How to report a data breach

Soon, whenever unauthorised access to, or disclosure of, personal information that your business holds occurs, the breach will need to be reported. That’s right, the Privacy Act has changed and, effective from 22 February 2018, your responsibilities will change too.

How do you report a breach when it occurs? And who do you report it to?   

The legislation requires any data breach to be reported to the Australian Information Commissioner and to affected individuals as soon as practicable. The affected individuals could be customers and/or staff.

Eligible breaches include instances of unauthorised access or disclosure of information, loss or theft of a device containing personal information and the hacking of a database.

Depending upon the severity of the breach and the potential for harm, it may be necessary to prepare and submit a formal report.

The Australian Government has prepared a draft notification template, which it made available publicly for consultation in September 2017. The template is available here.

The report requires the following to be disclosed:

  • details of the organisation, including the entity’s name and contact details
  • a description of the breach
  • the kinds of information that have been involved in the breach
  • the recommended steps that individuals should take to protect themselves.

When it comes to describing the breach, enough detail should be included to allow individuals to understand the potential impact of the breach. The description might include:

  • the date the breach occurred
  • the date the organisation became aware of the breach
  • the circumstances as they relate to the breach, including any known causes
  • who is responsible for the breach, if known, and who is likely to have access to the information.

The advice you give individuals about protecting themselves will largely depend upon the kind of information that was involved in the breach. For example, if the breach involved bank account information, you might recommend the person contact their financial institution.

With the right cyber security strategy in place, you can minimise the risk of a breach occurring. If you don’t have a strategy, now is the time to establish one. If you do, now is the time to review its currency and relevance to your business and the way it operates today.

If you need any assistance with your cyber security or you don't know where to start, please call us on 1300 4 787 389 or email us at

About the Author

Geoff Stewart is a highly experienced and skilled Technology Director at Surety IT. His knowledge is based on years of industry experience, having created customised, stable, well-performing systems both for multi-national companies in the UK and Australia and for Surety IT customers.

Surety IT can help you create the right system to enhance your business, ensuring you know how it is right for you and how to use it. We will tailor a solution to suit your needs with leading systems, local support and more, building your vision for a more flexible and capable business.

Call us today on 1300 4 787 389 or email to discuss your requirements.