The Privacy Commissioner has published an updated version of Data breach notification — A guide to handling personal information security breaches. The guide was originally released in August 2008 and updated in July 2011.
The guide provides general guidance for agencies and organisations when responding to a data breach involving personal information that they hold.
In general, if there is a real risk of serious harm as a result of a data breach, the affected individuals and the OAIC should be notified.
Notification of a data breach in compliance with this guide is not required by the Privacy Act. However, the steps and actions in this guide are highly recommended by the OAIC while legislative change is considered by the Government.
Notification of breaches is an important part of a comprehensive information security plan (which may include a data breach response plan). Prevention of a data breach is an obligation under APP 11. Once a breach is identified, it needs to be contained and the risks to individuals assessed. Notification may be warranted depending on the risks created by the breach.
Data breaches (or personal information security breaches) are not limited to malicious actions, such as theft or ‘hacking’, but may arise from internal errors or failure to follow information handling policies that cause accidental loss or disclosure.