11.10.2017

‘After a data breach’: OAIC helps prepare for new obligations


A slew of high profile government and commercial cyber breaches have raised general public awareness — but it’s up to organisations to let customers know when it affects them personally.

From 22 February 2018, any organisation covered by the Privacy Act — including government agencies — must comply with the new Notifiable Data Breaches (NDB) scheme.

It’s not just major database hacks that fall within the new rules. Other examples include a device containing customers’ personal information being lost or stolen, or personal information being mistakenly sent to the wrong person. What makes a breach notifiable is not how it happened but whether it is likely to result in serious harm to the individuals whose information is involved.

The Office of the Australian Information Commissioner is building a set of resources for organisations preparing for the new scheme, and it’s seeking comment on its work so far. New material includes:

  • assessing a suspected data breach
  • what to include in an eligible data breach statement
  • exceptions to notification obligations
  • a draft online form to assist organisations in preparing a statement about an eligible data breach to the Australian Information Commissioner
  • a new chapter to the OAIC’s Guide to privacy regulatory action on data breach incidents.

The OAIC is asking for feedback via consultation@oaic.gov.au before 23 October 2017.