A small business is defined under the Privacy Act 1988 (Cth) as one with an annual turnover of $3 million (AUD) or less (Section 6D(1)). Annual turnover includes income from all sources but excludes assets held, capital gains and the proceeds of capital sales (Office of the Australian Information Commissioner, OAIC). Such businesses fall under the Small Business Exemption, which means they are generally not subject to the Mandatory Data Breach Reporting Requirements (the Notifiable Data Breaches scheme in Part IIIC of the Act).
However, some small businesses must report data breach events regardless of their turnover. These include businesses that:
1. Provide a health service, or hold any health information, other than in an employee record; or
2. Disclose personal information about another individual to anyone else for a benefit, service or advantage; or
3. Provide a benefit, service or advantage in order to collect personal information about another individual from anyone else; or
4. Are contracted service providers for a Commonwealth contract; or
5. Are credit reporting bodies (Section 6D(4); OAIC).
In September 2023, the Attorney-General’s Department released the Government Response to the Privacy Act review, in which the Government “agreed in principle” to removing the small business exemption (AGD 2023: 6). If the small business exemption were removed, the Mandatory Data Breach Reporting Requirements would apply to small businesses as well.
What constitutes an eligible data breach?
An eligible data breach occurs when all of the following apply:
1. There is unauthorised access to, or unauthorised disclosure of, personal information held by an organisation or agency, or personal information is lost in circumstances where such access or disclosure is likely to occur; and
2. A reasonable person would conclude that the access or disclosure is likely to result in “serious harm” to one or more individuals; and
3. The organisation or agency has not been able to prevent the likely risk of serious harm through remedial action. (OAIC)
You must notify the OAIC as soon as practicable once you have reasonable grounds to believe that an eligible data breach has occurred. Where you only suspect that an eligible data breach may have occurred, you must assess the suspected breach, and the Act requires that assessment to be completed within 30 days of becoming aware of the grounds for suspicion (Section 26WH(2)(b); OAIC). This assessment period is provided so the business can determine whether the breach is likely to result in “serious harm” to the affected individuals; it is not a 30-day grace period for notification once you believe an eligible breach has occurred.
You may also wish to contact the OAIC enquiries line: 1300 363 992
You must notify the OAIC and any affected individuals of:
1. Your organisation’s name and contact details
2. A description of the data breach
3. Types of information involved
4. Recommendations of response steps an individual should take (OAIC)
IDCARE can offer your business additional support in drafting and preparing data breach notifications and supporting impacted individuals.
Please contact our small business team to discuss your options further.
For additional support or information, contact IDCARE by submitting a Get Help Form or call 1800 595 160 (Aus) or 0800 121 068 (NZ).