August 25, 2008

Privacy Commissioner issues voluntary data breach guide

The Australian Privacy Commissioner, Karen Curtis, has released a "Guide to Handling Personal Information Security Breaches" (pdf). It is a voluntary guide for use by businesses, agencies and non-government organisations in preventing and, if necessary, responding to a data breach.

The Guide includes four key steps to consider when responding to a breach:

Step 1: Contain the breach and do a preliminary assessment

Step 2: Evaluate the risks associated with the breach (risk analysis is on a case-by-case basis: not all breaches necessarily warrant notification).

Step 3: Consider notification

Step 4: Prevent future breaches.

With regard to Step 3, the Guide suggests that individuals affected by a breach should only be notified where a breach creates a real risk of serious harm to the individuals. This is consistent with the recent ALRC report recommendation.

The Guide incorporates illustrative examples which will assist in deciding matters such as whether notification is an appropriate response.


Posted 25th August 2008 by David Jacobson in Privacy