How do I report a data breach that I think has affected me?
Okay, let's break down how to report a data breach, based on the legislation provided.
In Plain English
If you believe your personal information has been involved in a data breach, the process for reporting it depends on the type of entity involved and the nature of the data.
- If it involves your Medicare or Centrelink information due to a breach at a third-party organization (like Albany Clinic, Sumo, or PartridgeGP): Services Australia is running data matching programs to identify affected customers and apply proactive security measures to their records. You can find information about these programs and Services Australia's privacy policy on their website.
- If it involves your credit reporting information: You can make a complaint to the credit reporting body or credit provider involved.
- If it involves a data scheme entity (an entity sharing data under the Data Availability and Transparency Act 2022): The duty to notify the Commissioner sits with the data scheme entity itself, not with you. Your practical route is to contact the entity and, where your personal information is involved, the OAIC.
- If it involves COVID app data: Any breach of the COVID app data requirements is automatically taken to be an eligible data breach, and the data store administrator or health authority holding the data is responsible for taking action.
- For other types of data breaches: It depends on whether the entity involved is subject to the Privacy Act 1988. If so, it must assess a suspected breach and, if it is an "eligible data breach" that is likely to result in serious harm, notify both you and the Commissioner.
Detailed Explanation
The legislative context provides information on various aspects of data breaches and notification obligations, but it doesn't offer a single, universal "how to report" guide for individuals. Here's a breakdown based on the provided Acts:
- Data Matching Programs (Services Australia):
  - Services Australia has initiated data matching programs with organizations like Albany Clinic, Sumo, and PartridgeGP following their respective data breaches (Notice of a Data Matching Program – Services Australia and Albany Clinic Customers Affected by February 2023 Data Breach; Notice of a Data Matching Program – Services Australia and Sumo Customers affected by February 2024 Data Breach; Notice of a Data Matching Program – Services Australia and PartridgeGP Customers Affected by September 2023 Data Breach).
  - These programs involve Services Australia comparing data provided by these organizations with Medicare and Centrelink records to identify affected customers and apply proactive security measures.
  - If you believe you were affected by one of these specific breaches, you can find more information about the data matching programs and Services Australia's privacy practices on their website.
- Eligible Data Breaches under the Privacy Act:
  - The Privacy Amendment (Notifiable Data Breaches) Act 2017 amended the Privacy Act 1988 to introduce mandatory notification of "eligible data breaches" (the Notifiable Data Breaches scheme).
  - An "eligible data breach" occurs when there is unauthorized access to, or unauthorized disclosure of, personal information held by an entity (or the information is lost in circumstances where such access or disclosure is likely to occur), and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates (section 26WE of the Privacy Act 1988).
  - If an entity (an APP entity, credit reporting body, credit provider, or file number recipient) becomes aware that there are reasonable grounds to believe an eligible data breach has occurred, it must, as soon as practicable, prepare a statement setting out its identity and contact details, a description of the breach, the kinds of information concerned, and the steps it recommends affected individuals take, and give a copy to the Commissioner (section 26WK of the Privacy Act 1988).
  - The entity must also notify the individuals at risk from the eligible data breach (section 26WL of the Privacy Act 1988): either each individual to whom the information relates, or each individual at risk, or, if neither is practicable, by publishing the statement on its website and taking reasonable steps to publicise it.
  - If you believe an entity has experienced an eligible data breach that affects you and you haven't been notified, contact the entity to ask. You can also make a complaint to the Office of the Australian Information Commissioner (OAIC), which will generally expect you to have raised the matter with the entity first.
- Data Availability and Transparency Act:
  - The Data Availability and Transparency Act 2022 deals with data sharing and with breaches involving "scheme data". In this Act, "the Commissioner" means the National Data Commissioner, not the Information Commissioner.
  - If a data breach involves personal information shared under this Act, section 37 outlines specific responsibilities for data custodians and accredited entities.
  - Section 38 requires data scheme entities to notify the Commissioner of data breaches that do not involve personal information. In both cases the notification obligation rests with the data scheme entity, not with the affected individual.
- COVIDSafe App Data:
  - The Privacy Amendment (Public Health Contact Information) Act 2020 inserted provisions specific to COVID app data (Part VIIIA of the Privacy Act 1988).
  - Any breach of the requirements of that Part in relation to COVID app data is taken to be an eligible data breach (section 94S of the Privacy Act 1988), so the notification obligations above apply without a separate serious-harm assessment.
- Credit Reporting Information:
  - The Privacy Amendment (Enhancing Privacy Protection) Act 2012 deals with credit reporting and related complaints.
  - If your complaint relates to a potential breach of the credit reporting provisions, you can complain to the credit reporting body or credit provider involved (section 23A of the Privacy Act 1988).
In summary, the best course of action depends on the specific circumstances of the suspected data breach. If you believe your personal information has been compromised, consider the following steps:
- Identify the organization involved: Determine which entity experienced the data breach.
- Check their website: Look for information about the breach and any steps they recommend.
- Contact the organization: Reach out to them to inquire about the breach and how it might affect you.
- Contact the OAIC: If you believe the organization has mishandled your personal information or failed to comply with the Privacy Act 1988, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC).