Your guide to notifying an eligible data breach

How to notify the OAIC

As soon as practicable after an organisation has reasonable grounds to believe that an eligible data breach has occurred, it must prepare and lodge a data breach statement with the Office of the Australian Information Commissioner (OAIC).

The OAIC has prepared an online form for entities to lodge eligible data breach statements. Although the draft form is no longer available online, the OAIC has said that the final form will be live from 22 February.

The data breach statement

Your data breach statement must include:

• the identity and contact details of your organisation or business;
• a description of the data breach;
• the kind or kinds of information involved in the breach; and
• recommendations on steps that individuals whose information was involved in the data breach should take.¹

Part 1 of the OAIC's online form will request this mandatory information.

Where possible, the data breach statement may also include the following supplementary information:

• the contact details for the person at your organisation who can answer questions and provide further information;
• a general account of the response to the breach;
• the assistance your organisation is offering to those affected;
• details of any third parties that have been notified of the breach and why;
• how a complaint can be lodged with your organisation and the internal dispute resolution process; and
• how a complaint can be lodged with the regulator, including the OAIC.

Part 2 of the OAIC's online form will seek this type of further supporting information.

Any supporting information may be provided to the OAIC on a confidential basis and, at this stage, the OAIC has said that it will not be maintaining a register of notifications.

Providing supplementary information on a voluntary basis will potentially influence any decision by the OAIC to make further intrusive inquiries into the incident. Generally speaking, unless there are good reasons not to do so, we would recommend providing as much of this information as possible.

If the data breach involves more than one entity, you may also include the identity and contact details of the other entities involved in your statement.² Consider whether these details will be helpful to affected individuals or whether it would be more appropriate to describe the nature of your relationship with the other entity in the description of the data breach. See the OAIC's guidance on What to include in an eligible data breach statement in Part 4 of the OAIC's Data breach preparation and response guide and our article Double trouble: how to handle a data breach involving more than one organisation for more information.

How to notify individuals

As soon as practicable after your data breach statement is prepared, you must notify individuals of its contents. You may tailor the form of your notification to suit your customer base but must ensure that your notification addresses the four mandatory matters set out above.

You may notify affected individuals using any method, provided that it is reasonable and, if you normally communicate with a particular individual using a particular method, then the NDB Scheme expressly allows you to notify using that method.³

The OAIC suggests that entities should consider whether their method of notification will cause affected individuals to become aware of and understand the data breach incident. Some issues to consider include:

• the demographic of affected individuals (for example, email notification may not be appropriate for an elderly class of affected individuals who are largely digitally illiterate); and
• whether your regular means of communication with your customer base will be appropriate in the circumstances (for example, if you regularly communicate with customers via mass marketing emails, this may not necessarily be appropriate in the circumstances to ensure individuals are properly notified of the incident).

In some situations, it may be appropriate to use multiple methods of communication to ensure affected individuals are adequately notified.

Who to notify

There are three options for entities when it comes to notifying individuals whose information has been involved in a data breach:

1. Notify only those individuals who are at risk of serious harm. If you can identify with certainty those individuals who are likely to experience serious harm as a result of a data breach, you only need to notify those individuals.⁴
2. Notify all individuals affected by the breach. If you have determined that serious harm is likely to result from a data breach, but cannot reasonably assess which particular individuals are at risk, you should notify each individual whose personal information was involved.⁵
3. Publish and publicise the details of your breach. Where neither of the first two options are practicable, you must publish a copy of the data breach statement on your website and take further reasonable steps to publicise its contents.⁶
   • What reasonable steps are will depend on the circumstances but the OAIC has indicated that they should be proactive steps to increase the likelihood of individuals at risk of serious harm being made aware of the data breach incident. For example, ensuring that the statement is in a prominent location on your website, linking to it through your organisation's social media accounts or taking out advertisements that will likely reach the individuals affected by your breach.
   • While the legislation does not stipulate how long the statement should remain on your website, the OAIC expects it to be available for at least six months.⁷

When to notify

Although notification to both the OAIC and individuals must occur 'as soon as practicable' after a particular event, interestingly, the relevant event differs:

• for the OAIC, notification must occur as soon as practicable after the organisation is aware of the eligible data breach itself; and
• for affected individuals, notification must occur as soon as practicable after the preparation of a data breach statement.

On one view, this suggests that you should notify the OAIC before you notify individuals. However, the OAIC's guidance suggests that it does not matter if an entity begins to notify affected individuals of a data breach before providing a statement to the OAIC.

The slight difference between these timing requirements also gives you some flexibility to tailor the contents of your data breach statement for individuals after it has been prepared for the OAIC so that it is in a more digestible form.