Notifying a breach
If a breach is assessed to potentially result in serious harm, you are obliged to advise affected individuals and the Australian Information Commissioner.
You have the option to:
- Notify all individuals whose personal information is involved in the eligible data breach;
- Notify only the individuals who are at likely risk of serious harm; or
- Publish your notification, and publicise it with the aim of bringing it to the attention of all individuals at likely risk of serious harm.
You advise the Australian Information Commissioner of a serious potential breach using the Notifiable Data Breach statement — Form.
And it’s not just Australia. Does your business have international connections?
Data breaches are common, and many countries have moved to ensure that the personal information of individuals is protected. If your business operates overseas or has customers overseas, you need to be aware of the requirements in those countries.
Most US states have compulsory data breach requirements. The European Union’s General Data Protection Regulation (GDPR) comes into effect from 25 May 2018. If you operate through a local distributor in the European Union or have direct supply into those countries, then it’s likely your business will be caught by the Regulation.