When and how to report a data breach

Let’s understand the Notifiable Data Breaches (NDB) scheme at its most basic level!

Under the NDB scheme, any organisation or agency covered by the Privacy Act (see Rights and responsibilities — OAIC) must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved.

A data breach occurs when personal information that an organisation or agency holds is lost or subjected to unauthorised access or disclosure. Personal information is any information about a person that can be used with malicious intent. This can be someone’s name, date of birth and home address, or even something as simple as someone’s photograph. A breach does not have to involve bank details to be classified as one. For more information on what is classified as personal information according to the Australian Government, go to: What is personal information? — OAIC

Data breach examples
  • A device with a customer’s personal information is lost or stolen.
  • A database with personal information is compromised.
  • Personal information is mistakenly given to the wrong person.

The notification to individuals must include recommendations about the steps they should take in response to the data breach. If an individual is made aware of a data breach, they should notify the OAIC using the online Notifiable Data Breach Form (business.gov.au). For more information, see Report a data breach — OAIC

Data breaches can occur in various circumstances, including:
  • There is unauthorised access to, or unauthorised disclosure of, personal information.
  • Personal information that an organisation or agency holds is lost.
  • The organisation or agency hasn’t been able to prevent the likely risk of serious harm or provide remedial action.

An organisation or agency that suspects an eligible data breach may have occurred must quickly assess the incident to determine if it is likely to result in serious harm to any individual.

A data breach that occurred before 22 February 2018 cannot qualify as an eligible data breach for the purposes of the NDB scheme. However, certain data breaches can span a long period of time. A system may have been compromised before 22 February 2018 while data was accessed after that date. The circumstances will need to be assessed, but we suggest that an organisation or agency in this situation should assume the data breach is subject to the NDB scheme.

Experiencing a data breach or cyber-attack costs a great deal of time and money and can bring a company close to a halt. Furthermore, reporting the incident is very time consuming (to see what is involved, refer to the Notifiable Data Breach Form (business.gov.au)).

The best proactive defence for your company, staff and clients is to ensure that you have established systems, protection and security procedures to help prevent a data breach or cyber-attack from occurring in the first place. If you would like to know how we can help you become better protected, please contact us and we will be happy to assist.

Levit8 Business IT Solutions
We Raise the Bar