When a business has reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm. The Information Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.
The notification to affected individuals and the Commissioner must include the following information:
- The identity and contact details of the organisation
- A description of the data breach
- The kinds of information concerned; and
- Recommendations about the steps individuals should take in response to the data breach.
A template for notification has been developed and is available here.
The Notifiable Data Breaches Scheme provides flexibility around notifying an individual, providing three different options. These options depend on what is ‘practical’ for the business and are as follows:
Option 1 – Notify all individuals
If it is practical, a business can notify all of the individuals to whom the data breach relates. This option may be suitable if a business cannot easily determine which particular individuals have had their information breached. This approach ensures that all individuals who may be at risk of serious harm are notified.
Option 2 – Notify only those individuals at risk of serious harm
If practical, a business can notify only those individuals that are at risk of serious harm from the eligible data breach. This requires a business to be able to easily identify individuals or a specific subset of clients that have been affected and need to be notified.
The benefit of this targeted approach is that it avoids unnecessary distress to individuals that are not at risk whilst also reducing the administrative costs involved.
Option 3 – Publish Notification
If neither option 1 nor option 2 above is practicable, then the business must:
- publish a copy of the statement on its website, if it has one
- take reasonable steps to publicise the contents of the statement
This option would likely be required in the event that a business does not have up-to-date contact details for all individuals.
Businesses must take proactive steps to publicise the eligible data breach rather than simply posting the information to a website. This will increase the likelihood that the eligible data breach will come to the attention of individuals at risk of serious harm.
While the Privacy Act 1988 (Cth) does not specify the amount of time that an entity must keep the information accessible on their website, the Information Commissioner would generally expect that it is available for at least 6 months.