data breach may be caused by malicious action, human error, or a failure in information handling or security systems.

Data breach examples:

  • loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information

  • unauthorised access to personal information by an employee

  • inadvertent disclosure of personal information due to ‘human error’, for example, an email sent to the wrong person

  • disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.

Other obligations

Entities may have other obligations outside of those contained in the Privacy Act that relate to personal information protection and responding to a data breach.

For data breaches affecting certain categories of information, other mandatory or voluntary reporting schemes may exist. Entities might consider reporting certain breaches to:

  • the entity’s financial services provider

  • police or law enforcement bodies

  • the Australian Securities & Investments Commission (ASIC)

  • the Australian Prudential Regulation Authority (APRA)

  • the Australian Taxation Office (ATO)

  • the Australian Transaction Reports and Analysis Centre (AUSTRAC)

  • the Australian Cyber Security Centre (ACSC)

  • the Australian Digital Health Agency (ADHA)

  • the Department of Health

  • State or Territory Privacy and Information Commissioners

  • professional associations and regulatory bodies

  • insurance providers


  1. Australian Government - Australian Signals Directorate (ASD).

  2. Australian Cyber Security Centre.

  3. Office of the Australian Information Commissioner.

Australian Cyber Security Centre 

Data breach response plan


A data breach response plan is a framework that sets out the roles and responsibilities involved in managing a data breach. Put simply, it is the set of steps an entity should take if a data breach occurs.



A data breach response plan should be in writing so that everyone involved clearly understands what needs to happen in the event of a data breach. The plan must be reviewed and tested regularly to ensure it stays up to date and that the expected actions are clear.



Walking through a hypothetical data breach and testing the response plan against it is a recommended exercise that makes the plan more effective. A well-written and well-managed data breach response plan enables an entity to respond quickly to a data breach, reducing the various harms a breach can cause and, in turn, the costs of dealing with it.



A data breach occurs when sensitive or personal information is accessed, disclosed, or exposed to unauthorized individuals.

This can happen accidentally or as a result of a security breach. For instance:


  • Sending an email with personal information to the wrong recipient

  • Hacking into a computer system and stealing personal data

The consequences of a data breach can be far-reaching. Depending on the information involved, it may lead to:

  • Compromised online accounts, including banking accounts

  • Targeted scams using the stolen information

  • Identity theft

In Australia, the Notifiable Data Breaches (NDB) scheme requires organizations to inform individuals if their personal data has been part of a breach that puts them at risk of serious harm. This applies to Australian government agencies, businesses, credit reporting bodies, health service providers, and more.

When notifying individuals about a breach, organizations must also provide recommendations on how those individuals can protect themselves.

To minimize the impact of a data breach:

  1. Limit the personal information shared: Only provide necessary details to organizations.

  2. Choose organizations committed to cybersecurity: Be cautious of those with poor security reputations.

  3. Avoid password reuse: Unique passwords for different accounts prevent widespread damage if one is compromised.

  4. Use strong passwords or passphrases: Consider using a password manager for better management.

Data breach legal team 

Address: Wynyard / Martin Place

Level 10, 20 Martin Place Sydney NSW 2000

T: 1300 140 291 / 1300 577 502 /

The Australian Cyber Security Centre recommends the following cybersecurity best practices to enhance online safety and protect sensitive information:

  1. Use Strong, Unique Passwords:

  2. Enable Two-Factor Authentication (2FA):

    • Whenever possible, activate 2FA for your online accounts.

    • 2FA adds an extra layer of security by requiring a second form of verification (such as a text message or authentication app) in addition to your password.

  3. Keep Software Updated:

    • Regularly update your operating system, applications, and antivirus software.

    • Software updates often include security patches that address known vulnerabilities.

  4. Be Cautious with Email and Links:

    • Think before clicking on links or downloading attachments from unknown or suspicious sources.

    • Be wary of phishing emails that impersonate legitimate organizations to steal your information.

  5. Secure Your Devices:

    • Install and update antivirus software on all your electronic devices.

    • Use firewalls to protect against unauthorized access.

    • Regularly back up your data to prevent loss in case of a security incident.

  6. Educate Yourself and Others:

    • Stay informed about the latest cybersecurity threats and trends.

    • Educate family members, colleagues, and friends about safe online practices.
