What is a data breach, and what happens if my information is involved in one?
In Plain English
A data breach happens when personal information that an organisation holds is accessed or disclosed without authorisation, or is lost in a way that could lead to unauthorised access or disclosure.
If your information is involved in a data breach, here's what might happen, depending on the type of organisation involved and the specific laws that apply:
- Assessment: If an organisation suspects a data breach, they need to quickly assess the situation to see if it's likely to cause serious harm.
- Notification: If the breach is likely to cause serious harm, the organisation usually has to notify you and the relevant authorities (like the Information Commissioner). This notification will include details about the breach and what steps you should take to protect yourself.
- Remedial Action: Organisations may take action to try to fix the breach and prevent further harm. If they act quickly enough, it might mean the breach doesn't have to be reported.
- Data Matching: Government agencies like Services Australia may use data matching to identify individuals affected by a data breach and apply security measures to protect their records.
- Mitigation: Data scheme entities must take reasonable steps to prevent or reduce any harm resulting from the breach to entities, groups of entities and things to which the data involved in the breach relates.
- Eligible Data Breach Declaration: In certain situations, the Minister may make a declaration to allow entities to collect, use, or disclose personal information to prevent or reduce the risk of harm from a data breach.
Detailed Explanation
A data breach, as defined within the Australian legislative context, involves unauthorised access, disclosure, or loss of information held by an entity. The specific consequences and obligations arising from a data breach depend on the nature of the entity involved and the type of data affected.
Here's a breakdown based on the provided legislation:
Eligible Data Breach under the Privacy Act 1988:
- Definition: Section 26WE of the Privacy Act 1988 defines an eligible data breach as occurring when there is unauthorised access to, or disclosure of, personal information, or the loss of such information in circumstances where unauthorised access or disclosure is likely, and a reasonable person would conclude that this access or disclosure would likely result in serious harm to any of the individuals to whom the information relates.
- Assessment: Under section 26WH of the Privacy Amendment (Notifiable Data Breaches) Act 2017, if an entity suspects an eligible data breach, it must conduct a reasonable and expeditious assessment (within 30 days) to determine if there are reasonable grounds to believe that an eligible data breach has occurred.
- Notification: If an entity believes an eligible data breach has occurred, section 26WK of the Privacy Amendment (Notifiable Data Breaches) Act 2017 requires the entity to prepare a statement with specific details (nature of the breach, kind of information, recommendations for individuals) and provide it to the Commissioner as soon as practicable. Section 26WL of the Privacy Amendment (Notifiable Data Breaches) Act 2017 then mandates that the entity notify the contents of the statement to affected individuals, those at risk, or publicise the statement if individual notification isn't practicable.
- Exception - Remedial Action: Section 26WF of the Privacy Amendment (Notifiable Data Breaches) Act 2017 provides an exception. If an entity takes action to remedy the breach before serious harm occurs, and a reasonable person would conclude that the access or disclosure would not likely result in serious harm, the incident is not considered an eligible data breach.
- Relevant Matters: Section 26WG of the Privacy Amendment (Notifiable Data Breaches) Act 2017 outlines factors to consider when determining whether access or disclosure would likely result in serious harm, including the kind and sensitivity of information, security measures in place, and the potential for those measures to be overcome.
- Eligible Data Breach Declaration: Section 26X of the Privacy and Other Legislation Amendment Act 2024 allows the Minister to make a declaration if an eligible data breach occurs and the declaration is necessary to prevent or reduce the risk of harm. This declaration specifies the types of personal information, entities involved, and permitted purposes for collecting, using, or disclosing the information (section 26XB of the Privacy and Other Legislation Amendment Act 2024).
Data Breaches under the Data Availability and Transparency Act 2022:
- Definition: Section 35 of the Data Availability and Transparency Act 2022 defines a data breach for data scheme entities as unauthorised access or disclosure of scheme data, loss of data where unauthorised access or disclosure is likely, or an event prescribed by a data code.
- Mitigation: Section 36 of the Data Availability and Transparency Act 2022 requires data scheme entities to take reasonable steps to prevent or reduce harm resulting from a data breach as soon as practicable.
- Interaction with the Privacy Act: Section 37 of the Data Availability and Transparency Act 2022 addresses situations where public sector data that is personal information is shared with an accredited entity. In such cases, the Privacy Act 1988 applies as if the data custodian also held the personal information, making them responsible for notification of eligible data breaches. The accredited entity must notify the data custodian of the breach.
- Non-Personal Data Breaches: Section 38 of the Data Availability and Transparency Act 2022 requires data scheme entities to notify the Commissioner of data breaches involving non-personal information.
Data Matching Programs:
- Government agencies like Services Australia may conduct data matching programs to identify individuals affected by data breaches and apply security measures to protect their records (see Notice of a Data Matching Program – Services Australia and Sumo Customers affected by February 2024 Data Breach and Notice of a Data Matching Program – Services Australia and Albany Clinic Customers Affected by February 2023 Data Breach).
Digital ID System:
- Sections 39 and 40 of the Digital ID Act 2024 outline the notification requirements for eligible data breaches by accredited entities within the digital ID system. APP entities must notify both the Information Commissioner and the Digital ID Regulator. Non-APP entities must also notify both, unless they are a State or Territory authority with a comparable data breach notification scheme.
Telecommunications Sector:
- Section 29 of the Telecommunications (Domestic, Family and Sexual Violence Consumer Protections) Industry Standard 2025 requires providers to notify both the ACMA and the affected person within 2 days if an affected person's personal information has been accessed or disclosed without authorisation. This is separate from any obligations under the Privacy Act 1988.
APRA-Regulated Entities:
- APRA-regulated entities must notify APRA as soon as possible and, in any case, no later than 72 hours after becoming aware of an information security incident that materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers, or that has been notified to other regulators, either in Australia or in other jurisdictions (see Banking, Insurance, Life Insurance, Health Insurance and Superannuation (prudential standard) determination No. 1 of 2018).