What to do if your business has been breached

Current requirements

A small business is defined under the Privacy Act 1988 (Cth) as one whose annual turnover is $3 million or less (Section 6D(1)). Annual turnover includes income from all sources and excludes assets held, capital gains and the proceeds of capital sales (Office of the Australian Information Commissioner, OAIC). Small businesses, so defined, are exempt from the Mandatory Data Breach Reporting Requirements (the Notifiable Data Breaches scheme) unless one of the exceptions below applies.

However, some small businesses must report a data breach event irrespective of their turnover. These include businesses that:

1. Provide a health service, or hold any health information (other than an employee record); or

2. Disclose personal information about another individual to anyone else for a benefit, service or advantage; or

3. Provide a benefit, service or advantage in order to collect personal information about another individual from anyone else; or

4. Are contracted service providers for a Commonwealth contract; or

5. Are credit reporting bodies (Section 6D(4); OAIC).

Potential future changes

In September 2023, the Attorney-General's Department released the Government Response to the Privacy Act review, in which the Government "agreed in principle" to removing the small business exemption (AGD 2023: 6). If the exemption were removed, small businesses would become subject to the current Mandatory Data Breach Reporting Requirements.

What constitutes an eligible data breach?

An eligible data breach occurs when all three of the following apply:

1. There is unauthorised access to, or unauthorised disclosure of, personal information held by an organisation or agency, or personal information is lost in circumstances where unauthorised access or disclosure is likely to occur; and

2. The access, disclosure or loss is likely to result in "serious harm" to one or more individuals; and

3. The organisation or agency has not been able to prevent the likely risk of serious harm with remedial action. (OAIC)

How to report a data breach?

Once you have reasonable grounds to believe that an eligible data breach has occurred, you must prepare a statement and notify the OAIC as soon as practicable. Where you only suspect that an eligible data breach may have occurred, the Act allows up to 30 days from becoming aware of those grounds to carry out a reasonable and expeditious assessment of whether the breach is likely to result in "serious harm" to the affected individuals (Section 26WH(2)(b); OAIC). The 30 days is a ceiling on the assessment period, not a target: if the assessment concludes sooner, notify sooner.

You may also wish to contact the OAIC enquiries line: 1300 363 992


What do I notify about?

You must notify the OAIC and any affected individuals of:

1. Your organisation's name and contact details

2. A description of the data breach

3. The kinds of information involved

4. Recommendations about the steps an individual should take in response (OAIC)

IDCARE can offer your business additional support in drafting and preparing data breach notifications and supporting impacted individuals.

Please contact our small business team to discuss your options further.

Disclaimer

Identity Care Australia & New Zealand Ltd (IDCARE) provides identity and cyber security incident response services (the Services) in accordance with the following disclaimer of service:

  • IDCARE is Australia and New Zealand’s national identity and cyber incident community support service. IDCARE is a not-for-profit and registered Australian charity.
  • The Services provided do not constitute legal advice. IDCARE recommends that you consult your own legal counsel in relation to your legal rights and obligations, including but not limited to your legal rights or obligations under Australian and international privacy and data protection laws.
  • While every effort has been made to ensure the accuracy of the content provided, to the maximum extent permitted by law all conditions, terms, representations, and warranties (in each case, whether express or implied) in connection with the provision of the Services which might otherwise be binding upon IDCARE are excluded.
  • IDCARE's liability for any loss or damage suffered by any person or organisation (including, without limitation, any direct, indirect or consequential loss or damage) arising out of or in connection with the Services (including, without limitation, liability for any negligent act or omission, or statement, representation or misrepresentation of any officers, employees, agents, contractors or consultants of IDCARE) shall be limited to the fees paid by you to IDCARE in respect of the Services. For the avoidance of doubt, this limitation of liability extends to any liability arising from any actions performed or not performed as a result of any recommendations made in the course of providing the Services.
  • If you would like to provide feedback please use our Feedback Form.

CONTACT US

IDCARE is here to provide you with specialist support and guidance when faced with a cyber and identity related issue. Contact one of our Identity & Cyber Security Case Managers to learn more about our Support Services and how we can help you.

Call our Australian National Case Management Centre

1800 595 160

Mon - Fri: 8am - 5pm AEST

QLD: 07 3555 5900
ACT & NSW: 02 8999 3356
VIC: 03 7018 2366
NT, SA & WA: 08 7078 7741

Call our New Zealand National Case Management Centre

0800 121 068

Mon - Fri: 10am - 7pm NZST

AKL: 09 884 4440